New Sasser worm spreads without the help of email


4 May 2004


Sasser, one of the latest in a series of worms to appear this year, has been discovered to infect PCs without any user intervention as it doesn’t need email to help it spread. Meanwhile, users have also been warned to beware emails that pose as a cure for Sasser as these could contain the worm Netsky-AC.

Also called W32/Sasser.worm, the malware was first spotted last Friday and has been spreading quickly since. Sasser exploits a recent flaw in Windows, and any computer that has not been patched against it and has no other protection may be vulnerable. Instead of spreading by email, Sasser tries to connect to random machines through TCP port 445.

If it locates a vulnerable system, the worm downloads a copy of itself to that machine and adds a file to the default Windows directory. It adjusts the registry to ensure that it can restart the next time the PC is rebooted. Sasser also makes it difficult to restart or shut down a PC. Finally, Sasser installs an FTP server on an affected PC, allowing it to deliver the worm to others in turn.
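The article's key detection point is the one above: Sasser announces itself on the network by trying TCP port 445 on many random hosts in quick succession. The following is an added example, not code from the article or from any antivirus vendor: it reads constructed firewall log lines in an assumed format and flags any source that reaches an unusually high number of distinct hosts on port 445 within a short window, which is the fan-out pattern a scanning worm produces and a normal file-sharing client does not.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log lines (sample data, not from the article):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
SAMPLE_LOG = """\
2004-05-01T10:00:01 10.0.0.7 -> 10.0.3.12:445 BLOCK
2004-05-01T10:00:01 10.0.0.7 -> 172.16.9.201:445 BLOCK
2004-05-01T10:00:02 10.0.0.7 -> 192.168.44.5:445 BLOCK
2004-05-01T10:00:02 10.0.0.7 -> 10.0.0.250:445 ALLOW
2004-05-01T10:00:03 10.0.0.7 -> 10.200.1.3:445 BLOCK
2004-05-01T10:00:03 10.0.0.7 -> 10.0.0.251:445 BLOCK
2004-05-01T10:00:04 10.0.0.7 -> 10.0.0.252:445 BLOCK
2004-05-01T10:00:05 10.0.0.7 -> 10.0.0.253:445 BLOCK
2004-05-01T10:00:07 10.0.0.9 -> 10.0.0.20:445 ALLOW
2004-05-01T10:00:08 10.0.0.9 -> 10.0.0.21:445 ALLOW
2004-05-01T10:00:09 10.0.0.9 -> 10.0.0.20:80 ALLOW
2004-05-01T10:02:30 10.0.0.7 -> 10.0.5.5:445 BLOCK
"""

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port, action)."""
    ts, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port), action

def find_scanners(log_text, port=445, window_s=60, threshold=8):
    """Return {src: max_distinct_dsts} for sources that reach `threshold`
    distinct destination hosts on `port` inside any `window_s` window.
    Blocked and allowed attempts both count: the fan-out is the signal."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, p, _ = parse_line(line)
        if p == port:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            seen = set()
            for t, dst in events[i:]:
                if t - t0 > timedelta(seconds=window_s):
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= threshold:
            scanners[src] = best
    return scanners
```

In the sample data only 10.0.0.7 is flagged: it touches eight distinct hosts on port 445 in four seconds, while 10.0.0.9 behaves like an ordinary client. Tune the threshold to the size of the network, since on a large flat subnet a legitimate management host may also touch many machines on 445.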

In a new development, researchers have since found that emails purporting to come from an antivirus provider may contain the worm W32/Netsky-AC. The messages warn against Sasser and other worms such as Netsky, Bagle, Blaster or MyDoom. They contain an attachment which users are told can disinfect their PC. However, this is just a trick designed to make users unknowingly execute the worm’s payload, according to Graham Cluley, senior technology consultant for Sophos. “The Netsky author is preying on users’ fear of computer attack,” he said.

Sophos researchers have also discovered hidden text in the Netsky-AC code that appears to suggest that its author and the writer of Sasser are one and the same. The message reads: “Hey, av firms, do you know that we have programmed the sasser virus?!?. Yeah thats true! Why do you have named it sasser? A Tip: Compare the FTP-Server code with the one from Skynet.V!!! LooL! We are the Skynet… “

Graham Cluley commented: “The series of Netsky worms – like Sasser – have been tremendously successful at spreading, but it’s hard to be 100pc certain at this stage if the same people are behind both viruses.”

By Gordon Smith