Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Sasser Worm Spreads Automatically Through Windows Hole



 By: Larry Seltzer
2004-05-01
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Experts, who say the worm has the potential to spread far and fast, have assigned an elevated threat level to it.

A new worm has been detected by the virus research community that spreads through the LSASS vulnerability in various versions of Windows. Researchers and security companies are alarmed and have assigned an elevated threat level to the worm—named Sasser.A—even though it has not yet spread far.

Unlike the Gaobot variant found several days ago that exploited the same hole in Windows, Sasser can spread and infect automatically through the hole. Gaobot is technically a "bot," meaning that it has to be manually run by the user. The vulnerability was patched weeks ago by Microsoft.

According to Ken Dunham, director of malicious code for network security intelligence firm iDefense Inc., "Sasser.A has the potential to become very widespread in a short period of time." The fact that it has not yet spread far may be due, Dunham said, to aggressive patching by users.

Resource Library:

Symantec Corp. has given Sasser an elevated severity level of 2 and issued special definitions to detect it. According to Symantecs limited description of the worm, it spreads by scanning IP addresses for vulnerable systems through FTP port 5554. It creates the value "avserve.exe"=%windows%\avserve.exe in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Users and administrators should move quickly to apply the patch for this vulnerability, but test it beforehand. Microsoft has admitted that a bug in the patch can leave some systems unbootable.

Dunham is also troubled by what he sees as a new trend toward releasing malware code on Friday nights and Saturday mornings, after many security personnel have gone home. "Its the perfect time to strike, and the bad guys know it. Slammer struck during this same time of week, just over a year ago."

Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:  



  Reader Comments: Sasser Worm Spreads Automatically Through Windows Hole
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Larry Seltzer
 


