
View Full Version : 'Sasser' worm may be picking up steam



usmc4669
05-04-04, 02:58 PM
Have you been hit with this worm yet?

Some may be infected as soon as they log on to Net.


By Bob Sullivan
Technology correspondent
MSNBC
Updated: 1:03 p.m. ET May 04, 2004
The “Sasser” worm continued to wreak computer havoc Tuesday, and there were some indications that it has actually picked up steam. Experts are concerned that many home consumers are becoming infected almost as quickly as they log on to the Internet.


Network Associates Inc., which on Monday was downplaying the spread of the worm, now says the rate of infections is still increasing. More than 65,000 of their customers have been hit with the worm, a spokeswoman said. Also, at least 10 of the Fortune 500 U.S. companies have been hit with the worm.


Investment firm Goldman Sachs said some of its systems in Hong Kong were disrupted by the worm. Finnish bank Sampo temporarily closed all of its branch offices, some 130 in all, on Monday as a precaution against Sasser. In Australia, Westpac Bank said it was hit by the worm, and branches had to use pen and paper to allow them to keep trading, The Australian newspaper reported. And the BBC reported that the European Commission and the UK Coast Guard had been hit.


Sasser is unlike most worms consumers are familiar with -- it's easy to become infected, simply by connecting to the Internet. No e-mail attachment must be opened; in fact, no user interaction is required at all. And making matters worse, traditional consumer desktop antivirus software won't prevent infection, even if it's updated.


"This one is a real pain in the butt," said Patrick Hinojosa, chief technology officer at antivirus firm Panda Software.


There are actually four versions of the worm making their way around the Internet now, most released during the weekend. Only installation of a Microsoft software patch, or a well-designed firewall, can prevent infection. That's why more home users than corporate users were infected by this worm, said Vincent Gullotto, antivirus expert at Network Associates Inc. -- they are less likely to keep up with software patches or firewalls.


"It's safe to say at this point this hit harder on end users," he said.


It's still unclear how many computers have been infected. The techniques for estimating e-mail viruses don't work for guessing the impact of Sasser, and estimates ranged from 100,000 computers to several million PCs worldwide. Some antivirus firms rated it a medium risk; others a high risk.


Depending on a number of factors, infections can occur quickly -- in some cases, only a minute or two after a user has connected to the Internet. Users who haven't updated their systems might not have time to download the Microsoft patch before they become infected, said Alfred Huger, virus expert at Symantec Corp.


And that's one reason the worm continues to spread so quickly, experts said.


HOW-TO: Protect yourself against 'Sasser' worm

Concerned your computer is infected? Try these steps:

• Block: Enable a firewall to prevent infection or reinfection. The firewall will block Sasser from reaching your computer. It's best to do this before connecting to the Internet. To turn on the Windows XP firewall, follow the instructions on Microsoft's Web site at http://www.microsoft.com/security/protect/windowsxp/firewall.asp. Enabling the firewall may prevent other software, such as Internet-based gaming, from working correctly. If so, refer to Microsoft's additional instructions.

• Check: Download a free "cleaner" program from an antivirus vendor. The program should remove the virus and repair any damage it might have caused. You can also download the program on a friend's computer to a floppy disk, then run it on your computer before connecting to the Internet. Such free programs can be downloaded from McAfee (link: http://vil.nai.com/vil/stinger/), Symantec (link: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html), or several other vendors.

• Protect: Your computer can still become reinfected unless the appropriate patch is installed. Get the right patch for your PC at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx. Microsoft recommends a free scan of your PC for any other unpatched vulnerabilities, which is available here: http://specials.msn.com/msn/security.asp?GT1=3391.



XP and Windows 2000 vulnerable
Only computers running Microsoft's Windows XP and Windows 2000 can be infected; the worm exploits a vulnerability in those systems that was revealed last month. As part of a new class of computer viruses called "network worms," the malicious program is similar to last year's Slammer and Blaster worms. Microsoft said Blaster cost it “millions of dollars of damages,” and has issued a $250,000 bounty for information on the whereabouts of its author. (MSNBC is a Microsoft - NBC joint venture.)

Blaster and Slammer also hung around the Internet for months, infecting and reinfecting unpatched machines for months, even after the initial outbreak died down. Sasser may continue to cause such "background noise" for a while, experts said. But while Sasser spread quickly, the initial outbreak failed to reach the level of either of the worms that hit last summer, said Pete Allor, director of Internet Security Systems' X-Force Threat Intelligence division.




Because the worm generates plenty of stray Internet traffic, and in some cases causes machines to shut down, it's hard to quantify the impact of the worm currently, Huger said.

What consumers can do
Spread of the worm can be contained by firewalls that block certain kinds of traffic headed for computers. Corporations that do so will be protected, Huger said, and some Internet service providers will be able to protect consumers by shutting down traffic. But others simply can't afford to do so, Huger said.

The safest way for home users to protect themselves is to enable their firewalls before they connect to the Internet -- or if they are already connected, to disconnect immediately, and enable the firewall. Both vulnerable Microsoft operating systems, Windows XP and Windows 2000, come with software that can block the worm's traffic, but they are not turned on by default. Windows XP ships with a firewall, while Windows 2000 includes similar tools. Once traffic to port 445 is blocked -- that's the worm's route into the computer -- users can reconnect to the Net and download the patch. As there are variations in the way the firewalls work, Huger recommended users consult their manuals to enable the firewall.

Users who are infected likely won't realize it, Gullotto said. Their machines might slow down some, or they might notice extra traffic on their modems, but generally the virus doesn't announce itself -- except on those occasions when it forces a machine to shut down. If that happens, users will see a dialog box indicating the program LSASS.EXE has been terminated.

Since the virus doesn't do anything else malicious to infected machines -- it doesn't delete files, for example -- users can take the risk of heading straight for the Microsoft patch when they log on, Gullotto said. They may become infected while downloading the patch, and during that time, they will become a "host" and spread the virus. But installation of the patch, followed by a scan with an updated antivirus product, will serve to clean an infected system. Still, enabling the firewall before attempting to get the patch is a much better plan, he said.

Sasser is among the first viruses that can infect consumers so quickly and easily, and without as much as interaction with a malicious e-mail, Huger said.

"These things are getting worse," he said.

Reuters contributed to this story.
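
The article notes that port 445 is the worm's route in and that an infected machine becomes a "host" that spreads it. As an added example (not part of the original post or article), the sketch below flags machines on a local network that contact many distinct addresses on TCP 445, which is how a spreading host shows up in firewall logs. The log format, the sample lines, and the threshold of five targets are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample log (not real traffic). Assumed format:
# timestamp action protocol source_ip destination_ip destination_port
SAMPLE_LOG = "\n".join(
    # One host probing eight different addresses on port 445
    [f"2004-05-04T13:00:{i:02d} DROP TCP 192.168.1.20 198.51.100.{i} 445"
     for i in range(1, 9)]
    # Ordinary file sharing: one host, one file server, repeated
    + ["2004-05-04T13:01:00 ALLOW TCP 192.168.1.30 192.168.1.2 445"] * 3
    # Unrelated web traffic and a malformed line
    + ["2004-05-04T13:02:00 ALLOW TCP 192.168.1.30 203.0.113.7 80",
       "garbage line"]
)


def parse_line(line):
    """Return a record dict, or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 6 or not parts[5].isdigit():
        return None
    ts, action, proto, src, dst, port = parts
    return {"ts": ts, "action": action, "proto": proto,
            "src": src, "dst": dst, "port": int(port)}


def suspected_spreaders(log_text, port=445, min_targets=5):
    """Map each source IP to its count of distinct destinations on
    `port`, keeping only sources at or above `min_targets`."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["port"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, count in suspected_spreaders(SAMPLE_LOG).items():
        print(f"{src} contacted {count} distinct hosts on TCP 445")
```

Counting distinct destinations rather than total connections keeps a machine that talks repeatedly to a single file server from being flagged.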