Sasser Worm Strikes
Latest worm is slow moving and doesn't use email to spread.
By Roman Loyola
Tech security experts always tell you to never open email attachments without a confirmation from the email sender. That's because executables sent in the mail as attachments are usually used by viruses and worm to spread to other users. The latest worm to be released, Sasser, is an exception. It doesn't spread through email.
Sasser spreads by attacking a flaw in Microsoft Windows XP and 2000's Local Security Authority Subsystem Service (LSASS). Windows systems that have applied Microsoft Windows Update patch 835732 are protected against the Sasser worm. Sasser essentially looks for a port vulnerability on a randomly generated IP address. When it finds an opening, it overflows a buffer in LSASS.EXE. Sasser then uses FTP and connects back to the originating computer to download a copy of the worm.
According to early reports, Sasser has infected about 10,000 computers, and new variants are being released. Learn more about how Sasser works. Microsoft has set up an informational website about Sasser.
Sasser starts 128 threads that scan randomly chosen IP addresses. Because this process is CPU intensive, your computer will experience performance degradation. In some instances, your computer may be too slow to use. An infected computer will also display LSA Shell errors.
If you think you have the Sasser worm, there are removal tools available on the Internet. Click on one of the links below for a removal tool.
You can also remove Sasser manually by following these steps.
Protect yourself from Sasser
If you do not have Sasser, or you just removed it from your system, you need to prevent future infection by installing the security update that fixes the LSASS vulnerability. The update is labeled 835732 and is available at Microsoft's Windows Update site.
Microsoft also recommends using a firewall to prevent unwanted Internet traffic from attacking your computer. You can activate the built-in XP firewall using these instructions, or you can use a free third-party firewall such as ZoneAlarm.
Originally posted May 3, 2004