|The vulnerability exploited by the Sasser worm has been described by Microsoft as critical|
Infected by Sasser? Download the free disinfection tool from Sophos
Sophos researchers have warned computer users to protect themselves against the W32/Sasser-A and W32/Sasser-B worms, which spread across the internet exploiting a critical security vulnerability in Microsoft's Windows operating system.
The Sasser worm exploits the LSASS vulnerability first reported by Microsoft on 13 April in Microsoft Security Bulletin MS04-011.
"The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for Sophos. "At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."
The security vulnerability, which Microsoft has described as "critical", is said to affect the following Microsoft software:
- Microsoft Windows NT Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP
- Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition
- Microsoft NetMeeting
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition (SE)
- Microsoft Windows Millennium Edition (ME)
However, the Sasser worm is only capable of successfully infecting Windows XP and Windows 2000 systems.
"System administrators should note that Sasser doesn't spread by email - so internet email scanning services will not be able to detect this worm, and an absence of reports at your email gateway does not mean you can rest on your laurels," said Graham Cluley. "Companies should deploy the patch from Microsoft, ensure their firewall is set up correctly and update the anti-virus on their desktop and servers."
Sophos issued protection against the W32/Sasser-A worm at 06:30 GMT on 1 May 2004. Protection was also made available against W32/Sasser-B . Customers using Enterprise Manager or the Sophos Anti-Virus Small Business Edition were automatically protected at their next scheduled update.
"Home users are particularly vulnerable to attacks like this, because they are often not running the latest anti-virus protection, haven't downloaded the latest security patches from Microsoft, and may not be running a personal firewall," continued Cluley. "All computer users should ensure their systems are properly protected from internet attacks like Sasser."
Home users of Microsoft Windows can visit windowsupdate.microsoft.com to have their systems scanned for critical Microsoft security vulnerabilities.
Sophos recommends that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.mspx .
Sasser worm disinfection tool
You can remove the W32/Sasser worms automatically from infected computers with Sophos's free disinfection tool. Read more about the disinfection tool here.
Sophos reminds users to update their anti-virus protection and to ensure that they have installed the patch described in Microsoft Security Bulletin MS04-011.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.