Sasser Worm Could Hit Hard Today

Experts warned it could spread quickly today as workers returned to the office with infected laptops.

Microsoft issued an unusual weekend security warning Saturday that a worm had been unleashed on the Internet, taking advantage of a security hole announced publicly last month. Microsoft once again urged users to install its most recent critical Windows updates.

Later yesterday, Symantec upgraded the Sasser threat to 4 on its scale of 1 (very low) to 5 (very severe) because of the rising number of infections.

Sasser spreads by scanning IP addresses over TCP Port 445, looking for vulnerable systems, according to Symantec. When it finds an unpatched Windows XP or Windows 2000 computer, Sasser.A adds the entry "avserve2.exe"="%Windir%\avserve2.exe" to the registry, tries to block attempts to shut down or reboot the infected computer (by using the AbortSystemShutdown application programming interface) and then begins scanning other systems via an FTP server on TCP Port 5554 seeking to spread itself, Symantec said. Infection can cause "significant degradation in performance," Symantec added; no additional information on possible malicious payload was available.
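For administrators checking whether returning laptops show the network behavior Symantec describes, the following is an added example, not code from Symantec or Microsoft. It flags hosts that contact many distinct addresses on TCP 445 or accept connections on TCP 5554; the flow-record format, the threshold and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

SMB_PORT = 445        # port the article says Sasser scans
FTP_PORT = 5554       # port the article gives for the worm's FTP server
FANOUT_THRESHOLD = 5  # assumption: distinct 445 targets that count as scanning

# Constructed flow records (not real traffic): "time src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
09:00:01 10.0.0.23 10.0.1.5 445
09:00:01 10.0.0.23 10.0.1.6 445
09:00:02 10.0.0.23 10.0.1.7 445
09:00:02 10.0.0.23 10.0.1.8 445
09:00:03 10.0.0.23 10.0.1.9 445
09:00:03 10.0.0.23 10.0.1.10 445
09:00:04 10.0.1.6 10.0.0.23 5554
09:00:05 10.0.0.40 10.0.1.5 445
09:00:06 10.0.0.40 10.0.1.5 445
09:00:07 10.0.0.40 192.0.2.10 443
garbled line without enough fields
"""

def parse_flows(text):
    """Yield (src, dst, dst_port) tuples, skipping malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[1], parts[2], int(parts[3])

def find_suspects(flows, threshold=FANOUT_THRESHOLD):
    """Return {host: evidence} for hosts whose traffic matches the described pattern."""
    smb_targets = defaultdict(set)  # src -> distinct hosts it contacted on 445
    ftp_peers = defaultdict(set)    # host -> peers that connected to its port 5554
    for src, dst, port in flows:
        if port == SMB_PORT:
            smb_targets[src].add(dst)
        elif port == FTP_PORT:
            ftp_peers[dst].add(src)
    suspects = {}
    for host in sorted(set(smb_targets) | set(ftp_peers)):
        fanout = len(smb_targets.get(host, ()))
        peers = sorted(ftp_peers.get(host, ()))
        scanning = fanout >= threshold
        if scanning or peers:
            suspects[host] = {
                "smb_fanout": fanout,
                "port_5554_peers": peers,
                # Both signals together are stronger than either alone.
                "confidence": "high" if scanning and peers else "medium",
            }
    return suspects
```

A file-server client that repeatedly talks to one host on 445 stays below the fan-out threshold, so the threshold should be tuned to the normal SMB usage of the network being monitored.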
