Sasser infections hit Amex, others

Security experts are continuing to issue warnings about the Sasser Internet worm as organizations struggled to clean up the damage caused by infected hosts.

American Express Co. joined a number of U.S. universities in reporting infections from the Sasser worm on Monday and the SANS Institute's Internet Storm Center (ISC) maintained a yellow warning Tuesday despite expectations earlier in the day that the Sasser outbreak would wind down Monday, according to interviews.

Sasser exploits a recently disclosed hole in a component of Microsoft Corp.'s Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13.

The SANS Institute's Internet Storm Center said on Monday that it was maintaining its yellow alert, indicating a "significant new threat" on the Internet due to "the continuing spread of Sasser and other malicious code targeting the MS04-011 vulnerabilities," according to the ISC.

Among other things, modifications in new Sasser variants Sasser.C and Sasser.D, which appeared on Monday, prompted the ISC to maintain the yellow alert on Tuesday. Internet Storm Center chief technology officer Johannes Ullrich said he expected Sasser to die down Monday, prompting a return to the "green" status by the end of the day.

American Express experienced Sasser infections on employee desktops beginning Sunday that disrupted the company's internal networks, but did not have an impact on customer services according to Judy Tenzer, a company spokeswoman.

American Express refused to reveal how many computers were affected, or how the worm penetrated the company's network, but the infections were limited to employee desktops and did not affect critical servers at the company, she said.

Reports surfaced Monday of unexplained computer problems at other companies, as well.

Delta Airlines Inc. experienced technical difficulties on Saturday that forced the cancellations of some flights. The computer problems began at 2:50 P.M. local time on Saturday and were fixed by 9:30 Saturday evening, said Katie Connell, a Delta spokeswoman.

Connell would not common on the cause of the problems, or which systems were affected, citing a continuing investigation. Delta does use Microsoft products and the Windows operating system, she said.

In Boston, colleges and universities felt the effects of the worm, according to David Escalante, director of computer policy and security information technology at Boston College (BC), in Chestnut Hill, Massachusetts.

Around 200 machines on BC's campus network were infected with Sasser, most of them laptop and desktop computers owned by students, he said.

BC blocked traffic on port 445, which is used by the Sasser worm to spread, before the outbreak. Information technology (IT) staff are analyzing the infections, which may have come from students who brought infected laptops back onto campus from home, Escalante said.

Staff are also struggling with complications caused by Sasser, which causes many Windows XP and Windows 2000 machines to crash repeatedly, preventing students from logging onto the desktop and installing the appropriate software patch.