Press Releases

Browse our press release archive

01 May 2004

Sasser internet worm attacks unpatched PCs, Sophos advises of virus threat

The vulnerability exploited by the Sasser worm has been described by Microsoft as critical
The vulnerability exploited by the Sasser worm has been described by Microsoft as critical

Infected by Sasser? Download the free disinfection tool from Sophos

Sophos researchers have warned computer users to protect themselves against the W32/Sasser-A and W32/Sasser-B worms, which spread across the internet exploiting a critical security vulnerability in Microsoft's Windows operating system.

The Sasser worm exploits the LSASS vulnerability first reported by Microsoft on 13 April in Microsoft Security Bulletin MS04-011.

"The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for Sophos. "At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."

The security vulnerability, which Microsoft has described as "critical", is said to affect the following Microsoft software:

  • Microsoft Windows NT Workstation 4.0 Service Pack 6a
  • Microsoft Windows NT Server 4.0 Service Pack 6a
  • Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP 64-Bit Edition Service Pack 1
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 64-Bit Edition
  • Microsoft NetMeeting
  • Microsoft Windows 98
  • Microsoft Windows 98 Second Edition (SE)
  • Microsoft Windows Millennium Edition (ME)

However, the Sasser worm is only capable of successfully infecting Windows XP and Windows 2000 systems.

"System administrators should note that Sasser doesn't spread by email - so internet email scanning services will not be able to detect this worm, and an absence of reports at your email gateway does not mean you can rest on your laurels," said Graham Cluley. "Companies should deploy the patch from Microsoft, ensure their firewall is set up correctly and update the anti-virus on their desktop and servers."

Sophos issued protection against the W32/Sasser-A worm at 06:30 GMT on 1 May 2004. Protection was also made available against W32/Sasser-B . Customers using Enterprise Manager or the Sophos Anti-Virus Small Business Edition were automatically protected at their next scheduled update.

"Home users are particularly vulnerable to attacks like this, because they are often not running the latest anti-virus protection, haven't downloaded the latest security patches from Microsoft, and may not be running a personal firewall," continued Cluley. "All computer users should ensure their systems are properly protected from internet attacks like Sasser."

Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for critical Microsoft security vulnerabilities.

Sophos recommends that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx .

Sasser worm disinfection tool

You can remove the W32/Sasser worms automatically from infected computers with Sophos's free disinfection tool. Read more about the disinfection tool here.

Sophos reminds users to update their anti-virus protection and to ensure that they have installed the patch described in Microsoft Security Bulletin MS04-011.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.