|
|
|
Sasser.D Worm Arrives, Ready to Do Damage
By: Dennis Fisher
2004-05-04
Article Rating: / 0
There are 0 user comments on this Network Security & Hardware story.
UPDATED: A fourth version of Sasser has the potential to cause serious slowdowns and outages; a hoax e-mail claiming to contain a fix for the worm in fact contains a version of the NetSky worm.
A fourth version of the Sasser worm is now at work infecting Windows machines, and this one has the potential to cause serious network slowdowns and outages, experts say.
The Sasser worm family, like its namesake, journeyman major league catcher Mackey Sasser, who once became so overcome by nerves that he couldnt throw the ball back to the pitcher and tried to reinvent himself as a first baseman/outfielder, is showing signs of changing its stripes in order to survive.
Sasser.D appeared Monday afternoon and is similar to the previous three versions in most respects. The main difference in the new variant is that it uses ICMP echo requests, also known as pings, to look for other machines to infect. The Nachi worm of last summer had the same capability and, on networks with a number of vulnerable machines, the worm caused severe congestion.
 For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
The new Sasser variant could cause the same problems, experts warn. And, Sasser.D can scan multicast addresses, which has led to it causing some destabilization of routers that handle multicast traffic, analysts at The SANS Institute in Bethseda, Md., said.
Sasser.D also uses a different name for the file it leaves on infected PCs: Skynetave.exe. And it creates a remote shell on TCP port 9995, instead of 9996, which is used by the other three variants.
For more details on how Sasser works and how to protect against the worm, click here.
In addition to the new variant, there also is a hoax e-mail circulating that claims to contain a fix for Sasser. The message actually contains a new version of the NetSky worm.
