Almost 1.5 million Windows customers downloaded a clean-up tool for the Sasser Internet worm in the first two days after Microsoft began offering the tool, according to Microsoft.
The number of downloads is an indication of the number of Windows computers infected with Sasser and it is bigger than most estimates from computer security companies. Still, the total number of infected Windows systems could be even higher, especially when infections on computer networks were taken into account, a Microsoft spokesperson said.
Sasser appeared on Friday and exploits a recently disclosed hole in a component of Windows called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13 that plugs the LSASS hole.
Sasser had spawned at least four variants, labeled A, B, C and D, as of Tuesday. The worm is similar to an earlier worm, Blaster, because users do not need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the Internet via communications port number 445 is enough to catch Sasser.
After appearing, the worm spread quickly around the world. Early estimates by the SANS Institute's Internet Storm Center (ISC) put the total number of infected systems in the "hundreds of thousands," based on reports to ISC, said Johannes Ullrich, chief technology officer at the ISC, which monitors malicious activity on the Internet.
Different figures for the number of infections emerged in the days that followed, most of them extrapolated from snapshots of the Internet. Those included statistics gathered by managed security services companies from intrusion detection sensors running on customer networks, as well as tallies of the unique Internet addresses that exhibit worm-like behavior, such as scanning for vulnerable host systems on a particular communications port.
Published reports cited executives from Akamai Technologies, which runs its own global network of servers,claiming 500,000 to 700,000 Windows machines were infected.
Antivirus company, Symantec, said it knew of 10,000 infections but put the likely total in the hundreds of thousands.
The question of how many computers actually catch worms and viruses is hotly contested as security companies try to gauge the impact of malicious code outbreaks on the Internet.
The Microsoft numbers corresponded to recent scans of the Internet by the ISC, Ullrich said. ISC identified about 500,000 unique Internet Protocol addresses scanning port 445, the port used by Sasser, on Saturday, and 700,000 scans on Sunday, he said.
Those numbers are similar to ones collected during the Blaster worm attack, but Blaster scanned for vulnerable computers more voraciously, causing bigger disruptions in Internet and network traffic, he said.
As it did with the Blaster worm, Microsoft began offering the Sasser removal tool from its website shortly after the worm appeared. The tool, which can be downloaded or run from a Web browser, scans computers for telltale signs of Sasser and then allows the user to remove the worm.
In addition to the Sasser tool, Microsoft customers have rushed to download the software patch that prevents Windows systems from being infected with Sasser.