Despite arrest, new variant of Sasser worm appears

IDG News Service - Despite the arrest Friday of the suspected author of the Sasser worm that affected millions of computers worldwide last week (see story), a new variant of the worm appeared yesterday, according to computer security organizations.
This development shows that there is an "organized group of delinquents" engaged in creating and distributing these worms, security specialist Panda Software SL's PandaLabs unit said in a statement.
The Sasser.E worm exploits the same Microsoft Corp. Windows LSASS vulnerability targeted by its predecessors and has already infected millions of computers, according to PandaLabs. The situation is likely to get worse when company staffs return to work after the weekend.
Sasser.E searches the Internet for vulnerable computers and then copies itself to the Windows directory, leading to a systems error that forces the infected computer to reboot every 60 seconds.
Security company McAfee Inc. rated the worm as a low risk but noted that it attempts to confuse people trying to remove it by adopting the file name lsasss.exe, which is very similar to a genuine file name present on most systems.
The same patch that protected against earlier versions of Sasser are also effective against Sasser.E, security experts said.
The Sasser.E worm also tries to remove any instances of the Bagle worm from users' computers, suggesting that there is some rivalry between the virus-writing gangs, according to PandaLabs.
"This seems to indicate that there is a kind of cyberwar being waged among the creators of the Bagle, Mydoom, Netsky and Sasser worms, and it will continue to cause many more variants of the virus," PandaLabs said.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.