Panda Security
VIRUS ALERT
May 9, 2004
HIGH

Sasser Creator Arrested but a New Variant Sasser.E Appears and Spreads Rapidly Around the Globe

Sasser Variants Still Maintain Red Alert Status

• Despite the arrest of the creator of the Sasser virus, the appearance of a new variant indicates that there is an organized group of delinquents who are continuing to put new viruses on the Internet
• In just a few hours since its appearance, Sasser.E has managed to infect computers all over the world
• The new variant eliminates the variants of the Bagle worm in computers infected by that virus, which indicates that there is a continuing clash among the creators of these worm viruses
• Just like its predecessors, Sasser.E exploits the vulnerability of the Windows LSASS in order to infect computers automatically
• As the workweek renews, the number of computers affected is expected to increase notably

Glendale, CA - May 9 2004 - PandaLabs has detected the appearance of a new variant of the Sasser worm virus which, according to data gathered by Panda Software's international technical support network, is affecting computers all over the world.

The appearance of the Sasser.E worm comes just after the announcement of the arrest of the presumed creator of the virus. According to Luis Corrons, Head of PandaLabs, “This fact confirms our fears that he is not the only person programming the Sasser and Netsky worms, but rather it is an organized group of delinquents. This seems to indicate that there is a kind of cyber war being waged among the creators of the Bagle, Mydoom, Netsky and Sasser worms, and it will continue to cause many more variants of the virus.”

The intention of these “underground” groups is still unknown. “However”, adds Luis Corrons, “It’s possible that they are trying to attract attention about viral codes while at the same time carrying out other types of acts that will translate into personal economic gains, such as stealing bank data in order to commit fraud. The psychological profile could mean that they are looking for fame, but the risks they are taking clearly outweigh the fame they could attain since these acts undoubtedly lead to prison terms. But it is unquestionably the conduct of a competent megalomaniac.”

Sasser.E is just the latest in a string of variants (A, B, C, D) which the epidemic has caused in just a few days. Just like the others, Sasser.E exploits a Microsoft Windows security flaw known as LSASS, published in bulletin MS04-011.

Sasser.E searches the Internet for vulnerable computers to attack. Once that is done, it creates a copy of itself in the Windows directory under the file name LSASSS.EXE. The result is a system error which forces the infected computer to reboot every 60 seconds. In addition, and in contrast to its predecessors, Sasser.E has been programmed to erase variants of the Bagle worm from the system.

Due to the fast-spreading nature of the variants, companies and businesses should take preventive steps before the renewal of the workweek on Monday morning. To prevent a system from becoming a victim of Sasser.E or any of its variants, it is necessary to install the patch which Microsoft offers to correct the LSASS security flaw, which can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx, to update your antivirus protection, and to keep abreast of any new variants.

Panda Software has made the necessary updates to its products available to clients. In addition, users are advised that they can scan and repair their computers from any current computer virus online with our ActiveScan solution, available on the company web page http://us.pandasoftware.com/acttivescan. Panda Software’s online support center (http://www.pandasoftware.com/support/) also offers help to users. Panda Software clients can update their antivirus through the applications installed on their computers.

More information about these and other IT threats is available from http://www.pandasoftware.com/virus_info/encyclopedia/

About PandaLabs

On receiving a possibly infected file, Panda Software's technical staff gets right to work. The file is analyzed and, depending on the type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.

For more information: Alan Wallace [email protected] Tel. (818) 543-6909

Original source: panda-us-virusalert-2004-05-09-SasserCreatedArrestedandReleaseofSasser.E.doc