Sasser worm spreading quickly
(CNN) -- Computer security experts are dealing with at least four variants of a worm that is spreading quickly through Windows operating systems.
Known as SasserA, SasserB, SasserC and SasserD, the worm is targeting Windows 2000 and Windows XP. Other Windows systems, including Windows 95, 98 and ME, could be indirectly affected.
"It's pretty aggressive, and it's replicating very quickly," said Steven Sundermeier, a security expert at Central Command, a computer security company based in Medina, Ohio.
In a new, cunning twist by virus writers, an e-mail in wide circulation that purportedly offers a "fix" for the Sasser worm actually infects the user's computer with a different virulent worm, known as Netsky-AC.
"It really preys on paranoia about the Sasser worm," said Graham Cluley, senior technology consultant for the computer security firm Sophos.
"The very worst thing you can do is fall for this trick by clicking on the attached file," he said.
Cluley said there may be a connection between the creators of Sasser and Netsky. He said that hidden in the code of Netsky-AC is a sarcastic message directed toward antivirus companies, claiming responsibility for both.
The Sophos spokesman said the Taiwanese Post Office, the train system in Sydney, Australia, and several banks in Scandinavia have been infected by the Sasser worm.
While a computer virus requires some sort of human intervention to be launched, such as opening an e-mail, a worm takes off on its own. Sasser spreads through a vulnerability in a Windows component known as LSASS, or Local Security Authority Subsystem Service.
Sasser scans random internet protocol addresses until it finds a vulnerable system. Then it copies itself into the Windows directory as an executable file, and is launched the next time the computer is booted.
Microsoft issued a patch, or fix, for this vulnerability April 13. But in large corporate computer systems, these patches can have an impact on other internal systems. That means there's often much more to do than simply install the patch to both stop the worm and make sure other computer systems are not compromised.
Users could be affected without knowing it. One symptom is that the computer may restart every time the user tries to go online. As Sasser moves from machine to machine, it also becomes possible for a user's computer to be taken over remotely.
The FBI said Monday its agents are leading a task force trying to track down the origins of the worm.
The bureau provided no details, saying only that its field office in Seattle had worked throughout the weekend and Monday with Microsoft representatives and agents of the Secret Service, the Internal Revenue Service, the Washington State Police, and the Seattle Police.
Sasser has been spreading globally since it was detected Friday.
While many businesses are being affected, Sasser has also hit home users, especially those with broadband connections.
Cluley says a personal firewall should be installed by home broadband users. There are many available and some can be downloaded free from the Internet.
He also suggests automating both patches from the Windows Web site and updates from antivirus companies. With hundreds of new worms and viruses created each month, these automated programs for PCs can be effective, Cluley said.
Sundermeier said a recent trend by virus writers has been to release threats late on Fridays or on weekends, when computer network security teams are not fully staffed. He said the Netsky and Bagle worms also were launched on weekends.
Both Sundermeier and technical experts at Panda Software, based in Bilbao, Spain, said it is labor-intensive for technical teams to cleanse computers of the Sasser worm.
Unlike some types of security updates and service packs issued by Microsoft that can be applied to an entire network, many companies must correct this problem unit by unit. There is some nervousness about installing systemwide patches, for fear that they might impair something else on the network.
Sometimes the patches themselves are ineffective. In the past Microsoft has issued patches to fix patches, Cluley said.