x}kw89v2zۑrdK5,ēѡ$Hb"9$e[;~bVKZ#7-`U* Iȹ kBhnR?G}]zk;oHRmo?fTEK lwDjFɐ!5Mч)Q]7U S7S?`[(V;Y|}nvbk .hѴFb^P$ȁ_G-IJrDqDo;gEQ6 tTۖ/yoT| l߷gLw'ž=ax5ExLԨ#|xLk9Gd3#L=xZA/G L{x45mb'*cO^3hV\0F΄ۮۺ{C}ۈJ=: '5ʈr'"flsQ#@o6mX,.R-͌aBwtQźmyKGk Q1H M}<I%$7 Vmqb*0O~b4INXEEnڏuؾtÛkϭ!曩;]]sF"UM) O}iDmhK PQvdaF&kQ_7GZ(TJbEW╻a;4SdͰڼ{UMSJ{:Sn -đu-U`(ڭNs#wv@α{Ad}+5 9`Z,rG8y_4ttXBn ,:n#ty[^ T򕜦hGZNAv) ,f5< 3+i3*dVא-͋^m^o$׹Yng90gMYn^dH&.Nޕ|T|Y|؛ّ?ʰnO6(Zl׃$'A ϛ̀-s%08w{ɭ5zY05ݻi{`y1&դw; Tg ,ﺶ퓡>(@=90P lmV7L}``1 .͇{Z;r-Ea3C7Dإi/.B$(ZȻ!Alv [ķ Xxl++~'y%#!b['9Pv{B#ܞ}P/΍fB>ab -d[b|l eV&vpbB|#'dXr`Y \`+|h)lc lԨ[6؛rib>Ѹ79C0 Һ: sD-x' LF1pql0׾`-ϒmR@la} /< qa Sn693,X0NᔄWj->! 2i}M/Xgu1 :ʒ:L:%\uZĶ`漃d:N'`6?>y@O \nl0ħo4<3_N#kuM߄V 9u \Ʉ r}͚X 4ؐ)|&Bw7Cnc^ښtu.F(hJ ~ xz~#Jw}}tK]('S{FFJ V >zh'ѫ>Ug HIulX+nMo?HՍ pz1(ەa]jk-;?!d[o|aa1E]QXJKHD@CR)е ܚaY^`(txMʆТNw߶}|qö V9UV*{S#SV.hV^ǚa+ L 4 o# TolVCax9Z'AеMMߙzl.n 8y82Lm/APSt @Ie5=ゆ _ۄK a*81tkyq;_YvOŽtQzWcYg꼿egþ1GN(>kSMw \ >%\aQaSƖ4FXXoH] ˏ͎ǏƊR()πPgk+2h35sp?3~Ɋd1 خ mpAmpvv9N (k8xuO.#!cClȂu!MU-~!,n w]0AG50qH&;ßE68>n:+@5Lr q h5ނ[SsCťP Ъcf >̆U*J9ը`WbBc$B:Gd@}-`v56'wO6rh)6YS!RW dĞeeC5ed kC铨u8ۄ`gS/W e086. LB71lÛ#7a*r{6~ z1b`;7==#[(4Q+X916<`(ZU6Xk<v/H|[vw?IL%yT Jӳ $ +@:eo;Г3z\?n?UU;MyR̚+Ajm>a,0r:n\C)&&jldǶ[e7UVEL\}DcEi\ixm"=Ǫ\TuAR5T|)WR JL'Q!FN#ǸEB֢%3컟6B-ܝ`@O|C]+9b2q$yF œ%K'G=_lXC=B(tם/6f semn.`I3)` {qO4c3=#>7+sV\9''I9 g?amY:JBQ*NJ=x}5}uc7t 'xG ?ws~̾>adJd@*5-]-Jя{_ 11!`0$_,߫2t) 9~W9ހg |XTJJ 슣x9#T`| @-`'d1s<ēo =$} 'F+T6n{_L'+cI`jQ`w0D\*nLGFcc2]~>^++obP@/IlC.:;b4DϢ.}VwvHrۧ>\zu`\$'d0 srެ_'7b7 `x$Ǣ72l&zA Vq\5WY0pz)vBZUc1z Aq8<ڈFpv~[; ºUXȬe`#PH<>([*aHHR ~tDս< d'uN'2 m D785C*QW2EhqA%5':g <D:9NgxDﶾ6Po>Ib}K_cOߗf4~P6=8,rh縍vRtI1?x>ouޗ&e}z?"I^Í7"HdS+C25F#jikNEm펇{-~=`rشPbz&I;Ψև)uyjtJ>Stl 04H P6,O⼬e=lI1 iKihţDbbVHRo{Y؞6<6ޥ]ƙLVmK$h dgKU 2 KpkP I<+ c->+y-EY-V6y;qz])LU9$gYguϏJIbםes55cvdl:Gw*b9,_]hrrӅ[dnߢwz$smCgLرD}8%,/5g3 \:`A)6mn ^Uުf8Gq\x,3u\QUGveY8=xnXbitEG_|靁&M_ |2$?[Э>U/y{do&\)sGA,֘fu9k`Jgfm5֪rO0Cݡo;'i?{޽Ҿ2CWq k:i)`*98DhHeN d["2NIJf/<L8zdM#}l%3 <ki^h̠t{[f1vzfGP Yw>]`w.P[_zɞVYiAu/K\-"Pn'ZX|:%0**WxqQz?oA2K)v~n[/T*QцdZ.v ?JiQ)⻿<ӛXq& hf3E 3oֱ&QF\am"ĥA#WRA a"`. ͎-NďcSe/`@وmK?DU~kjխjX)h=Ob[ i4M0];q?Yq^OLT['φ;$M+@x:Oak)"L A1=Tcu7hK*iv)=] m}?