Sasser Worm: How to deal with it

 

• Microsoft is actively analyzing and providing guidance on a worm identified as the "W32.Sasser.worm," which is currently circulating on the Internet. The worm and its variants exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011 on April 13, 2004.

• Microsoft is developing additional tools and information, working closely with anti-virus partners and aiding law enforcement in its investigation of this criminal act. New information will be posted to http://www.microsoft.com/security as it becomes available.

• The worm attacks Windows 2000 and Windows XP. Other versions of Windows, including Windows Server 2003, are not impacted by "Sasser." Note that the underlying LSASS vulnerability does affect Windows Server 2003, so MS04-011 should be applied there as well.

• Best protection: Customers can protect against this worm by installing the security update described in Microsoft Security Bulletin MS04-011 immediately. The MS04-011 security bulletin is available at www.microsoft.com/technet/security/bulletin/ms04-011.mspx

• Firewalls protect: Customers who have enabled the Windows XP Firewall are protected from the vector this worm attacks, which is TCP port 445. The vulnerable LSASS service is also reachable over the NetBIOS session port, TCP 139, so both ports should be blocked from untrusted networks. Most third party firewalls block these ports by default.

• How to tell if you're infected: Customers who are infected with the W32.Sasser.worm may experience difficulty accessing the Internet. Infected customers may also receive an LSASS.exe error pop-up followed by a forced reboot (Windows restarts the machine when the LSASS process terminates). The same crash and reboot can occur on an unpatched machine that is merely being attacked, so this symptom alone does not prove infection.

• How to fix: Infected customers should follow the manual clean-up steps detailed at http://www.microsoft.com/security/incident/sasser.asp

• Customers who are still experiencing infection symptoms may be infected with a different threat and should update their anti-virus signatures. More information on other current threats is available at:

Network Associates: http://vil.nai.com/
Symantec: http://securityresponse.symantec.com
Trend Micro: http://www.trendmicro.com/

Customers who still experience infection symptoms after following the guidance or who need assistance with the manual clean-up steps should contact the Microsoft PC Safety Hotline at 1-866-PCSAFETY. International customers can receive support from their local subsidiaries through http://support.microsoft.com/international

• Microsoft is working with law enforcement to forensically analyze the malicious code and to identify the persons or entities responsible for this criminal attack -- to ensure that they are brought to justice and prosecuted to the fullest extent of the law.

• As always, Microsoft continues to recommend that all customers visit www.microsoft.com/protect to take the three key steps to protect their PCs. The three key steps are:

1. Use an Internet Firewall on all PCs and Laptops: An Internet firewall can help prevent outsiders from getting to your computer through the Internet. If you use Microsoft Windows® XP, enable the built-in firewall.

2. Update Your Computer: Windows includes the automatic updates feature (Windows Update) which can automatically download the latest Microsoft security updates. Windows 98 SE and Windows ME can be updated from windowsupdate.microsoft.com.

3. Use Up-to-Date Antivirus Software: Installing, configuring and maintaining antivirus protection is absolutely essential.
 
Frequently asked questions about Sasser

What does LSASS stand for?
Local Security Authority Subsystem Service

When was Microsoft made aware of Sasser?
Late Friday, April 30, 2004.

How do you know you’re infected?
If your computer is infected with the W32.Sasser.worm, you may see a dialog box with an LSASS.exe error. Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include systems rebooting every few minutes without user input.

Windows Server 2003 systems are not at risk from this Worm.

What does the worm do to the users system?
Our investigation is still ongoing; however the worm appears to infect a vulnerable system then immediately seeks to infect other systems. We are continuing our investigation to determine any further actions the worm may seek to take.

Is there a fix available?
Yes, install the security update from MS04-011.

Are there workarounds?
Yes, there are workarounds available, including implementing firewall best practices, standard default firewall configurations and the Protect Your PC (PYPC) guidelines. Additional information on workarounds can be located at the following URL:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
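The firewall workaround above (and the "Firewalls protect" bullet earlier on this page) only helps if the SMB ports really are unreachable from the network an attacker sits on. The script below is an added example, not Microsoft's tooling: run from another host on the LAN, it attempts a TCP handshake to ports 139 and 445 on a target and reports whether the LSASS attack surface is exposed from that vantage point. The target address, timeout and the "blocked"/"exposed" labels are this example's own choices; a port reported as not reachable is only blocked relative to the machine running the check.

```python
import socket
import sys
from contextlib import closing

# Ports over which the MS04-011 LSASS vulnerability is reachable.
# Sasser itself scans TCP 445; TCP 139 is the NetBIOS-session path
# to the same service, so a workaround must cover both.
SMB_PORTS = (139, 445)


def port_reachable(host, port, timeout=1.0):
    """Return True if a TCP handshake to host:port completes within timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except (socket.timeout, ConnectionRefusedError, OSError):
            # Refused, filtered (timeout) or unroutable all count as
            # "not reachable" from this vantage point.
            return False


def smb_exposure(host, ports=SMB_PORTS, timeout=1.0):
    """Map each port to whether it accepted a connection from this host."""
    return {port: port_reachable(host, port, timeout) for port in ports}


def assess(exposure):
    """Summarize an exposure map: 'blocked' if nothing answered,
    otherwise 'exposed:' followed by the open ports in ascending order."""
    open_ports = sorted(port for port, reachable in exposure.items() if reachable)
    if not open_ports:
        return "blocked"
    return "exposed:" + ",".join(str(port) for port in open_ports)


if __name__ == "__main__":
    # Usage: python smb_exposure.py <host>   (defaults to localhost)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = smb_exposure(target)
    for port, reachable in result.items():
        state = "reachable" if reachable else "not reachable"
        print(f"{target}:{port} {state}")
    print(assess(result))
```

Run it against an unpatched Windows 2000 or XP machine from a second host on the same segment: "exposed:445" (or "exposed:139,445") means the worm's scan would reach LSASS and the machine needs the MS04-011 update or a firewall rule before it is placed on the network; "blocked" means the workaround is effective at least from that network position.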

Are there side effects of the workaround?
Side effects of the workaround can be found at the following URL:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx