From: Panda Oxygen3 24h-365d wrote:

- New Virus Epidemic caused by Sasser A and B poses threat this week -

Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 2 2004 - Four years to the date after the worldwide virus LoveLetter epidemic struck, we are before another great virus whose effects could reach historic dimensions. After the appearance of the Sasser.A, the Sasser.B has taken the top spot as the worm virus most detected and disinfected by Panda ActiveScan. Technical support teams from Panda are assisting users worldwide who have been affected by both of these worm viruses.

"The most affected groups are the large computer pools which, despite upgrading their antivirus programs daily, will continue to be attacked until the system is installed with the latest patch by Microsoft. In these cases, the task is arduous and those in charge must correct it unit by unit if they want the problem to be fully solved," says Luis Corrons of PandaLabs.

"Compared to other active viruses which have appeared on weekends, when activity is low - doubly so now that May 1st is a holiday in many countries - this one has positioned itself as one of the quickest-spreading and virulent ones. All these signs make for a dark forecast for the beginning of the week when it is expected that the number of incidents will soar at the beginning of the work day," adds Luis Corrons.

In addition, we expect there to appear new variants in the coming days, just as we have seen occur over the last few months. "It seems that another attack combined with simultaneous different variants is on the way," adds Corrons.

"What's more, large companies which have remote users that go on line via virtual networks or which work with laptops without corporate firewall protection may go online on Monday and find themselves affected by the virus even though they have the patch installed and the antivirus upgraded, due to the fact that both variants use the TCP 445 port to spread and this port is the one used to share folders and printers on the Internet."

This circumstance, coupled with the vulnerability which Sasser.A and B take advantage of, means practically all Microsoft systems will be affected, making millions of computers exposed to infection by this worm virus.

"Users may be infected without even knowing it, the only symptom being that the computer will restart every time the user tries to go on line. Advanced users will detect the intrusion that Sasser creates in the register, the file avserve.exe that it creates in the Windows folder or in some cases it could appear in a Windows menu warning of problems with LSA Shell or errors in lsass.exe," adds Luis Corrons.

Its behavior is similar to Blaster, which appeared on August 10, 2003. Since the date of the alert, 26 days passed before someone took advantage of it. But in Sasser's case, only three days have gone by since Microsoft publicly announced the solution. As for Blaster, in the early moments of the attack, that is Monday August 11, it affected 2.5% of the computers analyzed by ActiveScan worldwide. This variant of Sasser is nearing 3% in just 24 hours.

"The only solution possible is to install the Microsoft patch as soon as possible, upgrade your antivirus protection, and keep continually informed about any future developments that may come about," says Corrons. "We want to add that Panda customers are protected once they upgrade their antivirus and, in addition, we have published two free tools that can be used to combat the effects of these worms."

If you have been affected, Panda recommends the following steps in order to disinfect and protect your system completely:

- Disconnect all the cables/wires connected and used for internet use. This way the user will avoid the computer becoming affected again during the disinfecting process.
- Take the following steps of disinfection for each one of the computers, including the servers, and do not go online until you are sure the system is completely free of the virus.
- In order to prevent the continuous restarting caused by the virus, apply the solution provided by Microsoft.
  NOTE: If you do not use the solution provided by Microsoft, the computer will not be protected from the virus and the restarting problem will continue each time you connect onto the Internet. If you are going to format and reinstall the system, you must include this patch for it to be protected from the virus.
- Download the disinfecting system PQREMOVE (for example on the windows desk) from the website www.pandasoftware.com
  NOTE: If you have difficulties downloading PQREMOVE from the infected machine, try doing so from a virus-free computer. Once downloaded, install it in the affected machine and copy it on a disk.
- Execute it. Even if PQREMOVE indicates that it hasn't found any active viruses in the system, press "continue" to carry out a complete analysis.
- Restart the computer.
- Activate the antivirus.
- Carry out a complete analysis of the entire system with an antivirus program.

More information about this threat and others, in the Panda Software Virus Encyclopedia, available at www.pandasoftware.com/virus_info/encyclopedia

Help available in the On Line Support Center: www.pandasoftware.com/support

Microsoft patch available at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Panda Software customers can update the antivirus right from the solutions installed on their computers.

Free detection and disinfection available with Panda ActiveScan, at www.pandasoftware.com

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member