&@ZΕXcAeLyRW_xRI+Tea(30(<2{$CوEHP呔=O)HJq[=;,{ jIA0/ZDwL\r 2@' : Gb{L$ u1s)OJ)o򶬙v֬t)եJpC▇tmv& KĆ>%A]ܶ=#ZۺNRTEJrKs:JMke԰tk3/HeaԢ)-B udQ?+GٚZۢҮ^Q J tff[9EögL$X#~R,t4@vd G$n^mwm;Ug,-_}褐tÃn>\wHy8i q^l-"Y۲N_t]X %n<*mf HY@B^Cl{ֶ>/'ဈxWPo_J1vSoK:w1F [` cY۪ڷTEߘ#\@}<>b]D5" D@M#6#xķǷuՍ Cp$5L۳Lmo+N_rwVӻyJpYܞR^+duon=97k&F?W yR,؎n=+xI =ȿx2ƠrW|V}yE8&ݘtKȠBpΠ&k1 Zݘ>pxmn$5?h۾ea+@mն-0֧Eaj; m~[K1˺tfҕDQoJY$VCK}_K_  c"F)@MAɼ=l$5:!oPJD:`ѿSXH2J&2k` n%'. za>Sj έm(PT5/yjg闶U08V"ȓyꦹ\ '2atXi!ZpP]?zUcكcfa\5]Ԛ`f?N͝~K!Cwf"GqrhS¯ţfRPhx | ǜO TIHpC(u[pbT苳!nP3 K?#"Y?aɛD)0; _(opwb䭽Ud? o ?3L[я{ɧ0f_盾" A|~Vq8ncL'w|k]K㞈+EetלSN|l: /x+UJjyo oߗ X*X\d9 5|5Xm,}YƆc3mx^HCoi.b:=>e9L!6v1h}P#3=%1$Ⱥc(`kjj5ʪ5AV^ q'!ckr|D,?t".+>1?B,v )_R6`L7WPm.MEfNȢaW\1\^r^:VXuRE.$˘x< g閭O1&^NE*ނ0H.uPc_B U@+Ěs]ÚOk>'5̈bvӚmlzZC캣J;7Д4c]8_q=&o7ݙB gnVufSnֹCOSmQaXXLeD d;ZM Ӱp-#|2I?NRuDwqfrTGZN)bYo_C)%WC@nHd|O ؆Hk䲈uv<an=ysb R.6c@qGzƌ2Ja\lGN$(" ~%9mDg/o| CVY `Oh$|bH\-S7}@|0\'&KPou5aȀ /9k=Cߑ;m 죃BiKsS_#蘱> CbOº 2k,aK.S#Yuhco>zSH_"m#!k^"Αf`NfXm^*%6ԭ8 h0.gj5NU%r@9 dU M]/W.nrl6b-i`I; aAJz>fFp22c1CLD:5 khٌ; ǁl2K!=ϲϝ%cZ|"{X#&3v)f9;{r~H 0b`)vqU@y+LD݂zGxznlJ ͍$u~k&CQj"([]ă0T]w7qsW隸+SfԂm>>Y5KvflxAQ(b8M t;ӟ{,ȏꗉmݜ(8r1)t/HzsJncڂxpCa]L'#}m})m})ilSe"P9 RK)oCy;"e|/@~.R"e:NJ;:)_.?.S޿Ly *7.MK??}JP9g]CuZ9u ^C)_]_|y)rVą)qJy!S;NBE%rXB]W¯xW=cIJpN!3J0?0 HM ԳpNzP?ѰsW髡z:på̹H7aQh@R%g>yM˫%KR1sWrDaDD!Q}DTMVY)qi3ZQ%rF(B4|O۴W ]7c yVi8an[z?"z5~D@N UEz_ƴmRf`Twc;7i5@>(L,(sT[^F%lOmB/V9x+=1!mƪ1iR {{[1g7ډ5u¿O.Г9+p' ? 3ʕB ȪGsoѨs7âB~&` tGЫ H[w1 lJ//ݓxCKQ,Vn;v=scxíd <@T6rނw2$zH,=I^L-q{̪{4yxaw. ]C/~lo pZ$ yϖ`ZՔ&agbBߖqMH{_f]Nyg#hn3F ^qm opkd9ck+cNP<틒P/tA>7=˿q]v`礻Lx w F ˂em%^#%#Ǝ$| 0qQy 0'crfO 0W]fA_f|bh>Zo/TùLHCD֣cg[4J_ t:쭠F |m)Ӻd,ӣ&uguI9>3ؕ  6LG4 (OP"q} !3O׮@ DY/vY{qH|&zu p$.6=k"2: gK“J9=vbbļlméԴ&x*Dov]|eD$zЧ EϨnSC>Xn TeεьQY#m'#8>\mQ޺pml.;+Lt;Oulם8G# P⁜0ћѲL:P1$+nvGX '>4'كt2`M(_ْk0.G/7~| r@bB܂O^\j\j_fՙJ.RTnbbq8g&;$gw:G-]U Xx kyfţ3W\4nZP+jdV@8̙LÛ~H2I5"`:Vڕ+ꃺiL1e~}<3G(v2,@PFRk+Wei$ցw/)>RnãXǸ [+ Qy:  <Щ0X\bXEe܌1E]hT.**S7 /ߵSycD]E>*Ѝ O!igNbcb@x/l_qxN|L/Xg4Ͷet g)C2^#s!? Ln2m^^kte(n aaX`5>gzC%݄& L,&j1Bi>c1w0s X+0_mkAScL5ʲ(`,Lv"VkMΡmbqR!EfƲ#7cP&X2m-ƯB@w:S .x C,$?ˋ}P cyx ŧ$NS7X|ZD+6ƕyz@Xqө8Yo7W.=wByڹIv!$;-v,8~vm}m a ѰT\_7[zkO:睫,O>~|hHAEeiAђu:WfK]ŇxEg_0]\}!l4{nF_1> UUbA$⑝7~I1u5U.IEɗs[]jβ[GQll٦4*d.%rR[W+R}& Cfaf-nǝlt n%96L]_Y PH8o'