From: Panda Virus Alerts

- Panda Software reports the appearance of Sasser.A -

Virus Alerts, by Panda Software (http://www.pandasoftware.com)

PandaLabs has detected the appearance of W32/Sasser.A. This worm exploits the LSASS vulnerability to access remote systems. This is one of the vulnerabilities published by Microsoft which affects LSASS (published in the bulletin MS04-011 and available at the following address: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx).

Panda Software has received numerous incidents due to this new worm. Its propagation is on the increase, and right now it is one of the most detected by Panda ActiveScan.

Its behaviour is similar to Blaster. The worm scans random IP addresses until it finds systems with this vulnerability. Once found, it copies itself into the Windows directory with the name AVSERVE.EXE and creates the following registry entry, to ensure it is launched when the system is booted:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    avserve.exe = %windir%\avserve.exe

In addition, the vulnerability uses a buffer overflow to make the LSASS.EXE application crash. Because of this, the system can fail.

To prevent incidents with Sasser.A, Panda Software advises users to update their antivirus software. The company has already made the updates to its products available to users to ensure their solutions can detect and eliminate this worm. Similarly, users can also detect and disinfect this and other malicious code using the free, online antivirus, Panda ActiveScan, which is also available on the company's website at http://www.pandasoftware.com.

More information on Sasser.A is available in Panda Software's Virus Encyclopedia, available on the company's website at: http://www.pandasoftware.com/virus_info/encyclopedia.

Additional information:

- Vulnerability: Flaws or security holes in a program or IT system, and often used by viruses as a means of infection.
- Worm: This is similar to a virus, but it differs in that all it does is make copies of itself (or part of itself).

More technical terms available on: http://www.pandasoftware.com/virus_info/glossary

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
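
A check for the Run-key persistence entry described in the alert, added here as an example and not part of the original message or of any Panda Software tool. It assumes the text comes from running `reg query` on the Run key (name, type and data separated by four spaces); the function names and the sample output are constructed for illustration.

```python
import re

# Indicators from the alert: the Run key and the avserve.exe value/file name.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
INDICATOR = "avserve.exe"

# A value line of `reg query` output: indent, name, type and data, separated
# by four spaces (assumed format; value names may contain single spaces).
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: data}} parsed from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group("name")] = m.group("data").strip()
    return keys


def sasser_a_run_entries(text):
    """Return (value_name, data) pairs under Run that match the alert."""
    hits = []
    for key, values in parse_reg_query(text).items():
        if key.lower() != RUN_KEY.lower():
            continue
        for name, data in values.items():
            # Flag the value name from the alert, or any value whose path ends
            # in avserve.exe (stored expanded or as %windir%, any letter case).
            basename = re.split(r"[\\/]", data.strip('"'))[-1].lower()
            if name.lower() == INDICATOR or basename == INDICATOR:
                hits.append((name, data))
    return hits


# Constructed sample output, not captured from a real host.
SAMPLE = (
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n"
    "    SoundMan    REG_SZ    SOUNDMAN.EXE\r\n"
    "    avserve.exe    REG_SZ    C:\\WINDOWS\\avserve.exe\r\n"
)

if __name__ == "__main__":
    for name, data in sasser_a_run_entries(SAMPLE):
        print(f"Sasser.A Run entry: {name} = {data}")
```

A hit here only shows that the autostart entry exists; the alert's own advice to update antivirus software and scan the system still applies for removal.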