The Sasser worm family, like its namesake, journeyman major league catcher Mackey Sasser, who once became so overcome by nerves that he couldnt throw the ball back to the pitcher and tried to reinvent himself as a first baseman/outfielder, is showing signs of changing its stripes in order to survive.
Sasser.D appeared Monday afternoon and is similar to the previous three versions in most respects. The main difference in the new variant is that it uses ICMP echo requests, also known as pings, to look for other machines to infect. The Nachi worm of last summer had the same capability and, on networks with a number of vulnerable machines, the worm caused severe congestion.
The new Sasser variant could cause the same problems, experts warn. And, Sasser.D can scan multicast addresses, which has led to it causing some destabilization of routers that handle multicast traffic, analysts at The SANS Institute in Bethseda, Md., said.
Sasser.D also uses a different name for the file it leaves on infected PCs: Skynetave.exe. And it creates a remote shell on TCP port 9995, instead of 9996, which is used by the other three variants.
In addition to the new variant, there also is a hoax e-mail circulating that claims to contain a fix for Sasser. The message actually contains a new version of the NetSky worm.
The Sasser worms have infected at least 500,000 machines so far, and perhaps as many as 1 million, security experts say. The original worm is responsible for about 30 percent of those infections, with Sasser.B, Sasser.C and Sasser.D accounting for 40 percent, 10 percent and 20 percent, respectively, according to numbers provided by Network Associates Inc., based in Santa Clara, Calif.
Editors Note: This story was updated to include information on the number of PCs affected by the Sasser worms.
Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: