Media releases are provided as is by companies and have not been edited or checked for accuracy. Any queries should be directed to the company itself.

THREAT ADVISORY: McAfee AVERT Raises Risk Assessment to Medium on Newly Discovered W32/SASSER.WORM.D

  • 05 May, 2004 08:28

<p>As of midnight Australian Eastern Standard Time, McAfee reported that the original Sasser worm had declined significantly and that they were seeing the highest percentage of infections coming from the Sasser.c variant.</p>
<p> retail numbers are showing that there are 62,000 infected customer machines of Sasser, compared with 10,000 of blaster. This demonstrates that we are seeing an increase of 600% with the Sasser worms. McAfee AVERT believes that total number of infected machines for all the Sasser variants combined to range from 300,000 to up to one million.</p>
<p>McAfee have placed the risk assessment on high for the newly discovered W32/SASSER.WORM.D, please see release below.</p>
<p>For further information or to arrange an interview, please contact:</p>
<p>Natalie Connor</p>
<p>Tel: +61 (0)2 9956 5733</p>
<p>Mobile: +61 (0)417 259 054</p>
<p>McAfee AVERT Receives More than 1000 Customer Reports of the Virus In-the-Wild</p>
<p>SYDNEY, May 5, 2004 – Network Associates, the leading provider of intrusion prevention solutions, today announced that McAfee AVERT (Anti-virus and Vulnerability Emergency Response Team), the world-class research division of Network Associates, has raised the risk assessment to medium for W32/Sasser.worm.d, also known as Sasser.d. Sasser.d is the fourth self-executing variant in the Sasser family to attack the MS04-011 vulnerability announced by Microsoft in April. McAfee AVERT has raised the risk assessment to medium due to its prevalence in the field and its ability to move without the support of email, which has been the primary vehicle of delivery for most of the recent worms prior to the Sasser family. This new worm is a self-executable program that spreads by scanning random IP addresses for exploitable systems. To date, McAfee AVERT has received several reports of the worm being stopped or infecting users on several continents, with most of the reports coming from the United States and Europe.</p>
<p>Sasser.d is a self-executing worm that spreads by exploiting the Microsoft MS04-011 vulnerability The primary purpose of the worm is to spread to as many vulnerable machines as possible by exploiting un-patched Windows systems, giving it the ability to execute without requiring any action on the part of the user. Once activated, the worm copies itself to a folder in the Windows System directory and adds a registry run key to load at system start-up. Sasser.d has many similarities to the previous Sasser variants, yet Sasser.d spreads with a different filename, sends ICMP echo packets as a way to discover its potential victims and creates a remote shell on TCP Port 9995.</p>
<p>After being executed, Sasser.d scans random IP addresses on TCP port 445 for exploitable systems. When one is found, the worm exploits the vulnerable system by creating a script and executing it. This script instructs the target victim to download and execute the worm from the infected host. As the worm scans random IP addresses, it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554 and creates a remote shell on TCP port 9995.</p>
<p>Immediate information and cure for this worm can be found online at the Network Associates McAfee AVERT site located at McAfee AVERT is advising its customers to update to the 4357 DATs to stay protected.</p>
<p>McAfee AVERT Labs is one of the top-ranked anti-virus and vulnerability research organizations in the world, employing researchers in offices on five continents. McAfee AVERT protects customers by developing and providing solutions that are created through the combined efforts of McAfee AVERT researchers and McAfee AVERT AutoImmune technology, which applies advanced heuristics, generic detection and ActiveDAT technology to generate cures for previously undiscovered viruses.</p>
<p>About Network Associates</p>
<p>With headquarters in Santa Clara, California, Network Associates, Inc. (NYSE: NET) creates best-of-breed computer security solutions that prevent intrusions on networks and protect computer systems from the next generation of blended attacks and threats. Offering two families of products, McAfee System Protection Solutions, securing desktops and servers, and McAfee Network Protection Solutions, ensuring the protection and performance of the corporate network, Network Associates offers computer security to large enterprises, governments, small and medium sized businesses, and consumers. For more information, Network Associates can be reached on the
Internet at</p>
<p># # #</p>
<p>NOTE: Network Associates, McAfee and AVERT are either registered trademarks or trademarks of Network Associates, Inc. and/or its affiliates in the United States and/or other countries. All other registered and unregistered trademarks herein are the sole property of their respective owners. Ó2004 Networks Associates Technology, Inc. All Rights Reserved.</p>

Most Popular