The Sasser worms have infected at least 500,000 machines so far, and perhaps as many as 1 million, security experts say. The original worm is responsible for about 30 percent of those infections, with Sasser.B, Sasser.C and Sasser.D accounting for 40 percent, 10 percent and 20 percent, respectively, according to numbers provided by Network Associates Inc., based in Santa Clara, Calif.
Editors Note: This story was updated to include information on the number of PCs affected by the Sasser worms.
Check out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: 
|
|
�������x}ks8q�8c�H)ٖcm,k)fV(�8H-I?q
/=hv2s��6�Fh@goOD.\ݴ1ܦd���轿O$��}��L9UQ#C3W)9bPg�34mzΠN@\��8 \?g3Q;Y|���dRr[dQ=�ʲnMw�3a[mޡlطGZ*մ��*rM)֎o[©̝
w֨n>ڻPʪ)Jӻl_H��C[wn
-%;ZAPt'^O.[��a@.� X_d}+5��UJ�`Z.�
G$�/�Z@��Y^��oVs+ZV�H+(.##-byOa`%�pfQUrn�OgsKߺnZ:9?nΐ}3�fP+�M�~(#3h�ؕgxg�_:nNo9nڗݛ�9^Iŝ{N4ps
Zʿ:�['{:$?LmrG=�����.iTj{iE&�u}Br,�NdJq\��C�j�ݖeB_ȻX_��KŗG)H7�3ǚ� �-mdʩ�$|��S'Gk__ӬZxka
4�+@_x0N�D9�f�M�s,e��g{0A�M)��61t�k
�3!RBʼ��ĿI�K
_VPJB�-)\Dh+�Ԍ$ٛ�"G�;Cx��r!DKI��88�{���NR�.iغ�\48�?כUsN�VVt];7eяzZTp�x3nOSһ^�Z0*>c]�g%",Q�qsuTSt*Zl:��}�5գ"T���G'&-d`q86ayƔIG�?{x?�����aO>�)5>�'4�}t>�$��ticšh4έ@7&��h`C}ҍ�&MЀa㻣^h>[ <{� C
0ԟsZ
LP#AтMz>kI��-ߟ�L��s#08w�ɝ�5��<�Q5С4}a���q�jS?g !Tgxs��=w=
}
�o ��߃5�#z[-[�Z6x�GA }Q�|'sZ(�w^bS��y"�"D%� T
h��4�A�ǰ�E�EN�Aw;�.VKŤ�\*y"�Jm':.ܱ;PKR�x&,�S,BV-KᗄPf%i2ml�ƺń(VFN��l�(0��Vn)L>hQox@F6}Ľpe�
l4�T)f��FfO���~5lwnnB9\v,_zt?�Gc�NEi[J/ι_o2ES�|(�n^ßf�1�d��_w\ճ&AB
�glC(d'pC!f4Sy%ew{��RgaM8F2�b=k%nQ/|KĝR48'')Na�sW|��]Ө5@lX+�Mo?JՍE[�1(�Ŀ+úZ�jp �H�oh��koռe_x�um8Hi+-m"�rB`8��2f��ˣ(�U6LF%jIo2��j�A��5s7\Pe_M�82ei[F�ߪ%M*GV+Wbzgܲ��K���(�)m�ʥʫ�;qg@�4-=�f~o��yu3 ��N�ϣ )a!�c"R�+}ne�DIUU[33R�%f�x#e\4�6L XbOF�3F��K^Lg,/,�+YkuMٕ.RB�|vj�N Br�S��hfh:l�D�>t�ZB_`֚�?ΆRP$�P�/#[յ�/Q�+wڶ{M�t]QGq,��bjt,g��
