At least two new versions of malicious computer worm Sasser are circulating on the Internet, according to computer security experts and anti-virus companies.
New variations of the worm, named Sasser.B and Sasser.C were identified by anti-virus companies just days after the first version appeared. Despite the new versions, anti-virus experts said that Sasser outbreak has likely peaked, and expected the rate of new infections to slow.
Sasser exploits a recently disclosed hole in a component of Windows called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on 13 April.
Sasser is similar to an earlier worm, Blaster, in that users do not need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the Internet with communications port number 445 is enough to catch Sasser.
After appearing Friday, the worm spread quickly around the world, and may have infected a few hundred thousand machines, said Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center, which monitors malicious activity on the Internet.
Given the large number of vulnerable computers that have been infected by Sasser, a Windows machine connected to the Internet could be infected in as little as two minutes, said Graham Cluley, senior technology consultant at antivirus company Sophos PLC.
Early versions of the worm spread slowly, however, especially compared to the rapid proliferation of Blaster, which appeared in August 2003 and peaked just hours after its release, Cluley and Ullrich said.
By comparison, Sasser.A contained features that prevented it from rapidly scanning the Internet for other vulnerable hosts and at first appeared to be a low-level threat. However, new versions of the worm that appeared over the weekend, especially Sasser.C, improved on failures in Sasser.A, allowing infected machines to scan for many more infected hosts, Ullrich said.
Sasser's spread was also slowed because it relied on port 445, which has long been a target of malicious threats, such as Agobot, a prolific Trojan program. As a result, many companies blocked access to port 445 long before Sasser appeared, Joe Stewart, senior security researcher at LURHQ, a managed security services provider in Myrtle Beach, South Carolina.
Many of the infected machines are probably home computers connected to the Internet with broadband connections and already infected with other viruses, including a malicious program called "Phatbot" that has been modified to take advantage of the LSASS vulnerability, also, Ullrich said. However, more Sasser versions appear to be on the way that could use different communications ports to spread, Ullrich said.
On Monday, Sophos identified yet another variant, Sasser.D, Cluley said. The Internet Storm Center set its Internet alert or "Infocon" level to "yellow" over the weekend, indicating a "significant new threat". The alert level was expected to stay at "yellow" Monday, when more infections were likely as workers returned to the office.
However, he expects the alert level to return to green, as users repair infected systems. Like other viruses, including Blaster, Sasser will linger on the Internet for a long time, Cluley said. "We're still finding people who are infected with Blaster. Many people won't even know they're infected with Sasser for months, and those infected machines will continue to try to infect other (machines) in the weeks and months ahead," he said.