From; PandaLabs in the hunt for the authors of the Sasser worms - Virus Alerts, by Panda Software (http://www.pandasoftware.com) Madrid, May 06 2004 - While the Sasser worms continue looking for new victims to infect, the hunt for their creators has started. By applying proprietary forensic IT techniques to the code of these worms, PandaLabs will look for clues that could lead to the arrest of their authors. "Letting viruses loose is a crime that should be investigated. The authors of Sasser must also be treated as particularly dangerous criminals, as evidence suggests that they also created the Netsky worms, and who knows how many other viruses," says Luis Corrons head of PandaLabs. The clues to the authors of computers viruses are hidden in the source code, lines of special characters that to the untrained eye don't make any sense, but that can disclose a lot of information to the experts at PandaLabs. "Virus authors usually have delusions of grandeur and therefore don't miss any opportunity to leave their mark in the viruses they create. However, this is often their undoing: it can be a date, the name of a city, a reference to a friend or girlfriend, etc., the slightest clue could be the key to detaining the author of the virus," explains Corrons. However, until these delinquents are caught, users should continue to keep their guard up against the highly probable appearance of new viruses. Considering how the previous attacks were carried out, it is likely that the authors of the Sasser and Netsky worms are putting the final touches to an extremely dangerous malicious code that -as they have done up until now- they will unleash at the weekend. More companies and institutions are reporting that they have felt the effects of Sasser in one way or another. These include Heathrow airport in London, where one of the terminals was brought to a standstill, some governmental departments in Hong Kong, as well as the Suntrust Bank and American Express in the USA. To mitigate the effects of the Sasser epidemic, Panda Software has made its PQRemove tools available to users. These applications not only disinfect computers but also restore system configurations altered by the worm. One of the PQREMOVE tools is specifically designed for networks, and removes Sasser and all its variants from any network that could have been affected. You can download at: http://www.pandasoftware.com/support/ The other PQREMOVE applications can disinfect any computer attacked by any of the variants of the Sasser worms. You can download at: http://www.pandasoftware.com/download/utilities/ User can detect and disinfect the new worm with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser doesn't re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011 (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx), along with the patch. Panda Software has made the updates necessary to its products available to clients. Panda Software's online support center (http://www.pandasoftware.com/support/) also offers help to users. Panda Software clients can update their antivirus through the applications installed on their computers. In addition, the users can scan their computers on line for free with the ActiveScan solution, available in the company web page http://www.pandasoftware.com More information about these and other IT threats is available from http://www.pandasoftware.com/virus_info/encyclopedia/ NOTE: The addresses above may not show up on your screen as single lines. This would prevent you from using the links to access the web pages. If this happens, just use the 'cut' and 'paste' options to join the pieces of the URL. *********** MIKE"S REPLY SEPARATOR *********** Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see a sample on my web page http://www3.telus.net/mikebike <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> http://www3.telus.net/mikebike/worm_removal.htm See my Anti-Virus pages http://virusinfo.hackfix.org/index <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance and OWTA Charter Member