@�7Q�Ro�>���\��!EX+LTBYad�[s�6/�J>f}<~�A+�p��&��>FkfSwhlrKcJ�rEu�x.(J9�)` N� 2&|h�:|�#H�& ,w�\d�����`�А��BrAa T+��S//��' 7(ڀ"P/?�ˇ%b�tXQ =j={e|h3ʫ22
y��ӅZ�
JL�qrheU-UjR9�_V�qT�G�"MϨ���p{�V�N0aE�>yL��F<|�˰"U`
}JZYPIb+�ģCY��V� W�MU���pn`w��y�~�t=t@X�qD��L��ҀJ
^�ƙl)ba��J)?�~mk5VΚ>9lv''<�
hr�͵m��7>�;"c'�R�q#�Z7pթr�Vg�HWtČer,×~a51r&`7o,sqI�['�ML
�"�4!`��X>�bxEO��p?l]�Z.+B�vQ�*�s>P� Y�o
-"Ԅ_8 +�~7?l)ɡX�XD`��R#.aǰ�^P(���㘘�\}?��(1@��sE1 7�k{J�~��Zg�^�pR�t,Е�䏽�nڧCR>Y/5;/xDŽ�u�_u{~{yH�Dyy���D߫V��LӀïRCR:"*Tjw�Zb8K}�LAIP
��4�p=".ƸCO^D^5OOۗ�k�mu�#4�-o�d�hhqv�NCR|I}ҽ^SzG}ْX+ G�7�E!B�ç<'�uxi)q��o2�X�G3~�ǎ�b
��-{}ں̂1Ka՜$�"k5B���fa�mFp6[�_aݪ�,d20�!&�Wtzăy��E9���� c@JA=�o8m._i%$C[(�����1t�e�}E/S)Q\(�OYi{L×$)��*9Q{_[a(עo1Mr!}J_cN߯Ͳi<"�
]l{pУXJq�gҽ8 $ubSP݃�_.Zr;�0y!Q2�7��?x�%E�馺[7db&u"N M5�W"Jv-O|�B�aqB=LPƓ4wɨ
ݖ:p<5GK:)!O\'02H P6,O&e=lI1 iKBih%bbVHJo�wռܞ6<1ޥ]ƙBvmK$��Ζ�&!�̗4.נ�E8��V�#[vx~�t�a}QגZ4ҫoeW!9��?<)@�s`*�=S�L aʕCrWkb~�]4ZU$=ݝ:�F`�cIŃ
O�~ؑq��eީӊ�N|�u�+KׅN�o͗�?݁C5=ICw5FO��.�Ս A�/�h9G�Q�b0&x&�4NdyWy#Kx�EıTrcc�䰎*hu5nWe��gNu.&i\vyo]9ar܂�cA�I��=G7o�m�\�>eNx>HАYc=p>}挜00;z[o�ue�9�NI}i^�w�~Zw[q@�ǠC�R�K1&�$Z^VP**sᔤ˞SǔW>��@ƽ�b[�0d&'q=+��=#tzooo=إ�֛~=*~�gL��w.�z@z@pw�{Zg%QJ=�,qM@jjiIr\"~^YZ�䑽�أp l$>?Gko D:*pctO�xc�Z�yi'K-h<^79#�`!3ȑ �+Ӡ��5M��H.v�@�$T8h�l?|7t5%pRx65�y�(1h4Rwot8�lv4�W
-;�6N��
ֱ��VاU� Wo�[1�$g�|o(o'xkn�pU�2� |kM-�%&p$~��M{fr+��(?���ܻ'Vx�e�[b[0| LcK�ֈe�Za32ϦΒYf]-�5���2_֨#V,�}3rޘ^"�'IOP�D��ҟ`,Hژ=2ϖ7)��#"T�j(;L\v�{᧓nIU5�Œ<*vdݧLs7�uXD21!�#^rO��"!xXO O�@y�d
/6�r98Sc6�7$\Q"J Њ�F2p���I�&~%g�0O��,'/xׄZ�_<ݩc^Br*,F-1~hƶ�dJ�UzHN�p3lśh�V|�R�X�졹mJ�VYE:�,B&D*�U�byKz�+��\�A'!vG$d)$
(==I d
SHgQW_�x�Jjmpb�kj/Κ=�t�ۤVK�;�;M
&T:��;XO�'~�Ll.GZu�6�oT$UQx)hE3yx�S%6DžtL'��gͦ/8hW�R%��T'RRЪ�a����$�%�I8H@
�zI҄Tٝ�_]'iʶ|W|qtMyRBF�ʗ>�g@a:Y��/�kK>}1?38fV.mLڌq5.*�DP"[�FL'0(oz3Hնuc[ry~EtRg!MKe��l>,�mz��\ߑ[O�g1r�Ԙh
�p�Km($�cp!�c��o(�Z+`miX�q~>H�'ܺzF��dI�fۘjR#rz4�P�s�0uؕժTjQ�ܣF +�:1G>/TɵF.0y�Ql��%x%Ekɽn=/=w�y��r-ݳ�i3�R`v1�)сr�O�}TK;TI`o3w[p\9d�|r|P�3�
c{_[
w5W��a���
a
