Sasser worm rips through Internet
Home users on alert
From Marsha Walton
(CNN) -- The fast-spreading computer worm Sasser has wreaked more havoc on computer users worldwide, affecting several businesses, banks and government offices, including Britain's Coastguard.
Users of the Windows operating systems reported sluggish machines and computers that quit or rebooted for no reason.
Anti-virus companies estimate more than 1 million PCs have been infected.
First identified over the weekend, the malicious worm now has at least four variants. Just as a virus that affects humans can mutate and confound medical experts, each version of Sasser -- labeled A, B, C, and D -- poses slightly different challenges for information technology experts.
"Sasser is a successful and widely propagating worm with a somewhat benign impact to the end user," said Chris Rouland of Internet Security Systems. "But people should absolutely remove it."
In Europe, the computer security company Sophos reported the worm hit all 19 of Britain's Coastguard control centers. The computers shut down and officers had to work with old-fashioned pen and paper.
"Radio and other forms of communication from ships at sea remain unaffected," Peter Dymond, head of Search and Rescue, said in a statement on the Coastguard's Web site.
"We remain confident that by telephone and other forms of communication we can ensure that no rescue or incident will be affected," Dymond said.
Corporations, government offices, banks and transit systems felt the impact in North America, Europe, Asia and Australia.
According to the Microsoft Web site, the operating systems affected include Windows XP, Windows XP Service Pack 1, Windows 2000 SP2, Windows 2000 SP3 and Windows 2000 SP4.
Sasser does not have a malicious payload, meaning it does not destroy or alter information within a computer. Its main irritant is that it causes significant performance degradation by dramatically slowing even the simplest of computer chores.
That's due in part to how a worm operates.
While a computer virus requires some sort of human intervention to be launched, such as opening an e-mail, a worm takes off on its own. Sasser spreads through a vulnerability in a Windows component known as LSASS, or Local Security Authority Subsystem Service. (Hence the name Sasser.)
Sasser scans random Internet protocol addresses until it finds a vulnerable system. Then it copies itself into the Windows directory as an executable file, and is launched the next time the computer is booted. All that searching for a new "victim" slows things down across the Internet.
Many Windows users complained of their machines continually crashing and being forced to reboot. That, computer experts agree, is because the code for this worm is written very poorly.
Microsoft issued a patch, or fix, for this vulnerability last week. But in large corporate computer systems, these patches can have an impact on other internal systems. That means there's often much more to do than simply install the patch to both stop the worm and make sure other computer systems are not compromised.
In a cunning twist by the virus writers, an e-mail in wide circulation that purportedly offers a "fix" for the Sasser worm actually infects the user's computer with a different virulent worm, known as Netsky-AC.
"It really preys on paranoia about the Sasser worm," said Graham Cluley, senior technology consultant for Sophos.
"The very worst thing you can do is fall for this trick by clicking on the attached file," he said.
Cluley said there may be a connection between the creators of Sasser and Netsky. He says hidden in the code of Netsky-AC is a sarcastic message directed toward anti-virus companies, claiming responsibility for both.
As Sasser moves from machine to machine, it is also possible for it to create a "back door," leaving open the possibility of someone later remotely taking control of a user's computer.
The FBI said Monday its agents are leading a task force trying to track down the origins of the worm. The bureau provided no details, saying only that its field office in Seattle had worked throughout the weekend and Monday with Microsoft representatives and agents of the Secret Service, the Internal Revenue Service, the Washington State Police, and the Seattle Police.
While many businesses are being affected, Sasser has also hit home users, especially those with broadband connections.
Cluley says a personal firewall should be installed by home broadband users. There are many available, and some can be downloaded free from the Internet.
He also suggests automating both patches from the Windows Web site and updates from anti-virus companies. With hundreds of new worms and viruses created each month, these automated programs for PCs can be effective, Cluley said.
Unlike some types of security updates and service packs issued by Microsoft that can be applied to an entire network, many companies must correct this problem unit by unit. There is some nervousness about installing system-wide patches, for fear that they might impair something else on the network.
Sometimes the patches themselves are ineffective. In the past, Microsoft has issued patches to fix patches, Cluley said.