From: Panda VIRUSALERTSCOM

- A new variant of the Sasser virus spreads rapidly throughout the world -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 09 2004 - PandaLabs has detected the appearance of Sasser.E, a new variant of the Sasser worm virus which, according to data gathered by Panda Software's international technical support network, is affecting computers all over the world.

Common name: Sasser.E
Technical name: W32/Sasser.E.worm
Threat level: High
Type: Worm
Effects: It spreads and affects other computers.
Affected platforms: Windows 2003/XP/2000/NT/ME/98/95

The appearance of the Sasser.E worm comes just after the announcement of the arrest of the presumed creator of the virus. According to Luis Corrons, Head of PandaLabs, "This fact confirms our fears that he is not the only person programming the Sasser and Netsky worms, but rather it is an organized group of delinquents. This seems to indicate that there is a kind of cyber war being waged among the creators of the Bagle, Mydoom, Netsky and Sasser worms, and it will continue to cause many more variants of the virus."

The intention of these "underground" groups is still unknown. "However", adds Luis Corrons, "It's possible that they are trying to attract attention about viral codes while at the same time carry out other types of acts that will translate into personal economic gains, such as stealing bank data in order to commit fraud. The psychological profile could mean that they are looking for fame, but the risks they are taking clearly outweigh the fame they could attain since these acts undoubtedly lead to prison terms. But it is unquestionably the conduct of a competent megalomaniac."

Sasser.E is just the latest in a string of variants (A, B, C, D) which the epidemic has caused in just a few days. Just like the others, Sasser.E exploits a security gap in Microsoft Windows known as LSASS, published in the bulletin MS04-011.

Sasser.E searches the Internet for vulnerable computers to attack. Once that is done, it copies itself to the Windows directory under the file name LSASSS.EXE. The result is a system error which forces the infected computer to reboot every 60 seconds. In addition, and in contrast to its predecessors, Sasser.E has been programmed to erase variants of the Bagle worm from the system.

Due to the fast-spreading nature of the variants, companies and businesses should take preventive steps before the renewal of the workweek on Monday morning. In order to prevent the system from becoming a victim of Sasser.E or any of its variants, it is necessary to install the patch which Microsoft offers to correct the LSASS security flaw, which can be downloaded from http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx, update your antivirus protection and keep abreast of any new variants.

Panda Software has made the necessary updates to its products available to clients. Panda Software's online support center (http://www.pandasoftware.com/support/) also offers help to users.

Panda Software clients can update their antivirus through the applications installed on their computers. In addition, users can scan their computers online for free with the ActiveScan solution, available on the company web page http://www.pandasoftware.com

More information about these and other IT threats is available from
http://www.pandasoftware.com/virus_info/encyclopedia/
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=47232

NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL.

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member