Sasser worm kicks Microsoft's (LS)ASS
Recently, three variants of "W32.Sasser.worm", commonly known as "Sasser", have been causing alarm worldwide. These worms, along with a variant of another worm, "Agobot" or "Agrobot", attack systems that are not protected against the flaw in Microsoft's Local Security Authority Subsystem Service (LSASS).
Microsoft had instructed its users to update their systems with a firewall and Microsoft Security Update MS04-011, released on April 13, 2004, 18 days before the worm was discovered. The worm mainly targets Windows 2000 and XP machines, but it also slows down other systems, including non-Windows systems.
The worm spreads to PCs automatically, even when machines are idle. After infecting one PC, it starts to spread to other computers on the network. Users may see error messages and experience frequent reboots and crashes.
Several thousand PCs are already affected by this worm, and it is predicted to affect more in the coming days. According to Mikko Hypponen, director of antivirus research at F-Secure, the whole incident closely resembles the Blaster incident of August 2003.
To get rid of the worm, users need to first patch the LSASS hole and then remove the worm; otherwise the worm can re-infect the machine.
The AV vendor F-Secure has released a free tool to remove the Sasser.A, Sasser.B and Sasser.C worms. In addition, Microsoft has made available a software-based cleaner tool that automatically removes the Sasser worm from infected PCs after the security update has been deployed.