��x.%5&o[I{e��>9bӹ�&t~юMݺݵnnT[B}Fsgy0OyZ^K\�#|aeY_W�lfmےV�o5JK$¨ӔAJL`��r;c��±\~��7�w�/Hk�_Cʵg㭸=0&SU5}Tbt4�D�vô*F6#ZIi�xw4�4x���Q)<�1�W<00t+P̲jN�T]OpY�=XCE3 cL�w>VHUGd}exx)J�"Ѝ�rKM7mk�ZtI��oB`(x���MA9(W�TD~b�Nǻ/�|�T�3/b=3-Ѩ#C
Ja�<$wzS4m��ԓFG�m)׀��g�xRW7�Ul�Nh$�~b Ӊ2uFf."�T(
4�`�V#C}A.[7VߺU Cvmx"D�� ;�/XNRAh0�y���Ԙ8@�!'vQ]Q
s�<�a�]��C^�!��M}S-l�� \Z��s4�pLFuԔ�fDR/3OaH�9p=S["dR1��@Q>�~1&giBE<
,iM�
�5"���)�S&QA!5�Q�"��5,ǰlFLNH�ǟl:�=�n1JOK\-B@e�b�q�yy
�¯05;:q��D��E�Q\U�P�*@J��>S�|���?pk2�%�Tmn$|�s�^7$Ӕ���,�,2E<�ezX<�^�'+ˬNCL�|8�k;Λ}-AG�,G71=�` ?ve.us�x\jH��]�$Ѕ:�y,@#!��9ω�k����a]?X/#}|Aa�P8�Z
��+z+U'I]U@)9CȮ�K�ƪZJ�W5coSl�w�e2Vq:%L�z%r�uW0`A='i92bg4t\�K�[�IS��k;��s�rֽ&Mrvjާu^E�OWa[kp��\MqIYuuݾ0�fbv>L55ۼ6/*�˙͓Q�9lvZNS�ʩ`Sg̵,�%�E�*wDE Gcqy�^ L;'Q_5ڧ�_;�?ϴ/3�v��{^F�(�_dٮ���d�v2�t2Ӂw2�dg�(��3ϡ�j9.~QJxdR$WɴVی ����|,y��|a2� 'GYkw�e`q`jG@' @9^�\�pm⦠n$B 5�O��W�}f�.omG;yh#62vf;�w�oCd
yR$�ٟ�>��x�P�[LԸʲGpoQV"
#�<5 b3�7>`Y)W8#Au�^�ebpb�^`l}�Uq4
5%pN!3J8?0�
HM�ԳpN08
!r�x/WCtzK=s�;u`�-� l>EM+�+J9wWrD�F�""C�QL`FTMV�YI2ZY�rF(�RB�4|O۴W)]7tSsc<{�+4�аY-P���p
E���Уc:f]$WeL=,e�'�æȗpޤv,�P�@0�~Y8P*`)�K�؞.F^͇$�M.�X?r{I�2hؐCK؊9N-#� N>@OÙCw�HX&38W
!�7.@c�
dC�!-�x
uYLFՋpO`������.�X&"�>6�v�>�L�c�? `�nwf9c�ˎu,s(ŬBSd��=�)OמbQ���qml�.�; +C�&:bz:SA\W �]r�⁜0ћqmj_��ԕu`g#�~"�3V[��œA6p8_�n90�kn>7Q$�L{���5HJ��B ϱemQ��]��&�\f��\j_J�.�ѮRTnbbq�8g�EΡ�t2cQ��*Ԯm^�x[9�Na^|ۺkAўY�mw|h[d-+^FL��!�Ү\)V�b�pC�{f�:ePeX�l'ak׀5V`��=H�]��qS`�huq#��1u��B\
(c��to L?Q1?c}]�nJQXƦa#�QaW:�67�n
M�yww{ftM:|E]E>*��A\gX3'
c��gb@8f�{9rW=?5f��l�vf~wxuzu2^GB~Dda��gZ/:?ʂo/�Q�F$V30(�y��lH�K9���a,����lu�Ke�br]MzS
cJ\g'�ۂ�~�Ӎŕk[Ƃ���ˉ;[�Z�o.^sƠ�{e��7�5w�SfwT0�G���=��`5>gvC�%�=\s.&tĵa=��.<'�̳�(`,��Lv"V�KjMΡmbqR!%f�Ʋ�� 7cP.X�]-'B@:S ��.x C�G�,$?��ˋ�}P�39�9�.@OI"cXM1}aE�|@tƩW3.r��ƕy�@Xqө8Yo\V.[��ByֽKgN!�$g~�V�;~v��?;m a�%
ѨT\��ߴ�kO��,�mݸ͓�.OhI:V��H]5OOۗ��P0��E�Ch��⍿#01�4[3ˬZY$I#;ov[M1�uc*aRSVs0v&b(1lS24K�_jj�Jl�xTʉi0oǝF6̈́
В��^&Ů�v�bec�yu+��
|
Network Security & Hardware 
