An Internet technical support network based here has detected a new variant of the Sasser worm, saying it found the new Sasser.E just two days after Sasser's teenage creator was arrested in Germany.
"This fact confirms our fears that he is not the only person programming the Sasser and Netsky worms, but rather it is an organized group of delinquents," said PandaLabs chief Luis Corrons, announcing the discovery of the new Sasser variant. "This seems to indicate that there is a kind of cyber war being waged among the creators of the Bagle, Mydoom, Netsky and Sasser worms, and it will continue to cause many more variants of the virus."
Indeed, the still unidentified German teen behind Sasser was said to have told authorities, as he confessed to being Sasser's mastermind, that he stumbled on the idea for the Sasser code while working on a Netsky variant he claimed would be aimed at battling against MyDoom and Bagle worms.
PandaLabs spokesperson Alan Wallace told AVNOnline.com the Sasser.E variant code might have been written before the teen was arrested, but he didn't know for certain whether the suspect programmed it to launch before he was arrested or delivered it to an acquaintance to transmit.
Corrons said the exact intentions of these organized underground delinquents are yet to be determined, but whoever they are, they are trying to draw attention to viral code "while at the same time carry[ing] out other types of acts that will translate into personal economic gain, such as stealing bank data in order to commit fraud."
At this writing, Sasser.E had reached Ukraine, Norway, Switzerland, Sweden, and the Russian Federation, but Wallace said its U.S. presence for now was negligible compared to those countries. "It's not as much of a problem in the U.S. as it is in other places," he said, "possibly because of the news coverage. And we're alerted pretty much before the rest of the world is, and most of our corporate machines are maintained by quality [chief technical officers] who really jump on this stuff."
Wallace also said greater awareness of running the patches means Sasser statistics are starting to fall.
Like its four predecessor variants, Sasser.E exploits a Microsoft Windows security hole, known as LSASS, and hunts cyberspace for vulnerable computers to attack, copying itself to Windows directories under the LSASSS.exe file name. This provokes system errors that force the infected machines to reboot every 60 seconds.
Unlike its four predecessors, PandaLabs said, Sasser.E is actually programmed to knock Bagle worm variants right out of the systems it invades.
Microsoft has an available patch to ward off and clean out Sasser.