posted on May, 3 2004 @ 07:41 AM
First, if you've kept up with your MS Windows updates, there isn't much to worry about.
Second, if you have a firewall, block port 445 to incoming traffic (although this port is usually closed by default). This will protect your network connected to the internet.
Third, keep your AV products up to date.
Following these three simple rules should keep most PCs safe.
Here's more information from WatchGuard's Live Security service:
About the Virus
Beginning Friday evening a new worm called Sasser (technically known as W32/Sasser.worm) began spreading on the Internet. Like previous worms (such as
Slammer, and to some extent, CodeRed and Nimda), Sasser relies on exploiting a recent flaw in Microsoft Windows to spread. If the worm finds a
computer vulnerable to the specific Windows flaw, it infects that PC without any user interaction. Worms like Sasser that require no user interaction
tend to spread wildly.
What It Does
Unlike most worms, Sasser does not rely on email to spread. Instead, the worm attempts to connect to random victims on TCP port 445 and exploits a
Microsoft Windows vulnerability we described in an April 13 alert (specifically MS04-011). Its name arises from the fact that it exploits a buffer
overflow in LSASS (Local Security Authority Server Service).
If the exploit is successful, the worm downloads a copy of itself to your machine and adds the file "avserve.exe" to the default Windows directory.
The worm also adjusts the registry to ensure that it can restart the next time you reboot. In fact, using a special Windows API, AbortSystemShutdown,
Sasser makes it difficult to restart or shut down your PC.
Finally, Sasser installs an FTP server on your computer, running on TCP port 5554 so that your machine can deliver the worm to others.
Once installed on a victim machine, Sasser repeats the entire process by randomly scanning IP addresses on port 445, searching for exploitable
machines. Out of the randomly scanned IPs, 50% are totally random, 25% have the same first octet as your IP address and the last 25% have the same
first two octets as your IP address. This helps Sasser to spread efficiently both on the Internet and within your local network.
What you can do
Make sure you've installed all of the Microsoft patches that we recommended in our April 13 alert! With these patches installed, Sasser cannot find a
direct path into your network. Take extra precautions to protect your network from your mobile users or visiting customers. If this worm can sneak its
way onto an unpatched Microsoft network, it will be difficult to contain.
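Added example, not part of the post above or of WatchGuard's alert: the alert describes two network-visible traits of Sasser, a single host fanning out to many destinations on TCP/445 (with the 50/25/25 mix of fully random, same-first-octet and same-first-two-octet targets) and victims pulling the worm back over TCP/5554. The script below applies that description as a detection heuristic to flow records. The flow-log format (`src dst dport`, one record per line), the sample records and the fan-out threshold are all constructed for illustration; they are not real traffic or a vendor log format.

```python
"""Flag hosts whose outbound traffic matches Sasser-style scanning.

Heuristic (from the alert's description of the worm):
  * a source that contacts many distinct hosts on TCP/445 is scanning;
  * the scanned targets cluster by first octet / first two octets;
  * any connection to TCP/5554 is a victim fetching the worm over FTP.
"""
from collections import defaultdict

SMB_PORT = 445          # port Sasser exploits (LSASS via SMB)
SASSER_FTP_PORT = 5554  # port of the FTP server the worm installs

# Constructed sample flow records: "src_ip dst_ip dst_port". One infected host
# (10.1.2.3) fans out on 445 with a locality mix like the one described, one
# victim (10.1.9.44) pulls the worm over 5554, and the rest is benign noise.
SAMPLE_FLOWS = """\
10.1.2.3 203.0.113.7 445
10.1.2.3 198.51.100.200 445
10.1.2.3 192.0.2.77 445
10.1.2.3 172.16.5.5 445
10.1.2.3 10.200.4.9 445
10.1.2.3 10.44.18.2 445
10.1.2.3 10.1.9.44 445
10.1.2.3 10.1.77.5 445
10.1.2.3 10.1.0.250 445
10.1.2.3 10.1.2.250 445
10.1.9.44 10.1.2.3 5554
10.1.5.5 10.1.5.6 445
10.1.5.5 10.1.5.7 139
10.1.6.6 10.1.7.7 80
"""


def parse_flow(line):
    """Split one constructed 'src dst dport' record into (src, dst, int(dport))."""
    src, dst, port = line.split()
    return src, dst, int(port)


def prefix(ip, n):
    """First n dotted octets of an IPv4 address, e.g. prefix('10.1.2.3', 2) == '10.1'."""
    return ".".join(ip.split(".")[:n])


def analyse(lines, fanout_threshold=8):
    """Return (scanners, ftp_pulls).

    scanners: {src: {"targets": n, "same_first_two": a,
                     "same_first_octet_only": b, "remote": c}}
        for each source that hit at least fanout_threshold distinct hosts on 445.
        The three buckets are mutually exclusive and sum to n, mirroring the
        alert's 25% / 25% / 50% split of the worm's target selection.
    ftp_pulls: [(src, dst)] for every connection to TCP/5554.
    """
    targets = defaultdict(set)
    ftp_pulls = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        src, dst, port = parse_flow(raw)
        if port == SMB_PORT:
            targets[src].add(dst)
        elif port == SASSER_FTP_PORT:
            ftp_pulls.append((src, dst))

    scanners = {}
    for src, dsts in targets.items():
        if len(dsts) < fanout_threshold:
            continue  # a few SMB connections are normal file-sharing traffic
        same_two = {d for d in dsts if prefix(d, 2) == prefix(src, 2)}
        same_one = {d for d in dsts if prefix(d, 1) == prefix(src, 1)} - same_two
        scanners[src] = {
            "targets": len(dsts),
            "same_first_two": len(same_two),
            "same_first_octet_only": len(same_one),
            "remote": len(dsts) - len(same_two) - len(same_one),
        }
    return scanners, ftp_pulls


if __name__ == "__main__":
    found, pulls = analyse(SAMPLE_FLOWS.splitlines())
    for host, stats in found.items():
        print(f"possible Sasser scanner {host}: {stats}")
    for src, dst in pulls:
        print(f"TCP/5554 fetch: {src} -> {dst} (check {dst} for avserve.exe)")
```

The fan-out threshold is the knob to tune: file servers and domain controllers legitimately talk to many hosts on 445, so in a real deployment you would whitelist them or key the count on a short time window rather than the whole log. The 5554 check is the cheaper signal, since nothing legitimate on a Windows network should be serving FTP on that port.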