From; Trend Micro Newsletters: As of May 2, 2004 10:07 PM (PST), TrendLabs has declared a High Risk Virus alert to control the spread of WORM_SASSER.B. Several infection reports have been received indicating that this worm is spreading in the Latin American region. This variant of WORM_SASSER.A similarly exploits the Windows =93Local Security Authority Subsystem Service=94 (LSASS) vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. =95 http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=3DMS04-011_MI CROSOFT_WINDOWS =95 http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx To propagate, this worm scans random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overrun on LSASS.EXE, which causes the program to crash and eventually require Windows to reboot. TrendLabs has released the following EPS deliverables: TMCM Outbreak Prevention Policy 112 (released) Official Pattern Release 883 (released) Damage Cleanup Template 334 (released) Vulnerability Assessment Rule 010 (released) Network VirusWall (NVW) Pattern 10125 (released) For more information on WORM_SASSER.B, you can visit our Web site at: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=3DWORM_SASSER .B. You can modify subscription settings for Trend Micro newsletters at: http://www.trendmicro.com/subscriptions/default.asp ______________________________________________________________________ *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=3Dsubscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=3Dsubscribe> A Technical Support Alliance and OWTA Charter Member