The Register® — Biting the hand that feeds IT

Sasser worm creates havoc

Blaster Mk II hits railways and banks

Free whitepaper – Avoiding 7 common mistakes of IT security compliance

European sysadmins returning to work after a long Bank Holiday weekend are in for a nasty surprise with the appearance of a fast-spreading Blaster-like Internet worm.

Sasser exploits a recently-announced serious Windows vulnerability - a buffer overrun in Windows' Local Security Authority Subsystem Service. The fix for this bug has caused widespread problems, but has now become double-plus critical. So apply with caution.

Since its arrival on Saturday, Sasser has spawned three new versions. None spread by email. Each targets vulnerable Win 2000 and XP PCs.

When launched, the worm registers itself in the system registry and begins to aggressively scan IP addresses for PCs which have the vulnerability described in MS04-011. A vulnerable computer will accept commands to download and launch copies of the worm. Downloading is carried out by the FTP protocol. As with Blaster, infected systems will often become unstable, but it's the aggressive scanning behaviour associated with the worm that's causing the most problems.

Computer systems of Sampo, Finland's third largest bank, RailCorp in Australia and various other networks were hard hit by Sasser, resulting in operational problems.

Defensive measures involve the use of firewalls and applying patches from Microsoft. Anti-virus software will help with disinfecting systems -but once again this been found wanting in stopping the outbreak of a fast-spreading Internet worm. ®

Related stories

Blaster body count '8m or above' - MS
Blaster beats up British business
Blaster rewrites Windows worm rules
MS score card: four patches, 20 vulns, heaps of trouble
MS rethinks security patch test scheme

Free whitepaper – Certify your software integrity with Thawte code signing certificates

Don’t Miss

HandcuffsFeds: Hospital hacker's 'massive' DDoS averted

Arrest foils 'Devil's Day' scheme

thumbs down teaser 75Buggy 'smart meters' open door to power-grid botnet

Grid-burrowing worm only the beginning

MicrosoftMicrosoft knew of nasty IE bug a year before attacks

Security delayed or security denied?

BlockMaster SafeStickBlockMaster SafeStick hardware-encrypted USB drive

Review Tough enough?