Author leaves warning in latest Sasser worm

Antivirus companies discovered a fifth version of the Sasser variant this weekend, within hours of German police arresting an 18-year-old man who confessed to being the Sasser worm's author.

Antivirus companies discovered a fifth version of the Sasser variant this weekend, within hours of German police arresting an 18-year-old man who confessed to being the Sasser worm's author.

The latest variant, Sasser.E, was released a week ago, according to Microsoft. It attempts to warn people whose computers are vulnerable that their systems have not been patched for a widespread Microsoft Windows vulnerability exploited by the program.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

"It appears that whoever released it is trying to notify people that their systems are vulnerable," said Oliver Friedrichs, a senior manager in Symantec's security response center. The security company first captured a copy of the worm at 1 a.m. on Sunday, but Friedrichs said the spread of the infection is moving slow enough to indicate that the worm could have been released earlier in the week.

German authorities arrested an 18-year-old resident of Waffensen, a small town in the Lower Saxony region of Germany, late on Friday, according to Microsoft, which tipped off authorities after informants came forward with details about the suspected Sasser author. German law enforcement forces believe that the suspect also coded all 28 versions of the mass-mailing computer virus NetSky.

While antivirus experts are not positive whether Sasser.E started spreading before or after the arrest, Microsoft believes that the fifth version of the worm was released four days before the teenager was arrested, according to a representative of the software giant.

"Microsoft's technical analysis of this variant indicates that the E variant was released on Monday, four days prior to the suspect being taken into custody," the representative said.

Antivirus experts do not expect this latest version of Sasser to spread as fast as previous variants. Sasser.E is currently rated a low security threat by antivirus firm Network Associates and rates a "2" on rival Symantec's five-point scale. It is believed to have infected fewer than 100,000 computer systems since its discovery on Saturday night, said Jimmy Kuo, a research fellow with antivirus software maker NAI.

Earlier versions of Sasser received a medium threat rating, with some estimates putting the level of attacks at 500,000 computer systems in the first several days.

Kuo said that additional laws may be necessary to dissuade virus writers from releasing their programs onto the Internet.

"We would hope that there could be laws that would prohibit the posting of malicious code," Kuo said. "Sasser was partially written by some malicious code that was downloaded by the Internet."

This latest version of Sasser attempts to disable Bagle variants by removing the registry keys created by the competing worm. Previous versions of Sasser did not contain this feature.

The Sasser.E code includes this warning to victims of the worm:

1. Your computer is affected by the MS04-011 vulnerability
2. It can be that dangerous computer viruses similar the Blaster worm infect your computer
3. Please update your computer with the MS04-011 LSASS patch from the website
4. This is an message from the SkyNet Team for malicious activity prevention

Sasser.E also creates a remote shell on TCP--Transmission Control Protocol--port 1022, rather than 9995. And it also uses file transfer protocol on TCP port 1023, rather than 5554.

CNET Reviews
Sasser prevention and cure
How to guard systems
against the worm.
Also: Sasser prevention and cure.

One antivirus company, Panda Software, suggested the timing of the attack may indicate an "organized group of delinquents" is creating Sasser, since the company's detection of the latest infection came after the arrest of the 18-year-old in Germany.

"This new variant has not gone as far afield in spreading," said Fernando de la Cuadra, an international technical editor for Panda Software. He suggested that the slow rate of infection is largely a result of the patches users have installed since Sasser was first detected in late April.