Automatic Installation.
Silent Installation.
Can this Worm be Stopped?
WARNING
5/2/04
ALL MACHINES NOT UPDATED IN THE LAST 14 DAYS
MAY BE VULNERABLE
Please run Windows Update from the Start Menu and confirm
that your machine is fully updated.
This warning only applies to:
Windows XP (Home, Professional, & Multimedia in standard versions)
Windows 2000 (both Pro and Server versions)
Windows 2003
It does NOT apply to Windows XP 64-bit versions, Windows 2003,
Windows NT, Windows 9X, Windows ME, or Macintosh systems. However,
users of these systems would be advised to read this message
and to also update their system software (and, if Macintosh,
their firmware) to the latest versions in any case.
The Sasser Worm exploits a flaw in the Windows Operating System. It will
not be detected by anti-virus software during installation, and
cannot be blocked. Computers on the Internet without a firewall
(or NAT Router) are exposed to AUTOMATIC infection.
IF your office is protected from infection by a Router or Firewall,
be aware that your internal network can be compromised from an
infected laptop or other mobile computer brought into
the office from outside. Protection from the Internet alone is
NOT enough!
Note also: HOME users who have a Cable Modem system and do not
have a NAT Router to protect them from infection are playing
with fire. A NAT Router (a "hardware firewall") should
not be considered OPTIONAL when using a Cable Modem, DSL, or
other permanent high-speed Internet connection. SoftProse Technology,
Inc. STRONGLY recommends the use of any of a large number of
inexpensive NAT Routers between a permanent connection to the
Internet and your home computer! Vendors include SMC, NetGear,
3Com, and Belkin, among others.
DO YOU HAVE A WIRELESS SYSTEM? Wireless systems are nearly impossible
to defend against unauthorized use! Use caution before investing
in a Wireless system; WEP Encryption is not enough protection.
Are you running Wireless without any WEP encryption? Then you
may have unknown "visitors" on your network, and behind
any firewall. See our information on wireless at: http://www.softprose.com/proposals/wireless.html
Windows XP includes a FIREWALL system that can defend individual computers
from this type of attack. However, activation of this Firewall
without configuration knowledge may also cut the user off from
certain network services. If you are not able to install a NAT
router (a "hardware firewall"), please investigate
the Firewall options available with your software.
Windows XP:
http://www.microsoft.com/security/protect/windowsxp/firewall.asp
Microsoft on Firewalls:
http://www.microsoft.com/security/articles/fwbenefits.asp
If this is not sufficient, free firewalls such as the popular
ZoneAlarm (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp)
also offer a level of protection. Again,
a NAT router is recommended as the best form of protection, along
with automatic updates from Microsoft.
Users of InoculateIT and Etrust AntiVirus from Computer Associates (where the
software is active and updating automatically) have the ability
to remove the virus, BUT still require the updates to be installed
to prevent infection. However, this requires that the changes
to the software installation listed in our Addendum be made, to activate
the System Cure function. A copy of this Addendum
may be downloaded from our website, along with basic InoculateIT
installation instructions (which include the complete Addendum).
Note that most users of systems installed and/or managed by SoftProse
Technology, Inc. already have their Inoculate systems configured
in this way.
SIGN OF INFECTION:
These problems may or may not be
noted as signs of infection. It is possible for an infection
by the SASSER WORM to go completely undetected.
An error message may occur from the LSASS service, indicating
an error in the "LSA Shell".
The computer may also spontaneously
restart. In some instances, it will begin to restart constantly.
Regular Installation of Microsoft Updates is the ONLY protection from
this infection.
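The two checks this page gives, the 14-day update window from the warning and the signs of infection listed above, applied to a small office inventory. This is an added example, not SoftProse or Microsoft code; the note format, host names, sample dates and the restart-loop threshold (3 restarts within one hour) are assumptions constructed for illustration.

```python
from datetime import date, datetime, timedelta

ADVISORY_DATE = date(2004, 5, 2)      # date on the warning above
MAX_UPDATE_AGE = timedelta(days=14)   # "not updated in the last 14 days"
LOOP_COUNT = 3                        # assumed: restarts that count as "constantly"
LOOP_WINDOW = timedelta(hours=1)      # assumed: window for counting them

# Constructed sample data: host|timestamp|note, as a help desk might record it.
SAMPLE_NOTES = """\
FRONTDESK|2004-05-02 09:01|error in LSA Shell
FRONTDESK|2004-05-02 09:03|spontaneous restart
FRONTDESK|2004-05-02 09:10|spontaneous restart
FRONTDESK|2004-05-02 09:18|spontaneous restart
LAPTOP-7|2004-05-02 10:30|spontaneous restart
"""
# Constructed: date each host last completed Windows Update.
SAMPLE_LAST_UPDATE = {"FRONTDESK": date(2004, 3, 30),
                      "LAPTOP-7": date(2004, 4, 28),
                      "RECEPTION": date(2004, 4, 1)}

def parse_notes(text):
    """Return (host, datetime, note) tuples from 'host|timestamp|note' lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            host, stamp, note = (part.strip() for part in line.split("|", 2))
            rows.append((host, datetime.strptime(stamp, "%Y-%m-%d %H:%M"), note))
    return rows

def restart_loop(times):
    """True if LOOP_COUNT restarts fall inside any LOOP_WINDOW."""
    times = sorted(times)
    return any(times[i + LOOP_COUNT - 1] - times[i] <= LOOP_WINDOW
               for i in range(len(times) - LOOP_COUNT + 1))

def triage(notes, last_update, today=ADVISORY_DATE):
    """Map host -> findings. An empty list does not prove the host is clean."""
    report = {host: ["update-overdue"] if today - seen > MAX_UPDATE_AGE else []
              for host, seen in last_update.items()}
    restarts = {}
    for host, when, note in notes:
        findings = report.setdefault(host, [])
        if "lsa shell" in note.lower() and "lsa-shell-error" not in findings:
            findings.append("lsa-shell-error")
        if "restart" in note.lower():
            restarts.setdefault(host, []).append(when)
    for host, times in restarts.items():
        report[host].append("restart-loop" if restart_loop(times) else "restart")
    return report
```

In the sample, RECEPTION shows no symptoms yet is still flagged as overdue for updates, which is the case the page warns about: an infection can go completely undetected, so the update check is the one that decides priority.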
It is now strongly recommended that all USER computers be set
for "Automatic Updates".
For Windows XP, right-click on My Computer, choose "Automatic
Updates". Set it to install updates DAILY at a set time
(such as 9AM) when the computer will be on.
For Windows 2000, go to Control Panels, Automatic Updates.
Set it to install updates DAILY at a set time (such as 9AM) when
the computer will be on. (Not there!? You must update your system
with Windows Update. You don't have the right Service Pack installed!)
Running Windows Update:
Go to the Start Menu, select "Windows Update."
Windows Update NOT THERE? With your browser, surf to:
"http://windowsupdate.microsoft.com"
ACCEPT ANY DOWNLOAD from Microsoft (with
the latest version of the Windows Update software.)
WINDOWS UPDATE WILL NOT LOAD? It requires
IE 5.5 or higher. (IE 6.1a is the current version.) You first
need to Update your copy of Internet Explorer. Surf to http://www.microsoft.com/ie
and install the latest version of Internet Explorer's browser.
After this process (a long download, and at least one restart
will be required), go back to Windows Update (http://windowsupdate.microsoft.com)
and complete the update process.
How will this Virus Problem End?
An Editorial from SoftProse Technology, Inc.
This virus problem is quite a serious one. Users buy computers
with anti-virus software that
never updates or will expire updates after a few months, and
assume that they "have protection". This encourages
virus authors: any anti-virus software that "expires"
for updates is a tool that encourages virus authorship, not true
protection. Virus software should update for the life of the
computer or operating system, and not require periodic re-purchases
to remain in effect. In addition, antivirus software should automatically
check for updates several times a day, such as the default 4
hours we set for our InoculateIT / EtrustAntiVirus systems. Users
also must bear some responsibility to keep their software updated;
to not involve themselves with "cheater" software such
as Kazaa; and to avoid running strange attachments.
Spyware and Adware, along with Spam transmission efforts, are
now becoming more and more closely linked to virus authorship.
Anti-virus software will not touch "commercial" Spyware
and Adware, claiming that this is not their responsibility. However,
computers are failing when they are overwhelmed by Spyware and
Adware, and this is a major growing problem. Anti-virus software
must protect against all malicious software, not just those produced
by amateurs.
Internet Service Providers such as Earthlink, AOL, Verio, RoadRunner,
Optimum Online, etc. are the actual means by which these viruses
are transmitted. The true "source of infection" is
the Internet pipe by which we are communicating. To resolve these
issues, new routers called "filtering routers" can
be installed, to replace the current "boundary routers"
that connect users to the Internet. Replacing all the boundary
routers with new filtering routers that can remove viruses and
spam is a major expense, and a technological challenge. It is
also a challenge that must be met, and SOON, as consumers are
being pounded by the products of brilliant but immature criminals.
The only way to defend against these problems is for the Internet
itself to rise in its own defense. Companies that make the
new generation of router systems include Cisco and Juniper Networks,
but many other vendors will be available in the near future.
ISPs that implement filtering of this kind will be extremely
desirable. SoftProse Technology, Inc. is now involved both in
encouraging current ISPs to take responsible actions and to
implement these filtering technologies, and in discovering and promoting
ISPs that currently offer these services to their clients.
Further Information on the Sasser Worm:
The Microsoft web site
has information about this problem at:
http://www.microsoft.com/security/incident/sasser.asp
A tool to REMOVE the Sasser Worm from Microsoft can be found at:
http://www.microsoft.com/downloads/details.aspx?familyid=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
The Microsoft Sasser Removal Tool serves three functions:
1) It tells the user IMMEDIATELY if their machine is protected
from the Sasser Worm; it will not run on a machine that does
not have the correct updates applied.
(For the correct update, please use Windows Update. For a manual
download, see:
http://www.microsoft.com/security/security_bulletins/200404_windows.asp )
2) If the update is applied AFTER the virus has infected the
machine, the tool will remove the Sasser worm and tell the user
that the infection is cured.
3) If there is no infection and the protection from the Sasser
Worm is installed, the program will run a quick check on the
system to confirm that the Worm is not present and will indicate
this to the user.
Computer Associates has information on this worm at:
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012
Network Associates (creators of McAfee) have info at:
http://vil.nai.com/vil/content/v_125007.htm
The excellent Network Associates STINGER
has been updated to include the Sasser Worm. This tool is Free,
and will remove some thirty of the worst type of virus/worm infestations.
Although it does not kill everything, it will take care of the
"worst of the worst".
Download the latest version of Stinger from:
http://vil.nai.com/vil/stinger/
F-Secure has info at:
http://www.f-secure.com/v-descs/sasser.shtml
Another free tool to remove the
Sasser.A and Sasser.B worms is available here.
http://www.f-secure.com/v-descs/sasser.shtml