'Sasser' Worm Crashes PCs


'Sasser' Worm Crashes PCs

By Brian Krebs
Special to The Washington Post
Tuesday, May 4, 2004; Page E01

A new Internet worm that infected hundreds of thousands of computers over the weekend picked up speed as people returned to work on Monday and turned on their infected PCs, security experts said.

The worm dubbed "Sasser" began spreading early Saturday morning, infecting or crashing computers that run on the Windows 2000 and XP operating systems. The worm attacks systems that were not updated with software fixes Microsoft released less than three weeks ago to address security holes in Windows.

PCs infected with Sasser will either crash and restart repeatedly or start scanning the Web for other vulnerable computers to infect. The worm can infect unprotected Windows XP computers less than 10 minutes after they are connected to the Internet, said Mikko Hypponen, director of antivirus research at F-Secure Corp. in Finland.

Hypponen said most of the infected computers appear to be in Europe and Asia, where the workweek began earlier than in the United States. He estimated that "hundreds of thousands" of computers are infected worldwide. Atlanta-based Internet Security Systems estimated that the worm has infected between 500,000 and 1 million computers so far.

Unlike e-mail worms that are launched only when the recipient opens an e-mail attachment containing a virus, Sasser spreads to vulnerable computers without any action by the victim. Sasser wriggles into computers through a software hole in the Windows security program that decides who can gain access to a computer.

Network worms are an annoyance for home users, but they do their biggest damage inside corporate networks. Once activated, Sasser generates so much Internet traffic that it can overwhelm corporate networks with a flood of data as it tries to spread.

Antivirus companies initially considered Sasser a low threat because it was spreading slowly. But by Saturday evening, experts had identified a third version of Sasser capable of spreading 10 times faster than the original, said Joe Stewart, a senior security researcher for LURHQ, a security services company based in Chicago.

"It looks like the worm's author decided it wasn't spreading fast enough, tweaked it a little and re-released it," Stewart said.

Stewart said certain portions of Sasser's internal code closely resemble sections of the latest NetSky worm, a prolific family of viruses that spawned no fewer than 26 variants in the past two months. A message in the most recent NetSky worm reads: "Hey, av firms, do you know that we have programmed the sasser virus?!?."

Several large corporations around the world reported problems resulting from the worm. The worm infected at least 400 computers and laptops in Montgomery County government offices. Michael Knuppel, the county's chief technology officer, said workers were in the final stages of patching the desktop PCs when the worm struck. The infections did not interfere with the availability of any county services, he said.

Many organizations rely on firewalls to keep hackers and Internet viruses at bay, but such measures are less effective when someone plugs an infected computer into a network.

"We're pretty confident the worm came in from a laptop that someone had from home and brought into the office," Knuppel said.

Brian Krebs is a staff writer for washingtonpost.com.

© 2004 The Washington Post Company
Hey ray.... give us some first hand reporting :)
Please don't take those off, 50 angels die every time you air those out.
This one isn't playing too nice. The campus here had to send out a notice to everyone telling us that not maintaining your computer and letting this thing loose is causing a major problem with the network. Apparently the network is now running at about 90%. :eek:
Yeah, I'm not too fond of these virus makers.

Pretty lame way to get attention and get your jollies. Personally, I think the guys that make these things just have no cojones -
I don't get it.
Why would you gain satisfaction by messing up thousands of people ?
squirell said:
I don't get it.
Why would you gain satisfaction by messing up thousands of people ?
I guess I should download the fix from Microsoft.
squirell said:
I don't get it.
Why would you gain satisfaction by messing up thousands of people ?
To be honest, the real reason is, when these programmers who write this stuff go for a job in a "not-so-clean" industry, they can have bragging rights about encoding some of the biggest worms and trojans on the net. Believe it or not, McAfee and Symantec (Norton), all those big companies, would rather hire these "mean" programmers for their own research. Network Intrusion Detection is about as dirty as the IT Industry itself. :eek:
My buddy's comp just got infected by it, all he had to do was go to Dr. Watson and then go to startup and unselect it.
