Sasser.D Worm Arrives, Ready to Do Damage

UPDATED: A fourth version of Sasser has the potential to cause serious slowdowns and outages; a hoax e-mail claiming to contain a fix for the worm in fact contains a version of the NetSky worm.

A fourth version of the Sasser worm is now at work infecting Windows machines, and this one has the potential to cause serious network slowdowns and outages, experts say.

The Sasser worm family, like its namesake, journeyman major league catcher Mackey Sasser, who once became so overcome by nerves that he couldnt throw the ball back to the pitcher and tried to reinvent himself as a first baseman/outfielder, is showing signs of changing its stripes in order to survive.

Sasser.D appeared Monday afternoon and is similar to the previous three versions in most respects. The main difference in the new variant is that it uses ICMP echo requests, also known as pings, to look for other machines to infect. The Nachi worm of last summer had the same capability and, on networks with a number of vulnerable machines, the worm caused severe congestion.

/zimages/3/28571.gifFor insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

The new Sasser variant could cause the same problems, experts warn. And, Sasser.D can scan multicast addresses, which has led to it causing some destabilization of routers that handle multicast traffic, analysts at The SANS Institute in Bethseda, Md., said.

Sasser.D also uses a different name for the file it leaves on infected PCs: Skynetave.exe. And it creates a remote shell on TCP port 9995, instead of 9996, which is used by the other three variants.

/zimages/3/28571.gifFor more details on how Sasser works and how to protect against the worm, click here.

In addition to the new variant, there also is a hoax e-mail circulating that claims to contain a fix for Sasser. The message actually contains a new version of the NetSky worm.

The Sasser worms have infected at least 500,000 machines so far, and perhaps as many as 1 million, security experts say. The original worm is responsible for about 30 percent of those infections, with Sasser.B, Sasser.C and Sasser.D accounting for 40 percent, 10 percent and 20 percent, respectively, according to numbers provided by Network Associates Inc., based in Santa Clara, Calif.

Editors Note: This story was updated to include information on the number of PCs affected by the Sasser worms.

/zimages/3/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page: