Sasser virus

We were struck, hard, by the Sasser virus today. Its creator should be slowly roasted over a pile of burning WinXP manuals (if they even exist in a paper form). Patient care was compromised and thousands of hours of lost productivity resulted.

How does the virus find vulnerable computers? How does it get into your computer? This article says that users may acquire it without any action on their part. Can you clarify in simple terms, say at the grade 6 level :smiley:

Essentially, there is a security issue with Windows XP so that if data is sent in a particular form, commands can be sent to the computer. Sasser sends out dozens of commands, trying to find unpatched computers by trial and error. If it finds one that hasn’t been protected, it uses the security hole to set itself up.

The security hole is known as a “buffer overflow,” which means if you send too much data, the extra data “overflows” into another memory location and is mistaken for a command.

Source: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125007
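As an added illustration of the “buffer overflow” idea in the post above (this is example code written for this page, not code from the thread, from McAfee’s write-up, or from the worm), the program below models a tiny slice of memory: an 8-byte input buffer followed immediately by a 4-byte field the program treats as a command code. The unchecked copy trusts the sender’s length, so the extra bytes spill over the buffer’s edge and overwrite the command field; the checked copy refuses input that does not fit. The memory layout, field sizes and function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy layout: bytes 0..7 are the input buffer, bytes 8..11 are an
 * adjacent "command" field. Keeping both inside one array means the overflow
 * stays within defined behaviour, so its effect can be observed reliably. */
#define BUF_LEN 8
#define MEM_LEN 12

struct toy_memory {
    unsigned char bytes[MEM_LEN];
};

/* Reads the 4-byte command field that sits right after the buffer. */
static uint32_t read_command(const struct toy_memory *m) {
    uint32_t cmd;
    memcpy(&cmd, m->bytes + BUF_LEN, sizeof cmd);
    return cmd;
}

/* Vulnerable pattern: copies as many bytes as the sender supplied. Anything
 * beyond BUF_LEN lands in the command field. Returns the number of bytes
 * written. (The clamp to MEM_LEN only keeps this toy in bounds; a real
 * program with this bug has no such fence.) */
static size_t copy_unchecked(struct toy_memory *m, const unsigned char *in, size_t len) {
    if (len > MEM_LEN) len = MEM_LEN;
    memcpy(m->bytes, in, len);
    return len;
}

/* Hardened pattern: the length is validated against the buffer size before
 * any byte is copied. Returns bytes written, or 0 when the input is rejected. */
static size_t copy_checked(struct toy_memory *m, const unsigned char *in, size_t len) {
    if (len > BUF_LEN) return 0;
    memcpy(m->bytes, in, len);
    return len;
}

/* Runs one scenario: zeroed memory receives a 12-byte message of 'A's that is
 * 4 bytes longer than the buffer. Returns the command field afterwards, so
 * 0 means "untouched" and 0x41414141 means "overwritten by the sender's data". */
uint32_t run_scenario(int hardened) {
    struct toy_memory m = {{0}};
    unsigned char input[MEM_LEN];
    memset(input, 'A', sizeof input);           /* constructed oversized input */
    if (hardened)
        copy_checked(&m, input, sizeof input);
    else
        copy_unchecked(&m, input, sizeof input);
    return read_command(&m);
}

int main(void) {
    printf("unchecked copy: command field = 0x%08x\n", run_scenario(0));
    printf("checked copy:   command field = 0x%08x\n", run_scenario(1));
    return 0;
}
```

The unchecked run leaves the command field holding the sender’s own bytes (0x41414141), which is the “extra data is mistaken for a command” effect the post describes; the checked run leaves it at zero because the oversized message never gets copied at all. The fix for this class of bug is exactly that length check, which is what the vendor patch the thread discusses supplies for the real code.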

OK, so it’s a 7th grade explanation.

More like graduate school!

But, thank you both. I am beginning to form a (very vague) image of what might be happening.

This is an example of why you should make sure you have all the most recent updates and virus protection. You can get email notification automatically or a critical update notification automatically from Microsoft. The patch for Sasser was available but unfortunately most people hadn’t downloaded it. I got caught once in 6 years and from that point on I was diligent about critical updates and making sure I had an updated virus program. Life was easier when all we had to do was make sure we didn’t open any mail attachments!

The irony is that I, a veritable computer imbecile, had not only downloaded the patch for my home computer, but had double-checked that I had it upon learning of the incipient Sasser outbreak. But did my corporation? With its team of IS specialists? No!

In their defense, it’s a lot harder to take down hundreds of computers for a patch (even if there weren’t other employees using them all the time) than it is for you to run the patch once on your computer. Corporate networks tend to go unpatched for quite a while because of this, unfortunately, although I wish somebody would introduce some of these people to the concept of “an ounce of prevention is worth a pound of cure.”

Some IT guys are a bit behind the times, but usually it’s a combination of not being able to schedule downtime for a system, and having to test the patch first. (Many an administrator has been burned by MS, installing some “critical patch” that causes the company’s main application to cease all functionality.)

OTOH, it was funny when the MS representative here infected our network with his laptop. :wink:

Early testing at my organization uncovered that a certain percentage of machines would refuse to allow users to login after the Sasser patch was applied, thus it was decreed that the patch would only be applied after it was verified that the machine was infected. Additionally, we can’t use Windows Update because the bandwidth usage is prohibitive. Imagine 1000 computers trying to download a 20MB patch at the same time over the equivalent of a home cable modem while we also attempt to conduct critical operations. It wouldn’t really work out that well.

I’d be extremely sceptical of any email from Microsoft telling you of such an update. More likely it will be a fake, pointing to a website that looks exactly like MS’s but actually installs something else entirely, i.e. a spam engine or key logger program.

As a general rule you should never install any software from an email link unless you are absolutely certain of the source.

Better to set Windows update to automatically notify you.
NB: Don’t set it to download and install without your permission though.

Also, you cannot assume that if your PC is fully patched and Antivirus protected, then you are safe. You also need a firewall, which may be implemented in your broadband router already, or if not, use one of the several free alternatives out there such as Sygate or Zonealarm.
~GSV. IT Helpdesk Staffer. MCSE.

Microsoft doesn’t send out e-mail updates, but Windows XP computers are set up to allow for automatic updates.

With us, the issue was not the college’s computers, it was (of course) the students. Faculty and staff have been taught to keep their computers on overnight at least one night a week and we push out updates. However, we can’t manage student computers the same way.

So we send out warnings. We did three of these prior to Sasser hitting: one on Friday afternoon as a script detected unpatched computers; one on Friday night as I noticed a couple of viruses were beginning to exploit the security hole; and one on Sunday night after I heard about Sasser.

No one listened. :mad:

We found 500 unpatched computers Friday afternoon, and 400 unpatched student computers on Monday morning. Sounds like an improvement, only the Monday morning number was at 8:00 a.m., so the difference could easily have been the fact that fewer computers are on.

When I installed my XP and put in the options, as I remember it, there was a default setting to automatically search for updates at 2:00 AM daily.

There are times when the obtuseness of corporate operations makes me doubt the mantra of “free enterprise always does it better.”

I spent some time this week patching my servers. The download went quite quickly, but the install took FOREVER. It was eventually successful, so I can’t complain too much… besides, it wouldn’t do any good.

If I read the information from McAfee correctly, the worm exploits port 445. Go to the Gibson Research website and run their Shields Up utility. It will tell you if port 445 is open and vulnerable.

This is exactly why you need a firewall to go with your anti-virus software. Like everyone else has been saying, you need to keep up with the OS updates as well.

This just leaves one question. How is this getting past the firewall at the bigger companies and schools?

Because it is always someone else’s responsibility. One person is a proprietor, two people make up a bureaucracy, and if you toss a ball to a bureaucracy it is certain to be dropped.

Microsoft do make a patch available for network installation, simply to reduce the load their servers have to handle.

Because you were only risking one computer. If you are one of the unlucky ones, the patch could screw up the computer. Microsoft Security Bulletin

How would you like to be the IS guy who screwed up a whole bunch of your company’s computers by applying the patch without taking the time to test it first?

It takes time to properly test and apply the patch.

Fair enough. You and others in the thread have made it clear that I should apologize for my comment, which wasn’t fair. I do apologize and regret being so presumptuous.

Does it actually take two weeks, though, to test the patch?

I could have sworn I did the same thing - especially since many times in the past, I’ve woken up to “you need to install this update now” messages…

but somehow, it missed this one.

What I especially love about the Microsoft “solution” is that it requires downloading the patch before you can use the fix. Downloading the patch on dialup takes so long that the worm has shut down the computer before you’re even close to the install being finished.

I hate this worm. I think it might be fixed, now, but I’m not sure. And I hate this worm.

I am subscribed to the MS email service which notifies me of updates and virus issues. Also, they have a page that tells you how to authenticate an email as being from MS. I know you have to be very careful. Can’t trust any email these days unless you know the sender.

http://www.microsoft.com/security/antivirus/authenticate_mail.asp

http://www.microsoft.com/security/security_bulletins/alerts2.asp
This service is for individuals and small businesses.