New Worm Infecting Millions Of Computers

[KingCobra]

Quote:

1 hour, 27 minutes ago

STOCKHOLM (AFP) - A new Internet worm is spreading worldwide and has probably already infected millions of computers, a Finnish anti-virus expert told AFP.

The Sasser worm can infect any computer that is switched on and connected to an Internet service provider, and unliked most other worms or viruses is not spread by email, said Mikko Hyppoenen, head of anti-virus research at the Finnish Internet security firm F-Secure.

"This is one of few worms that spreads automatically. It is enough for your PC to be on," he told AFP in a telephone interview from Helsinki.

The worm typically shuts down the computer then automatically re-boots it, repeating the procedure several times. Hyppoenen said computers behind a firewall should be spared from the attack.

He stressed that the worm, while inconvenient, was otherwise harmless and other experts said it was relatively simple to destroy.

"This worm does not have any criminal intentions, unlike the Bagle and Sobig viruses we saw earlier (this year) which took control of computers by opening back doors to send spam. Sasser doesn't do anything," he said.

"The Blaster virus in August 2003 infected millions of computers... this time there could possibly be more computers infected," Hyppoenen added, however.

Hyppoenen said experts did not yet know who was behind the attack but suspected that it was teenage hackers out to have some fun.

"It was probably some hobbyist, a teenager who has the skills and wants to show off," he said.

Sasser was first observed at 0001 GMT Saturday, and was infecting computers that had not installed the latest Microsoft software update in the past 18 days.

Installing the patch fixes the problem, but many users may find that difficult because their computer keeps on shutting down, Hyppoenen said.

He expected the number of computers affected by the worm to increase dramatically on Monday, when employees who had worked on laptop computers at home over the weekend returned to work and hooked them up to the office network.

The antivirus company Symantec said on its website that Sasser spreads by scanning Internet computers for "vulnerable systems" -- computers that were permanently connected to their Internet service provider.

It was first spotted on Friday, and Windows 2000 (news - web sites), Windows Server 2003 and Windows XP (news - web sites) were the exposed operating systems. Other Windows systems, Linux (news - web sites) and Macintosh (news - web sites), among others, were not affected.

Symantec described Sasser's geographical distribution late Saturday as "low" and classified the threat containment and removal as "easy."

Details of how to eliminate the bug are on (http://securityresponse.symantec.com).

"The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the Internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for the US anti-virus company Sophos.

"At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."

Microsoft first reported the vulnerability on April 13.

The Russian anti-virus firm Kaspersky Labs described danger level for computer users from the worm as "medium" on its website.

Since laptops are not protected by company firewall systems if used on another server than the company's, they would run the risk of being infected, and in turn infect the company's network when used Monday in the office.

Sasser is the third wave of major Internet viruses to be launched this year, after Mydoom.A, which spread in January, and Bagle.B, in February.

Code:

http://story.news.yahoo.com/news?tmpl=story&cid=1512&ncid=1512&e=2&u=/afp/20040501/wl_afp/internet_virus_finland_040501203913

[Thankbot]

3 Users already said Thank You!

KingCobra, Bads, greypigeon,

[~*McoreD*~]

What does the worm try to do in your system:

# Attempts to create a mutex called Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
# Copies itself as %Windir%\avserve.exe.

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

If you run as a Limited User (at least for these couple of days), the worm will NOT have rights to copy itself to the Windows directory and you will be safer.

But if you are too late....
Mitigation Steps for Affected Computers
If your computer is infected with the W32.Sasser.worm, please do the following:

Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
Disconnect the computer from the Internet.
Restart the computer. If you have problems rebooting, reboot in safe mode.
Press CTRL+ALT+DEL.
Click the Task Manager.
Click the Processes tab.
Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
Click the End Task button.
Click Start.
Click Search and then search for and delete the following files:
C:\WINDOWS\avserve.exe
C:\WINDOWS\system32\*_up.exe
Click Start again, click Run, and then type: regedit32
Click OK.
In Registry Editor, locate and delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
Connect the computer to the Internet.
Go to the Windows Update site, and click the Scan for Updates button.
Download and install the critical updates recommended after the scan.

Source: www.Bink.nu