From: Panda Virus Alerts

- Sasser creator copycats: a new worm has been discovered, Cycle.A -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 10 2004 - The arrest of the alleged creator of the Sasser worms has not been accompanied by a lull in the momentum of computer viruses. PandaLabs has detected the appearance of a new worm, Cycle.A (W32/Cycle.A.worm) which -like Sasser and its variants- exploits the LSASS vulnerability affecting some Windows versions in order to infect computers through the Internet.

The scenario has changed, however, as indicated by the text found inside the virus code. In this text, the virus creator -alias Cyclone- claims to be Iranian and refers to the social and political situation in his country. The entire content of this message can be read in Panda Software's Virus Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/.

Cycle.A tries to enter computers through communications port TCP45 in order to check if the system is vulnerable. If it is, the worm causes the affected computer to download a copy of itself called CYCLONE.EXE. However, this will only take place if the application TFTP.EXE is installed on the system. Additionally, and regardless of whether the worm has managed to copy itself to the targeted computer, the attempt by the virus to enter the system causes a failure in the application LSASS.EXE which makes the computer restart every 60 seconds.

According to Luis Corrons, head of PandaLabs, "It was to be expected that sooner or later some other unscrupulous individual created a new virus that exploited the LSASS vulnerability. The real problem lies in the fact that the necessary code to exploit this security hole is in possession of many people who can incorporate it into their creations. Therefore, it is very likely that new variants of Sasser and Cycle, as well as other malicious codes that can act like them, will appear in the future."

Meanwhile, the members of the Sasser worm family -which was joined yesterday by Sasser.E- continue to cause incidents on computers worldwide. In fact, Sasser.B continues to be one of the viruses most frequently detected by Panda ActiveScan, Panda Software's free online scanner.

In order to prevent your computer from falling victim to Cycle.A, Sasser and its variants, or any other worm that exploits the LSASS vulnerability, it is necessary to install the Microsoft patch available from http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.

Panda Software also advises users to tighten security measures, ensure that they have a fully updated antivirus installed and keep themselves informed of any new viruses that could appear. Panda Software has made the necessary updates to its products available to clients.

More information about these and other IT threats is available in Panda Software's Virus Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/

Panda Software's online support center (http://www.pandasoftware.com/support/) also offers help to users. In addition, users can scan their computers online for free with the ActiveScan solution, available on the company's web page, http://www.pandasoftware.com.

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member