posted on May 5, 2004 05:32:54 PM new
I've never had an alert email from my service provider before today and they recomended it so I figured if they said to do it - it was serious.
" Several critical vulnerabilities have been identified in Microsoft's operating system software that could allow an attacker to gain remote access to users' computers. To help protect against such attacks, Microsoft has developed a patch and made it available.
Please Note: Macintosh Computers are not affected by this vulnerability."
and if we have users over here that haven't cleared their cache since 2002/2003...who knows when's the last time they've updated their microsoft patches?
I thought I was on automatic update and I had 6 security patches to download!
posted on May 5, 2004 05:48:30 PM new
Tom...The Sasser worm is non destructive. It only shuts down your machine. It actually gives ya a chance to go grab another beer while it's re-booting. They otta rename it the Intermission worm. I have WIN98, so I get to sit on the sidelines and watch this one.
A $75.00 solid state device will always blow first to protect a 25 cent fuse ~ Murphy's Law
posted on May 5, 2004 11:59:03 PM new
Click "Start" then choose "Help & Support".
In that box you will see a link labeled "Keep Your computer up to date with Windows Update."
____________________
We are not afraid to entrust the American people with unpleasant facts, foreign ideas, alien philosophies, and competitive values. For a nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people. -- John F. Kennedy
Authorities step up hunt for worm's creator By Bob Sullivan
Technology correspondent MSNBC
Updated: 2:12 p.m. ET May 05, 2004
As the Sasser worm outbreak began to subside on Wednesday, federal authorities stepped up their hunt for the malicious program's author.
"We are working with law enforcement to identify and prosecute whoever's responsible," said Stephen Toulouse, a spokesman for Microsoft Corp. The company's Windows XP and Windows 2000 operating systems were targeted by the worm, which infected hundreds of thousands of computers worldwide earlier this week. (MSNBC is a Microsoft - NBC joint venture.)
"We are pursuing a number of good leads," said Greg Fowler, a spokesman for the Northwest Cyber Crime Task Force, made up of agents from the FBI, U.S. Secret Service, and Seattle are enforcement. "It is a high priority for us."
Neither Toulouse nor Fowler would speculate on suspects, or when any arrests might be made. They also declined to discuss the possibility that the worm was written by the same programmer or group that authored the various Netsky viruses which have been infecting computers for months. Computer code within the newest Netsky variant suggests the authors also claim responsibility for Sasser, according to published reports.
Meanwhile, infections from Sasser are rapidly declining, according to antivirus firm Network Associates Inc. The worm seems to have reached its peak Tuesday, and by Wednesday, infections were down 50 percent, the company said. It now estimates a total of 250,000 computers were infected worldwide -- about 80 percent of them home users.
The software patch needed to protect Windows-based computers from the worm is being downloaded at a furious pace -- 200 million times since its release last month, Toulouse said. Still, millions of consumers have yet to download the patch, antivirus firms said -- and without it, their computers likely aren't protected from the worm, and will almost certainly become infected.
"If you haven't patched, it's going to find you. It's just a matter of of time," said Sharon Ruckman, Senior Director of Security Response at Symantec Corp.
Enable a firewall to prevent infection or reinfection. The firewall will block Sasser from reaching your computer. It's best to do this before connecting to the Internet. To turn on the WindowsXP firewall, follow the instructions on Microsoft's Web site at http://www.microsoft.com/security/protect/windowsxp/firewall.asp. Enabling the firewall may prevent other software, such as Internet-based gaming, from working correctly. If so, refer to Microsoft's additional instructions.
Download a free "cleaner" program from an antivirus vendor. The program should remove the virus and repair any damage it might have caused. You can also download the program on a friend's computer to a floppy disk, then run it on your computer before connecting to the Internet. Such free programs can be downloaded from McAfee (link: http://vil.nai.com/vil/stinger/), Symantec (link http://securityresponse.symantec.com/avcenter/venc/data/
w32.sasser.removal.tool.html), or several other vendors.
Your computer can still become reinfected unless the appropriate patch is installed. Get the right patch for your PC at http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.
Some indicators show the virus actually impacting the overall performance of the Internet as well. Keynote Systems Inc., which monitors Internet performance, said there was a noticeable downgrade in performance of Internet routers on Tuesday. It wasn't enough to slow down Web page browsers, said Kirsten Husak, consulting manager with Keynote, but it might interfere with streaming video or voice over IP traffic.
The worm's impact early this week was global. In Australia, Westpac Bank said it was hit by the worm, and branches had to use pen and paper to allow them to keep trading, according to Australian newspaper reports. Australia's Daily Telegraph reported that 300,000 train passengers were stranded for a while on Monday, while technicians dealt with a worm infestation that shut down the railway's radio network. Only about 20 percent of trains were running, and many stations were closed temporarily, the newspaper said.
Investment firm Goldman Sachs said some of its systems in Hong Kong were disrupted by the worm. Finnish bank Sampo temporarily closed all of its branch offices, some 130 in all, on Monday as a precaution against Sasser. Some post offices in Taiwan and Germany were shut down by Sasser. And the BBC reported that the European Commission and the UK Coast Guard had been hit.
Unlike other worms
Sasser is unlike most worms consumers are familiar with -- it's easy to become infected, simply by connecting the Internet. No e-mail attachment must be opened; in fact, no user interaction is required at all. And making matters worse, traditional consumer desktop antivirus software won't prevent infection, even if it's updated.
There are actually four versions of the worm making their way around the Internet now, most released over the weekend. Only installation of the software patch, or a well-designed firewall, can prevent infection. That's why more home users than corporate users were infected by this worm, said Vincent Gullotto, antivirus expert at Network Associates Inc. -- they are less likely to keep up with software patches or firewalls.
Only computers running Microsoft's Windows XP and Windows 2000 can be infected; the worm exploits a vulnerability in those systems that was revealed last month.
As part of a new class of computer viruses called "network worms," the malicious program is similar to last year's Slammer and Blaster worms. Microsoft said Blaster cost it “millions of dollars of damages,” and has issued a $250,000 bounty for information on the whereabouts of its author.
Blaster and Slammer also hung around the Internet for months, infecting and reinfecting unpatched machines for months, even after the initial outbreak died down. Sasser may continue to cause such "background noise" for a while, experts said.
Worm doesn't delete files
The safest way for home users to protect themselves is to enable their firewalls before they connect to the Internet -- or if they are already connected, to disconnect immediately, and enable the firewall. Both vulnerable Microsoft operating systems, Windows XP and Windows 2000, come with software that can block the worm's traffic, but they are not turned on by default. WindowsXP ships with a firewall, while Windows 2000 includes similar tools. Once traffic to port 445 is blocked -- that's the worm's route into the computer -- users can reconnect to the Net and download the patch. As there are variations in the way the firewalls work, Huger recommended users consult their manuals to enable the firewall.
Users who are infected may not won't realize it, Gullotto said. Their machines might slow down some, or they might notice extra traffic on their modems, but generally the virus doesn't announce itself -- except on those occasions when it forces a machine to shut down. If that happens, users will see a dialog box indicating the program LSASS.EXE has been terminated.
The worm gets its name from the vulnerable LSASS program which it's designed to attack.
Since the virus doesn't do anything else malicious to infected machines -- it doesn't delete files, for example -- users can take the risk of heading straight for the Microsoft patch when they log on, Gullotto said. They may become infected while downloading the patch, and during that time, they will become a "host" and spread the virus. But installation of the patch, followed by a scan with an updated antivirus product, will serve to clean an infected system. Still, enabling the firewall before attempting to get the patch is a much better plan, he said.
