Yet another Sasser worm appears

A new version of the Sasser Internet worm, Sasser-F, appeared on Monday, despite claims by German authorities to have arrested the sole author of that worm on Friday.

Antivirus software companies issued warnings about the new worm, which one antivirus expert called a crude adaptation that was unlikely to spread widely. The discovery, more than three days after German authorities arrested an 18-year-old German man for creating Sasser, suggests that the worm's code is circulating on the Internet and raises the specter of more Sasser versions, experts said.

Like earlier versions of Sasser, the F-variant exploits a recently disclosed hole in a component of Microsoft Corp.'s Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13, that fixes the LSASS vulnerability. (See: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx.)

Symantec Corp. rated Sasser-F a "Category 2" or low level threat and released a virus definition update for its products. Sophos PLC and Panda Software SL also issued alerts.

Microsoft will update its Sasser cleaner tool to detect the new variant, a company spokeswoman said.

After receiving tips about the suspected author, identified in news reports as Sven Jaschan, on May 5, Microsoft provided information to German authorities in Lower Saxony that lead to his arrest. Jaschan provided an "extensive" confession when he was taken into custody, admitting to creating both the Sasser and Netsky worms in an effort to fight infections of the Mydoom and Bagle worms, according to a statement provided by German authorities.

Based on that confession, authorities and Microsoft believed that Jaschan wrote all the versions of Sasser, including a new variant, Sasser-E, that appeared at the time of his arrest, according to Brad Smith, senior vice president and general counsel at Microsoft.

However, antivirus experts raised questions about the timing of the E-variant, which was not detected by antivirus companies until hours after the arrest. Experts also said that changes in the Netsky worm family over time and messages in both worms pointed to a group of virus writers, not a lone author.

Asked Monday about the company's reaction should a new variant appear, Brad Smith, senior vice president and general counsel at Microsoft, said a new Sasser worm would not change Microsoft's belief that it led police to the Sasser author.

"A new variant won't change our thinking about variants A through E. What it will mean is that somebody else is up to something else, as well," he said.

Smith cited German police reports of "overwhelming" evidence that Jaschan created the worm and the young man's confession as proof of his link to the first five versions of the worm.

However, the investigation is ongoing and other arrests in the case were possible, he said.

The new Sasser version does not disprove the lone-author idea, but suggests that the Sasser worm source code has been released on the Internet, said Patrick Hinojosa, chief technology officer of Panda Software U.S.