[RED ALERT: Sasser creator copycats: a new worm has been discovered, Cycle.A - 05

Discussion in 'malware problems & news' started by Marianna, May 10, 2004.

Thread Status:
Not open for further replies.
  1. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Madrid, May 10 2004 - The arrest of the alleged creator of the Sasser worms
    has not been accompanied by a lull in the momentum of computer viruses.
    PandaLabs has detected the appearance of a new worm, Cycle.A
    (W32/Cycle.A.worm) which -like Sasser and its variants- exploits the LSASS
    vulnerability affecting some Windows versions in order to infect computers
    through the Internet.

    The scenario has changed, however, as indicated by the text found inside the
    virus code. In this text, the virus creator -alias Cyclone- claims to be
    Iranian and refers to the social and political situation in his country. The
    entire content of this message can be read in Panda Software's Virus
    Encyclopedia, at http://www.pandasoftware.com/virus_info/encyclopedia/.

    Cycle.A tries to enter computers through communications port TCP45 in order
    to check if the system is vulnerable. If it is, the worm causes the affected
    computer to download a copy of itself called CYCLONE.EXE. However, this will
    only take place if the application TFTP.EXE is installed on the system.

    Additionally, and regardless of whether the worm has managed to copy itself
    to the targeted computer, the attempt by the virus to enter the system
    causes a failure in the application LSASS.EXE which makes the computer
    restart every 60 seconds.

    According to Luis Corrons, head of PandaLabs, "It was to be expected that
    sooner or later some other unscrupulous individual created a new virus that
    exploited the LSASS vulnerability. The real problem lies in the fact that
    the necessary code to exploit this security hole is in possession of many
    people who can incorporate it into their creations. Therefore, it is very
    likely that new variants of Sasser and Cycle, as well as other malicious
    codes that can act like them, will appear in the future."

    Meanwhile, the members of the Sasser worm family -which was joined yesterday
    by Sasser.E- continue to cause incidents on computers worldwide. In fact,
    Sasser.B continues to be one of the viruses most frequently detected by
    Panda ActiveScan, Panda Software's free online scanner.

    In order to prevent your computer from falling victim to Cycle.A, Sasser and
    its variants, or any other worm that exploits the LSASS vulnerability, it is
    necessary to install the Microsoft patch available from
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx. Panda
    Software also advises users to tighten security measures, ensure that they
    have a fully updated antivirus installed and keep themselves informed of any
    new viruses that could appear. Panda Software has made the updates necessary
    to its products available to clients.

    More information about these and other IT threats is available in Panda
    Software's Virus Encyclopedia, at
    http://www.pandasoftware.com/virus_info/encyclopedia/

    Panda Software's online support center
    (http://www.pandasoftware.com/support/) also offers help to users.
     
    Marianna, May 10, 2004
    #1
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...