New Virus Snarls Thousands of Computers
Because the new worm, dubbed "Sasser," does not require users to click on an e-mail attachment to activate, it spreads more rapidly than most viruses. It was discovered late Friday and spread as employees returned to work and booted their machines.
The worm caused some computers to continually crash and reboot, apparently the result of bad programming by the virus writer rather than intent, security experts said. Sasser does not cause any permanent damage to files or machines, they added.
Among victims were large companies in Germany, Britain and the United States that are clients of Network Associates Inc., said Vincent Gullotto, a vice president at the company's anti-virus research lab. He would not name the companies.
A large television network in Europe also was hit, two security sources said, speaking on condition of anonymity and refusing to elaborate.
Finland's third largest bank, Sampo, closed 120 of its offices for a few hours as a precaution Monday while technicians updated anti-virus programs. E-banking services and the bank's automated teller machines worked normally.
Keynote Systems Inc., which tracks Internet performance, reported no traffic degradation, but security experts say some users could experience slowdowns if machines running Web sites or key Internet gateways are infected.
Though Microsoft Corp. announced three weeks ago the flaw that Sasser exploits, it's a Windows function called Local Security Authority Subsystem Service, many computer owners had yet to apply the software fix the company had released.
Once Sasser infects a computer, it automatically scans the Internet for other computers with the flaw and sends a copy of itself there.
David Perry, director of public education with security vendor Trend Micro, said Sasser continues a trend in which virus writers take advantage of announced flaws more and more rapidly.
In the past, he said, it would take months or even years to widely exploit a vulnerability , not the weeks it took writers of Sasser.
Microsoft recommended that owners of Windows 2000 and XP computers install software patches by visiting http://windowsupdate.microsoft.com. Firewall and anti-virus programs that have the latest updates can also help contain or prevent infection. Sasser does not affect older versions of Windows.
The Web sites of anti-virus vendors have instructions for removing the worm from machines already infected.
Security experts said the Sasser worm was spreading rapidly, but it still was not as widespread as last summer's Blaster outbreak, which infected millions of computers.
They said network operators have gotten more diligent about properly applying the necessary security fixes, and many used the weekend to complete updates before employees arrived.
Some Internet service providers also were able to filter out traffic generated by the worm.
"It looks like many big companies learned the lesson already," said Mikael Albrecht, a product manager with F-Secure Corp. in Finland. "But there are companies, and even large corporations, that did not patch the system, and they have been hit pretty bad."
Stephen Toulouse, a security program manager at Microsoft, said four times as many computer owners downloaded the latest patches as they had for fixes before last fall. He said the company recorded more than 150 million successful downloads before the weekend's outbreak.
Toulouse said the company has been working with the Northwest Cybercrime Task Force to identify the culprit.