Trend Micro warns of continued spread of "SASSER" worm family

WORM_SASSER exploits the Windows "Local Security Authority Subsystem Service" (LSASS) vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. To propagate, "SASSER" variants scan random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overrun on LSASS.EXE, which causes the program to crash, and essentially the infected system to crash, and requires Windows to reboot.
By using IP addresses, WORM_SASSER scans the global Internet for vulnerable systems and can search for vulnerable systems within entire network segments.  Infections grow exponentially - each infected system can potentially be used to search for other vulnerable systems. 

"More infections can lead to increased network traffic and result in severe network slowdowns, like an internal denial-of-service," said Joe Hartmann, senior virus researcher and analyst for Trend Micro, Inc.    

The LSASS vulnerability was first reported on April 13, 2004, and was first utilized by a variant of the AGOBOT worm (WORM_AGOBOT.JF), detected a mere 16 days later. Compared to the "Blaster" worm (August 2003) that took 26 days between vulnerability and outbreak, there is an ever-shortening time gap from vulnerability to exploitation. The "Blaster" worm also found victims through random IP addresses and exploited a known vulnerability.  WORM_ABGOBOT.JF propagated through networks by spreading through select SMB shares, which may explain why it did not spread extensively.
 
WORM_SASSER variants arrive as a 16KB attachment, and affect Windows 95, 98, ME, NT, 2000 and XP platforms. 

Trend Micro customers are protected through the latest pattern file, number 883. Customers of Outbreak Prevention Services should download OPP 112 to help protect against spread of this threat.  For customers of Damage Cleanup Services, Damage Cleanup template # 334 should be downloaded to help with automated restoration of affected systems. Users of Trend Micro Network VirusWall(tm) 1200 can detect this worm through pattern #10124 (or later). The associated vulnerabilities were also described in Vulnerability Assessment pattern # 010. 

Customers are recommended to apply the necessary vulnerability patches available from Microsoft to address the LSASS vulnerability.

For more information, please visit www.trendmicro.com.

# # #

About Trend Micro.
Trend Micro is a leader in network antivirus and Internet content security software and services. The Tokyo-based corporation has its European headquarters in Marlow, England, and business units worldwide. Trend Micro products are sold through corporate, value-added resellers and managed service providers. For additional information and evaluation copies of all Trend Micro products, visit: www.trendmicro-europe.com.

# # #

Trend Micro, the t-ball logo, and VirusWall are trademarks or registered trademarks of Trend Micro Incorporated. All other company or product names may be trademarks or registered trademarks of their owners. Information is accurate time it was written and is subject to change without notice.

For more information please contact:

Trend Micro Europe, Middle East, Africa
Anna Wright
Tel: +44 (0) 1628 400534
Email: anna_wright@trendmicro.co.uk

Lammers van Toorenburg Benelux PR
Anja Breunis / Annegees van Linge
Tel: +31 (0)30 6565 070
E-mail: anja@lvtpr.nl / annegees@lvtpr.nl