Tuesday, May 11, 2004

Hey everyone,

Didn't take long - New Sasser copycat virus debuts:

- Sasser creator copycats:
a new worm has been discovered, Cycle.A -
Virus Alerts, by Panda Software (http://www.pandasoftware.com)

Madrid, May 10 2004 - The arrest of the alleged creator of the Sasser worms
has not been accompanied by a lull in the momentum of computer viruses.
PandaLabs has detected the appearance of a new worm, Cycle.A
(W32/Cycle.A.worm) which -like Sasser and its variants- exploits the LSASS
vulnerability affecting some Windows versions in order to infect computers
through the Internet.

The scenario has changed, however, as indicated by the text found inside the
virus code. In this text, the virus creator -alias Cyclone- claims to be
Iranian and refers to the social and political situation in his country. The
entire content of this message can be read in Panda Software's Virus
Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/.

Cycle.A tries to enter computers through communications port TCP45 in order
to check if the system is vulnerable. If it is, the worm causes the affected
computer to download a copy of itself called CYCLONE.EXE. However, this will
only take place if the application TFTP.EXE is installed on the system.

Additionally, and regardless of whether the worm has managed to copy itself
to the targeted computer, the attempt by the virus to enter the system
causes a failure in the application LSASS.EXE which makes the computer
restart every 60 seconds.

According to Luis Corrons, head of PandaLabs, "It was to be expected that
sooner or later some other unscrupulous individual created a new virus that
exploited the LSASS vulnerability. The real problem lies in the fact that
the necessary code to exploit this security hole is in possession of many
people who can incorporate it into their creations. Therefore, it is very
likely that new variants of Sasser and Cycle, as well as other malicious
codes that can act like them, will appear in the future."

Meanwhile, the members of the Sasser worm family -which was joined yesterday
by Sasser.E- continue to cause incidents on computers worldwide. In fact,
Sasser.B continues to be one of the viruses most frequently detected by
Panda ActiveScan, Panda Software's free online scanner.

In order to prevent your computer from falling victim to Cycle.A, Sasser and
its variants, or any other worm that exploits the LSASS vulnerability, it is
necessary to install the Microsoft patch available from
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx. Panda
Software also advises users to tighten security measures, ensure that they
have a fully updated antivirus installed and keep themselves informed of any
new viruses that could appear. Panda Software has made the updates necessary
to its products available to clients.

More information about these and other IT threats is available in Panda
Software's Virus Encyclopedia, at
http://www.pandasoftware.com/virus_info/encyclopedia/

Panda Software's online support center
(http://www.pandasoftware.com/support/) also offers help to users.

In addition, the users can scan their computers on line for free with the
ActiveScan solution, available in the company web page
http://www.pandasoftware.com.


Ciao...