Risk: Medium
European sysadmins returning to work after a long Bank Holiday weekend are in for a nasty surprise with the appearance of a fast-spreading Blaster-like Internet worm.
Sasser exploits a recently-announced serious Windows vulnerability - a buffer overrun in Windows' Local Security Authority Subsystem Service. The fix for this bug has caused wide spread issues, but has now become double-plus critical. So apply with caution.
Since its arrival, Sasser has spawned three new versions. None are spread by email. Each targets vulnerable Win 2000 and XP PCs.
When launched, the worm registers itself in the system registry and begins to aggressively scan IP addresses for PCs that have the vulnerability described in MS04-011. A vulnerable computer will accept commands to download and launch copies of the worm. Downloading is carried out by the FTP protocol. As with Blaster, infected systems will often become unstable, but it's the aggressive scanning behaviour associated with the worm that's causing the most problems.
Computer systems of Sampo, Finland's third largest bank, RailCorp in Australia and various other networks were hard hit by Sasser, resulting in operational problems.
Defensive measures involve the use of firewalls and applying patches from Microsoft. Anti-virus software will help with disinfecting systems -but once again this been found wanting in stopping the outbreak of a fast-spreading Internet worm.