Sassy New Worm On The Net

There is a sassy new worm circulating on the net and it's looking for your PC. It's called Sasser and it actually comes in several versions or "variants."

Sasser is different than most other computer worms and viruses because you don't have to click on an attached file to be infected. Instead, it finds you. The worm looks for "open ports" on PCs running Windows XP, Windows 2000 and Windows server software. Other versions of Windows and other operating systems, such as Macintosh and Linux, are not affected.

Even anti-virus software won't completely protect you from Sasser, but Microsoft posted a fix or patch for it on April 13. If you haven't already updated your computer, you should do so now by going to Windowsupdate.microsoft.com. It will scan your machine and, if necessary, install the latest security patches to protect you from Sasser and other known vulnerabilities. Updating your machine at this Web site does not protect you against viruses in general so you should still make sure you're using up-to-date anti-virus software.

Microsoft has posted additional information including a free scanning program to check if you're infected visit www.pcanswer.com/sasser.htm where you'll find links to a number of useful Web pages from Microsoft and other vendors. The computer giant also recommends that you use firewall protection, especially if your PC is connected to the Internet via a broadband connection such as a cable modem or digital subscriber line (DSL). Windows XP users who don't know how to enable the built-in firewall can do so automatically by going to microsoft.com/security/protect/ or follow the link at pcanswer.com.

The Sasser worm takes advantage of a known flaw in Windows that allows it to exploit what is known as a LSASS buffer overflow. According to a Microsoft bulletin "an attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges."

So far the Sasser worm has not been reported to destroy files or do other permanent damage but worms like this can be copied, enhanced and morphed to deliver more than their initial payload. That's another reason why it's important to apply the patch to protect you.

Sasser spreads through randomly selected IP (internet protocol) addresses. According to Joe Hartman, director of Trend Micro anti-virus research group, the worm has spread "about 22 percent" during the morning of May 4. Hartman says that this worm's infection rate can be exponential. "With more infected systems that virus can target and search for more unpatched systems much quicker." If you have thousands of additional infected systems you have thousands of additional attackers searching and probing the global internet and looking for other systems to infect.

By Larry Magid