Virus & Anti Virus Information by Connectto



If your Internet Service does not provide you with all of this information and more for $9.99, why not sign up with us?
SIGN UP FOR INTERNET SERVICE - CLICK HERE!



July - Newest Virus

NAME: Lebreat
ALIAS: Breatle, W32/Lebreat@mm, W32/Reatle@MM
W32/Lebreat.A@mm is a mass-mailer and a network worm. It was found on July 15th, 2005. Shortly after the initial version, two more variants appeared. The worm also has a backdoor, a trojan downloader and DoS (Denial of Service) attack capabilities.
VARIANT: W32/Lebreat.A@mm
Please read more about this by clicking here

06/27/06 HIGH: RealNetworks RealPlayer Multiple Vulnerabilities

Affected:
On Windows:
RealPlayer 10.5 (6.0.12.1040-1069)
RealPlayer 8/10
RealOne Player v2/v1
RealPlayer Enterprise
Rhapsody 3 (build 0.815-0.1006)
On Mac OS:
Mac RealPlayer 10 (10.0.0.305-331)
Mac RealOne Player
On Linux:
Linux RealPlayer 10 (10.0.0-4)
Helix Player (10.0.0-4)


Description: RealNetworks' various media players contain the following vulnerabilities that can be exploited by a malicious webpage or an HTML email to compromise a client system.
(a) A specially crafted AVI movie file triggers a heap-based overflow that can be exploited to execute arbitrary code. The problem arises when the "stream format chunk (strf)" size in an AVI file is greater than 1064 bytes.
(b) A specially crafted RealMedia file with RealText also triggers a heap-based overflow that can be exploited to execute arbitrary code. The problem arises when the size of the RealText data exceeds 256 bytes.
(c) A specially crafted MP3 file can overwrite a local file or lead to execution of an ActiveX control on the client system. This can be exploited to install malware on client systems. The technical details required to leverage this flaw have not been posted yet.
Note that systems with RealPlayer configured as the default media player are at a greater risk as the malicious media files may be opened without any user prompting.
Status: RealNetworks has released updates for all the vulnerabilities. Users should be advised to upgrade their player by clicking "Tools" or "Help" menu and then choosing "Check For Updates".
References:
RealNetworks Advisory http://service.real.com/help/faq/security/050623_player/EN/
eEye Advisory http://www.eeye.com/html/research/advisories/AD20050623.html
iDefense Advisory http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0077.html
AVI File Format http://msdn.microsoft.com/library/en-us/wcemultimedia5/html/wce50conAVIMainHeader.asp
RealText Reference http://service.real.com/help/library/guides/realtext/htmfiles/intro.htm
SecurityFocus BIDs http://www.securityfocus.om/bid/13530

06/27/05 LOW: Multiple Browsers Dialogue Box Spoofing

Affected:
Internet Explorer, Mozilla, Opera, Safari, Firefox

Description: This vulnerability in multiple browsers may allow an attacker to steal sensitive information from users and conduct phishing attacks. The problem arises because a dialogue box opened by using javascript code does not display the original website it belongs to. As a result, an attacker can craft a webpage that opens a trusted webpage and a dialogue box (posting content to the attacker's site), and ask the user to enter his information in the dialogue box. Secunia has posted proof of concept code.
Status: Users should be advised to enter information only in the forms supplied by the original site and not any dialogue boxes.
Council Site Actions: All of the reporting council sites are waiting on confirmation and patches from the vendors. They will most likely deploy the patch during one of their regularly scheduled system update processes.
References:
Secunia Advisory http://secunia.com/secunia_research/2005-9/advisory/
SecurityFocus BIDs
http://www.securityfocus.com/bid/14007
http://www.securityfocus.com/bid/14008
http://www.securityfocus.com/bid/14009
http://www.securityfocus.com/bid/14010
http://www.securityfocus.com/bid/14011
http://www.securityfocus.com/bid/14012

06/13/05 MODERATE: Apple Mac OS X Security Update 2005-006

Affected:
Mac OS X Client and Server version 10.4.1

Description: Apple has released a security update 2005-006 for Mac OS X client and server systems that fixes a number of vulnerabilities. The major flaws that can be remotely exploited to compromise Mac OS systems and have been fixed in this update are: (a) Multiple vulnerabilities in PHP prior to version 4.3.11 that can be exploited to cause a DoS or execute arbitrary code on a webserver running PHP. (b) A buffer overflow in the implementation of the Apple File Server (AFP) protocol that can be exploited to execute arbitrary code.
Status: Apply the Apple Security Update 2005-006.
References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=301742
PHP Vulnerabilities
http://www.sans.org/newsletters/risk/display.php?v=4&i=14#widely3
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#05.16.21

06/13/05 MODERATE: Mozilla Browsers Frame Injection Vulnerability

Affected:
Firefox version 1.0.4
Mozilla version 1.7.8
Description: An old vulnerability has been rediscovered in the Mozilla and Firefox browsers. This vulnerability permits a malicious website to inject a "frame" into the browser window of another website. For example, the content from http://www.malicious.com can be loaded into another window displaying the content from http://www.mybank.com. The flaw can be exploited by a malicious webpage to spoof its identity as a trusted site. This may lead to stealing sensitive user information such as passwords, or further compromise of the user system. Proof-of-concept browser test tools have been publicly posted.
Status: Mozilla has not confirmed, no patches available.
References:
Secunia Advisory
http://secunia.com/advisories/15601/

RootKit

RootKit Removal Tools - Click Here

To all of our customers

Even if you do not or cannot take the time to read through this page, it is very important that you keep your system updated.
Please make sure that you download and install any security updates for your operating system as well as any security software you may have.

05/16/05 HIGH: Mozilla Firefox Remote Code Execution Vulnerabilities

Affected: Mozilla Firefox 1.0.3 and prior
Description: Mozilla Firefox browser contains two vulnerabilities that can be exploited in tandem to completely compromise a user's system. The problems arise because Mozilla allows execution of javascript URLs in the context of another website stored in its history list, and Mozilla allows its software install function to display icons with javascript URLs. A proof-of-concept exploit has been publicly posted. Since the Mozilla software install function can be invoked in the default browser configuration only from sites within the mozilla.org domain, once Mozilla patched its servers the impact of the exploit was reduced.
Status: Mozilla has released Firefox version 1.0.4 that patches the code execution flaws.
Council Site Actions: Most of the council sites still have limited use of this application. However, they plan to deploy the new version. Some sites are using the automatic update feature to get the updates installed.
References:
Mozilla Advisory
http://www.mozilla.org/security/announce/mfsa2005-42.html
http://www.mozilla.org/security/announce/mfsa2005-43.html
http://www.mozilla.org/security/announce/mfsa2005-44.html
Posting by Paul
http://www.securityfocus.com/archive/1/397817/2005-05-07/2005-05-13/0
PoC Exploit
http://greyhatsecurity.org/vulntests/ffrc.htm
CERT Advisories
http://www.kb.cert.org/vuls/id/534710
http://www.kb.cert.org/vuls/id/648758
SecurityFocus BIDs
http://www.securityfocus.com/bid/13544

MODERATE: Microsoft Windows Explorer Remote Script Injection (MS05-024)

Affected:
Windows 2000 SP3/SP4
Description: Microsoft has confirmed the remote script injection vulnerability discussed in the @RISK newsletter posted on April 21, 2005, and released patch MS05-024 to address the issue. A proof-of-concept exploit for this flaw has already been published; hence, this patch should be applied to vulnerable Windows 2000 systems. Blocking ports 139/tcp and 445/tcp at the network perimeter will block the most likely attack vector - an attacker enticing users to browse the attacker's malicious shared folder.
Council Site Actions: Most of the council sites plan to deploy the patch during their next regularly scheduled system update process. A few council sites have already installed the patch. Several sites commented that they are blocking ports 139/TCP and 445/TCP at their external perimeter control points.
References:
Microsoft Security Bulletin MS05-024
http://www.microsoft.com/technet/security/bulletin/MS05-024.mspx
Previous @RISK Newsletter Posting
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#widely3
SecurityFocus BID
http://www.securityfocus.com/bid/13248

05/11/05 HIGH: Apple Security Update 2005-005

Affected:
Mac OS X version 10.3.9 and prior
Mac OS X Server version 10.3.9 and prior
Description: Apple released a cumulative security update on May 3, 2005. This update fixes a number of remote and local vulnerabilities that may be exploited to completely compromise a system running Mac OS. The critical vulnerabilities that can be remotely exploited, and have been fixed, are: (a) The "x-man-page://" URL is designed for man page look-ups, and is handled by the terminal program. Mac OS does not properly sanitize the URL; hence, it is possible to inject certain characters in the URL and execute arbitrary commands on a user's system. A proof-of-concept exploit has been publicly posted. (b) Mac OS contains a heap-based overflow in handling TIFF images that can be exploited to execute arbitrary code. The technical details for this flaw have been posted since December 2004. (c) The "help://" URL associated with the Help Viewer application can be used to execute arbitrary JavaScript code. A proof-of-concept exploit has been publicly posted.
Status: Apply the patch referenced in the Apple Security Update 2005-005.
References:
Apple Security Advisory
http://docs.info.apple.com/article.html?artnum=301528
Posting by David Remahl

http://archives.neohapsis.com/archives/vulnwatch/2005-q2/0035.html
http://remahl.se/david/vuln/004 (Help URL Flaw)
http://remahl.se/david/vuln/004/demo.html (PoC Exploit)
http://remahl.se/david/vuln/011/ (x-man-page URL flaw)
http://remahl.se/david/vuln/011/demo.html (PoC Exploit)
Advisories Related to Local Privilege Escalation Vulnerabilities
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0060.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0037.html
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0058.html
http://archives.neohapsis.com/archives/bugtraq/2005-05/0056.html
libtiff Flaws Disclosed in 2004
http://www.idefense.com/application/poi/display?id=174&type=vulnerabilities&flashstatus=true
Secunia Advisory
http://archives.neohapsis.com/archives/secunia/2005-q2/0436.html

05/11/05 UPDATE: Netscape Code Execution Vulnerabilities

Affected:
Netscape versions 6.x and 7.x
Description: Netscape browser has been found vulnerable to some of the remote code execution flaws reported in the Firefox browser last week. Proof-of-concept exploits are available for these vulnerabilities. Since there are no patches available, Netscape users should migrate to Mozilla/Firefox browsers.
Council Site Updates: Most of the council sites are no longer using Netscape as a supported browser and thus are not taking any action. One site is still actively trying to convince their support organization to abandon Netscape as a supported browser and move to Firefox. A second organization has a large number of Netscape users; however, they do not plan any action at this time. They have been pushing Internet Explorer as the preferred browser since late 2004.
References:
Secunia Advisories
http://archives.neohapsis.com/archives/secunia/2005-q2/0380.html
http://secunia.com/advisories/15103/
Previous @RISK Postings
http://www.sans.org/newsletters/risk/display.php?v=4&i=16#widely1
http://www.sans.org/newsletters/risk/display.php?v=4&i=12#widely3

04/25/05 HIGH: Mozilla Firefox Remote Code Execution

Affected: Firefox version 1.0.2 and prior
Description: Mozilla Firefox has been steadily gaining market share among browsers. The Firefox browser contains multiple flaws that can be exploited to execute arbitrary code with the privileges of the logged-on user. The following are three of the more severe flaws:
(a) The "<link>" tag can be used to load a custom image as a site's icon in Firefox. However, Firefox does not sufficiently validate the source for the custom image. Hence, by using a "javascript:" URL as the image source, it is possible to execute arbitrary commands on the client. A proof-of-concept exploit has been posted. Note that visiting a malicious web page is sufficient to leverage this flaw.
(b) The "<embed>" tag's "pluginspage" attribute is used to load the URL for installing a plug-in. By using a "javascript:" URL, it is possible to execute arbitrary commands on the client.
(c) A malicious webpage can open privileged pages such as about:config in the sidebar, and then use javascript URLs to execute arbitrary code on a user’s system.
Status: Mozilla confirmed. Firefox version 1.0.3 has been released. This version fixes many other security vulnerabilities.
Council Site Actions: Just a handful of sites officially support or use Firefox. One site has already patched, as they received notification over the weekend. The other sites have advised their users to patch.
References: Mozilla Advisories
http://www.mozilla.org/security/announce/mfsa2005-34.html
http://www.mozilla.org/security/announce/mfsa2005-35.html
http://www.mozilla.org/security/announce/mfsa2005-36.html
http://www.mozilla.org/security/announce/mfsa2005-37.html
http://www.mozilla.org/security/announce/mfsa2005-38.html
http://www.mozilla.org/security/announce/mfsa2005-39.html
http://www.mozilla.org/security/announce/mfsa2005-40.html
http://www.mozilla.org/security/announce/mfsa2005-41.html
Posting by mikx

04/18/05 CRITICAL: Microsoft Internet Explorer Multiple Vulnerabilities

Affected:
Windows 2000 SP3 and SP4
Windows XP SP1 and SP2
Windows XP 64-bit SP1 and 2003
Windows 2003
Windows 98/ME/SE
Internet Explorer 5.01, 5.5 and 6.0

Description: Microsoft has released a cumulative security update for Internet Explorer that patches the following vulnerabilities:
(a) A specially crafted webpage using certain Dynamic HTML functions can force Internet Explorer to execute arbitrary code. The problem occurs due to a race condition between IE threads that can be exploited to overwrite a thread's memory with the attacker-supplied data. The technical details and exploit code have been publicly posted.
(b) Internet Explorer contains a heap corruption vulnerability that can be triggered by a link of the format ‘'. A malicious webpage or an HTML email may exploit this flaw to execute arbitrary code on a client system.
(c) Internet Explorer Content Advisor (reached by clicking Tools->Options->Content on the IE menu) can restrict IE users from accessing certain sites. For example, parents can use the Content Advisor to limit access to adult sites for their children. IE contains a buffer overflow that can be triggered by a specially crafted Content Advisor file (PICS format). Note that an attacker would need to convince a user to accept the malicious PICS file in order to exploit the flaw.
Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-020. Note that Internet Explorer exploits are popularly used by malicious sites to install spyware and Trojans on client systems. Hence, this patch should be applied on an expedited basis.

04/18/05 HIGH: Microsoft Word Multiple Buffer Overflows

Affected:
Microsoft Word 2000/2002/2003
Microsoft Works Suite 2001/2002/2003/2004
Description: Microsoft has released patches for two buffer overflow vulnerabilities in Microsoft Word. One of the buffer overflows that has been patched was publicly reported in October 2004 along with complete technical details. The technical details about the other overflow have not been publicly disclosed. A webpage or a network share serving a malicious Word document, or an email with a malicious Word attachment, may leverage these flaws to compromise a client. Note that Internet Explorer automatically opens a Word document, which makes it easy to exploit the vulnerabilities via HTTP.
Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-023.
Council Site Actions: Most of the reporting council sites plan to respond to this item and install the patch during their next regularly scheduled system update process. One site commented that they don't distribute patches for applications such as MS Word, but do inform their users about the need to download and install MS Office updates.
References:
Microsoft Security Bulletin http://www.microsoft.com/technet/security/Bulletin/MS05-023.mspx

HIGH: Windows Shell Remote Code Execution

Affected:
Windows 2000 SP3 and SP4
Windows XP SP1 and SP2
Windows XP 64-bit SP1 and 2003
Windows 2003
Description: Microsoft Office (Word, Excel, PowerPoint) and some WordPerfect and Adobe files are stored in "OLE2" format. This format stores a program name (actually its CLSID) in the OLE2 document that can open the OLE2 file even when the file is re-named with an unknown extension. For instance, if a Word document is renamed with a ".docy" extension, Windows will still open the file with the Word program. A problem arises because Windows does not perform a proper check on the program CLSID stored in an OLE2 document. An attacker can craft a malicious OLE2 document with an unknown extension that contains CLSID of an arbitrary executable. An attacker, for example, can use the CLSID of Microsoft HTML Application Host (MSHTA) in an OLE2 document, to execute arbitrary script code on a user's system. Note that the user would need to double-click the attacker-supplied OLE2 document with an unknown extension. The attacker may be able to fool a user by using visually similar extensions such as ".d0c", ".pppt" etc. Exploit code to craft a malicious OLE2 document has been posted.
Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-016. A workaround to block the email attack vector is to filter file attachments with unknown extensions at the mail gateways. To prevent the attack via HTTP, users should be advised not to open documents with unknown extensions.
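As an added example (not code from the advisory or from Microsoft), the following Python check implements the gateway workaround above: it reads the CLSID stored in an OLE2 container's root directory entry and compares it with the extension the attachment claims, so an OLE2 file arriving under an unknown extension, or carrying a class other than the one expected for its extension, is blocked. The Word CLSID table is an assumption to extend from your own known-good files, and the stub builder only constructs test input, not a real Office document.

```python
import struct

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

# Root-storage CLSID the gateway expects behind each permitted extension.
# Only the Word 97-2003 class is listed (assumed table; extend it from your
# own known-good documents).
EXPECTED_CLSID = {
    ".doc": "00020906-0000-0000-C000-000000000046",  # Word.Document.8
}

def format_guid(raw):
    """Render a 16-byte on-disk GUID (first three fields little-endian)."""
    d1, d2, d3 = struct.unpack("<IHH", raw[:8])
    return "%08X-%04X-%04X-%s-%s" % (
        d1, d2, d3, raw[8:10].hex().upper(), raw[10:16].hex().upper())

def guid_bytes(text):
    """Inverse of format_guid: textual GUID to its 16-byte on-disk form."""
    p = text.split("-")
    return struct.pack("<IHH", int(p[0], 16), int(p[1], 16), int(p[2], 16)) \
        + bytes.fromhex(p[3] + p[4])

def ole2_root_clsid(data):
    """Return the CLSID in the root directory entry of an OLE2 (compound file)
    container, or None when the data is not OLE2."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    first_dir_sector = struct.unpack_from("<I", data, 48)[0]
    # Sector N begins at (N + 1) * sector_size; entry 0 of the directory
    # is always the root storage, whose CLSID sits at offset 80.
    off = (first_dir_sector + 1) * sector_size
    root = data[off:off + 128]
    if len(root) < 128 or root[66] != 5:      # object type 5 = root storage
        return None
    return format_guid(root[80:96])

def classify_attachment(filename, data):
    """Gateway policy: OLE2 content must arrive under a known extension and
    carry the CLSID that extension is expected to have."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    clsid = ole2_root_clsid(data)
    if clsid is None:
        return "not OLE2"
    if ext not in EXPECTED_CLSID:
        return "block: OLE2 content under unexpected extension %r" % ext
    if clsid != EXPECTED_CLSID[ext]:
        return "block: %s carries CLSID %s, expected %s" % (ext, clsid, EXPECTED_CLSID[ext])
    return "allow"

def build_ole2_stub(clsid_text):
    """Construct a minimal OLE2 container (header, directory sector, FAT
    sector) whose root entry carries clsid_text. Test input only; Office
    would not open it as a document."""
    header = bytearray(512)
    header[0:8] = OLE2_MAGIC
    # minor/major version, byte-order mark, sector shift 9 (512 B), mini shift 6
    struct.pack_into("<HHHHH", header, 24, 0x3E, 0x03, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 44, 1, 0)        # 1 FAT sector; directory at sector 0
    struct.pack_into("<I", header, 56, 0x1000)       # mini-stream cutoff
    struct.pack_into("<IIII", header, 60, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0)
    header[76:512] = struct.pack("<I", 1) + b"\xFF" * 432   # DIFAT[0]: FAT in sector 1
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    root[0:len(name)] = name
    struct.pack_into("<HBB", root, 64, len(name), 5, 1)      # name length, root type, black
    struct.pack_into("<III", root, 68, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF)  # no siblings/child
    root[80:96] = guid_bytes(clsid_text)
    struct.pack_into("<I", root, 116, 0xFFFFFFFE)            # ENDOFCHAIN: empty root stream
    directory = bytes(root) + b"\x00" * 384
    fat = struct.pack("<II", 0xFFFFFFFE, 0xFFFFFFFD) + b"\xFF" * 504   # dir chain end, FAT sector
    return bytes(header) + directory + fat
```

A renamed ".docy" file is flagged even though Windows would still hand it to the program named by the CLSID, which is exactly the behaviour the advisory describes.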
Council Site Actions: All of the reporting council sites plan to respond to this item. They will patch during their next regularly scheduled system update process.
References:
Microsoft Security Bulletin http://www.microsoft.com/technet/security/Bulletin/MS05-016.msp

MODERATE: MSN Messenger GIF Processing Overflow

Affected:
MSN Messenger version 6.2
Description: MSN Messenger contains a buffer overflow that can be triggered by malformed GIF image files. Specifically, GIF files with improper height and width cause this overflow, which can be exploited to execute arbitrary code with the privileges of the MSN Messenger user. A successful attack requires significant user interaction. Prior to sending a specially crafted GIF file, the attacker has to convince an MSN Messenger user to add him to the user's contact list.
Status: Apply the patch referenced in the Microsoft Security Bulletin MS05-022.
Council Site Actions: Most of the council sites plan to respond to this item and install the patches during their next regularly scheduled system update process. A few sites commented that they are blocking the affected traffic at their network perimeter points; thus reducing the risk associated with this item.
Installation and use of MSN Messenger is not supported by their central IT department, but neither is it blocked.

References: Microsoft Security Bulletin http://www.microsoft.com/technet/security/Bulletin/MS05-022.mspx

03/17/05 Long-Distance Fixes - Article by Fred Langa (he posted it in Jan - we are a little slow here)

We will not post the entire article here, only a small part of it.
You really should follow the link to read the entire article, it is very helpful Long-Distance Fixes - Article by Fred Langa

The problem: My son managed to pick up some sort of virus that he's not able to get rid of.
He says that it connects to the internet by itself and he can't control what sites the system accesses.
He called home to ask me what to do. I'm not sure how to crash and reinstall XP, especially long distance.
I told him to try system restore.
He got the virus about 2 months ago and was shipped out and unable to fix it at that time.
Can you give me step by step instructions on what he needs to do?

Fred's answer:
The emergency, band-aid fix is to use a firewall such as Zone Alarm ( http://www.zonelabs.com/store/content/home.jsp );
you can "lock" the firewall to block all internet access when you're not using the PC.
This only takes a click on the system tray icon, but prevents all phone-home activity via the internet connection.
(Of course, you can do something similar by physically disconnecting the network cable or phone wire.)
When you want access, it only takes another click to turn the connection back on.
Click here to read the entire article

Program Attacks Microsoft AntiSpyware App - By Scarlet Pruitt

Malware disables Microsoft's application and tries to steal online banking passwords. To read more click here

Defining Malware: FAQ - By Robert Moir

To read more click here

Microsoft malware tools slick but no cure-all - By Matthew Fordahl

To read more click here

Microsoft - Malicious Software Removal Tool

To read more and run the tool click here

2/26/05 HIGH: Trend Micro Products ARJ Handling Overflow

Affected:
Trend Micro Client/Server/Messaging Suite for SMB for Windows
Trend Micro InterScan eManager
Trend Micro InterScan Messaging Security Suite Linux/Windows/Solaris
Trend Micro InterScan VirusWall for Linux/Windows/HP-UX/AIX/Solaris
Trend Micro InterScan VirusWall for SMB
Trend Micro InterScan Web Security Suite for Linux/Windows/Solaris
Trend Micro InterScan WebManager
Trend Micro InterScan WebProtect for ISA
Trend Micro OfficeScan Corporate Edition
Trend Micro PC-cillin Internet Security
Trend Micro PortalProtect for SharePoint
Trend Micro ScanMail eManager
Trend Micro ScanMail for Lotus Domino on Windows/AS400/S390/AIX/Solaris
Trend Micro ScanMail for Microsoft Exchange
Trend Micro ServerProtect for Linux
Trend Micro ServerProtect for Windows/Novell Netware


Description: A large number of Trend Micro anti-virus products contain a heap-based buffer overflow vulnerability. The overflow can be triggered by a malicious ARJ (a compression format) archive. An unauthenticated attacker can compromise any client or server running the vulnerable Trend Micro product by delivering a malicious ARJ archive via email or web. The technical details regarding how to craft a malicious archive file can be found in the vendor's advisory.

Status: Vendor confirmed, upgrade to scan engine VSAPI 7.510 or higher. As an interim measure prior to patching, ARJ scanning can be disabled.

Council Site Actions: Due to the late breaking nature of the problem, we were unable to solicit any council site input.

References:
Trend Micro Advisory
http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution
ISS XForce Advisory http://xforce.iss.net/xforce/alerts/id/189
SecurityFocus BID http://www.securityfocus.com/bid/12643

2/26/05 05.8.22 CVE: CAN-2005-0243
Platform: Cross Platform
Title: Yahoo! Messenger Download Dialogue Box File Name Spoofing

Description: Yahoo! Messenger is a jabber tool.
It is vulnerable to a remote dialogue box spoofing issue due to a design error.
Yahoo! Messenger version 6.0.0.1750 is known to be vulnerable.
Ref: http://secunia.com/secunia_research/2005-2/advisory/

MOZILLA/FIREFOX/SAFARI/THUNDERBIRD/NETSCAPE WARNING!

Details:
(1) MODERATE: Multiple Browsers International Domain Name Spoofing
Affected:
Firefox version 1.0 and prior
Mozilla version 1.7.5 and prior
Safari version 1.2.5 and prior
Thunderbird version 1.0 and prior
Netscape version 7.x

Description: The Domain Name System (DNS) specification, as described in
the RFC 1034, does not permit the use of any non-ASCII characters for
constructing a domain name. International Domain Name (IDN) scheme was
specifically developed to support domain names in various languages.
Multiple browsers such as Mozilla, Firefox, and Safari have implemented
the IDN feature. This feature could be exploited by an attacker to conduct
phishing attacks. The problem occurs because a URL with a domain name
containing Unicode characters is displayed as an all-ASCII URL (by replacing
the Unicode characters with the closest resembling ASCII characters).
However, when such a URL is clicked, the content is rendered from the correct
international domain name possibly under the attacker's control. For instance,
the URL "pаypal.com" (spelled with a Cyrillic "а" in place of the first Latin "a") is displayed as "www.paypal.com" in the browser.
Upon clicking this URL, the content is rendered from the "www.xn--pypal-4ve.com"
domain name. Note that this trick can also be performed for sites that use
secure HTTP. The attacker can obtain a valid certificate for the international
domain name so that when a victim visits a spoofed secure site, the victim's
browser will still display the secure "lock" icon. Thus, a specially crafted
webpage or an HTML email may exploit the IDN feature to conduct phishing
attacks i.e. gather sensitive personal information from the users.
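The following Python code is an added example, not part of the newsletter item or any vendor's code: it decodes the Punycode form of each label (so "xn--pypal-4ve" becomes the Cyrillic-containing "pаypal" the browser would render), then reports the two indicators a defender can act on, a label that mixes scripts and a host whose confusable-mapped "skeleton" equals a protected brand name. The confusables table is a small hand-built subset of the Unicode TR39 list and the protected-brand list is an assumption for the test.

```python
import unicodedata

# Hand-built subset of the Unicode TR39 confusables table: non-Latin letters
# that render like Latin letters in common fonts (constructed for this example).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (what the address bar shows)."""
    if label.lower().startswith("xn--"):
        # Strip the ACE prefix and decode the Punycode (RFC 3492) payload.
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch):
    """Approximate the script of a letter from its Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def skeleton(text):
    """Map confusable letters onto their Latin lookalikes."""
    return "".join(CONFUSABLES.get(c, c) for c in text)

def analyze_host(hostname, protected=("www.paypal.com", "paypal.com")):
    """Decode every label and report homograph indicators: a label that mixes
    scripts, or a host whose skeleton equals a protected brand name."""
    labels = hostname.lower().split(".")
    rendered = [decode_label(label) for label in labels]
    unicode_host = ".".join(rendered)
    findings = []
    for label in rendered:
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append("mixed scripts %s in label %r" % (sorted(scripts), label))
    skel = skeleton(unicode_host)
    for brand in protected:
        if skel == brand and unicode_host != brand:
            findings.append("renders like %s but resolves as %s" % (brand, hostname))
    return unicode_host, findings
```

A legitimate single-script IDN such as "xn--mnchen-3ya.de" (münchen.de) produces no findings, which is the distinction a blanket "disable IDN" setting cannot make.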

Status: Vendors have been contacted. Mozilla has provided the steps for
disabling the IDN support. An unofficial Safari plug-in has also been posted
that will alert the Safari user when an IDN URL is clicked. A general counter
measure is to train the users to not enter any personal information on a
webpage visited via clicking a link in an email or another webpage.

Council Site Actions: Only three of the reporting council sites are using the
affected software. One site has notified their system support group and will
allow them to decide the action. The second site does not plan any immediate
action. The third site only supports Mozilla on UNIX system and will update
the central version in late February.

References:
Homograph Attacks by Eric Johanson
http://www.shmoo.com/idn/homograph.txt
http://www.cs.technion.ac.il/~gabr/papers/homograph.html
http://www.shmoo.com/idn/ (Contains PoC exploit)
Disable IDN Support in Mozilla
http://forums.mozillazine.org/viewtopic.php?t=215178
Unofficial IDN Detection for Safari
http://bob.pythonmac.org/archives/2005/02/07/idn-spoofing-defense-for-safari/
IDNA RFC
http://www.faqs.org/rfcs/rfc3490.html
PunyCode Encoding for International Domain Names
http://www.faqs.org/rfcs/rfc3492.html
Secunia Advisory
http://secunia.com/advisories/14163/


Secunia monitors vulnerabilities in more than 4000 products. Click Here for Secunia

01/27/05 Mozilla / Mozilla Firefox Download Dialog Source Spoofing

Affected Software:
Firefox 1.0
Mozilla 1.7.5
Other versions may also be affected.
Severity:
Rating: Less critical
Impact: Spoofing
Where: From remote
Description of Vulnerability: Secunia Research has discovered a vulnerability in Mozilla / Mozilla Firefox, which can be exploited to spoof the source displayed in the Download Dialog box.
The problem is that long sub-domains and paths aren't displayed correctly, which therefore can be exploited to obfuscate what is being displayed in the source field of the Download Dialog box.
The vulnerability has been confirmed in Mozilla 1.7.3 for Linux, Mozilla 1.7.5 for Windows, and Mozilla Firefox 1.0.
Mozilla Bugzilla report:
https://bugzilla.mozilla.org/show_bug.cgi?id=275417
Solution:
Currently, no solution is available. However, the vendor reports that this vulnerability will be fixed in upcoming versions of the affected products.
To read the entire report please go to: http://secunia.com/secunia_research/2004-15/advisory/

Virus hidden in images

01/25/05 We all receive images in our email from time to time and we have been told that image files are "ok" to open.
This is no longer the case!
We all must be careful opening those "harmless" image files now, because they can contain a virus.
We have added some information and links here so you can check out some of the various warnings on this topic.
PLEASE KEEP YOUR ANTI VIRUS DEFINITIONS UPDATED AND SCAN FOR SPYWARE AND TROJANS ON A REGULAR BASIS

Virus hidden in Tsunami disaster donation plea images Click Here
Security researchers say JPEG virus imminent Click Here
Trojan horse exploits image flaw:
EasyNews, a provider of Usenet newsgroups, said it has identified two JPEG images that take advantage of a previously
identified flaw in the way Microsoft software handles graphics files.
Windows users could have their computers infected merely by opening one of those Trojan horse images. Click Here

01/24/05
We want to make sure that everyone is aware of the "PHISHING SCAMS" that are going around in emails now.
These scams are not new, but they are becoming more of a problem now.
Please do not open any email from banks, credit unions, mortgage companies and places like that unless you do business with that company.
More important:
DO NOT FOLLOW LINKS SENT TO YOU VIA EMAIL THAT ASK YOU TO LOG INTO A WEBSITE TO CHANGE YOUR PIN NUMBER OR PERSONAL INFORMATION!
If you think that a legitimate company you normally do business with is trying to contact you, play it safe and call them
or visit their website as you normally would but not through any link sent to you via email that asks for personal information updating!
Please report any of these you receive to us at:
support@connectto.net - we will need the full headers, so you may forward them to us if you need to.


To find up to date virus information you can go to: Trend Micro

12/21/04 Massive phishing hole discovered in Internet Explorer

Microsoft said Friday that it is looking into reports from security company Secunia and others that a vulnerability in Internet Explorer 6 enables scammers to launch a phishing attack against PCs loaded with the latest security-updated version of Windows, Service Pack 2, and older versions of the operating system, CNET reports.
The Web browser flaw allows fraudsters to create a hard-to-spot spoofed Web site, according to an advisory from Secunia,
even to the point of including a fake SSL signature padlock certificate.
Phishers can also hijack cookies from any Web site, the company said.
"The problem is that users can't trust what they see in their browsers," Thomas Kristensen, chief technology officer at Secunia, said.
"This can be used to trick users to perform actions on what they believe is a trusted Web site,
but actually these actions are recorded and controlled by a malicious site."
Secunia is advising users to disable ActiveX support, until a patch is available.



Click here to read the full story on C-Net

1/18/05
More on PHISHING SCAMS

(Please take the time to go to these sites listed below if you are not sure what these scams are about)

Webopedia-Definition Of Phishing
FTC Consumer Alert-How Not to Get Hooked by a ‘Phishing’ Scam
Online Identity Theft-Spoof Email Phishing Scams and Fake Web Pages or Sites



Subject: Trend Micro Medium Risk Virus Alert - WORM_ZAFI.D
Date: Tue, 14 Dec 2004 11:07:43 -0800

As of December 14, 2004 8:13 AM PST, TrendLabs has declared a Medium Risk
Virus Alert to control the spread of WORM_ZAFI.D. TrendLabs has received
several infection reports indicating that this malware is spreading in
Germany, France and Spain.
The following is a brief overview of the worm process:
This worm spreads via email or peer-to-peer (P2P) file-sharing networks.
Here is a sample of the email:
Subject:
Re: Merry Chrsitmas!
Message body:
Happy Hollydays!
:) Pamela M.
Attachment:
postcard.index.php1111.pif
Note that the language of the email may change depending on the domain of the recipients.
TrendLabs will be releasing the following EPS deliverables:
TMCM Outbreak Prevention Policy 137
Official Pattern Release 2.297.00
Damage Cleanup Template 467
For more information on WORM_ZAFI.D, you can visit our Web site at:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_ZAFI.D

Older Virus Info-just in case you need it

Norton has a scan/remove tool for W32.Sobig.F@mm worm at
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html

Sasser Worm Info
Systems Affected: Windows 2000, Windows Server 2003, Windows XP
Details: W32.Sasser.B.Worm is a variant of W32.Sasser.Worm.
It attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin
MS04-011, and spreads by scanning randomly-chosen IP addresses for vulnerable systems.
Notes:
The MD5 hash value for this worm is 0x1A2C0E6130850F8FD9B9B5309413CD00.
Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.B.Worm.
Block TCP ports 5554, 9996 and 445 at the perimeter firewall and install the appropriate
Microsoft patch (MS04-011) to prevent remote exploitation of the vulnerability.
Security Response is upgrading W32.Sasser.B.Worm to a Category 4 from a Category 3 based on increased rate of submissions.
Also Known As: WORM_SASSER.B [Trend], W32/Sasser.worm.b [McAfee]
Variants: W32.Sasser.Worm
Type: Worm
Infection Length: 15872 bytes
REMOVAL TOOLS:
SYMANTEC: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
MCAFEE: http://vil.nai.com/vil/stinger/

FROM MICROSOFT:
Windows XP Users: What to Do If Your Computer Has Been Infected by Sasser
This link goes to the MICROSOFT INSTRUCTIONS: MICROSOFT INSTRUCTIONS

Time to update your anti virus and get a firewall if you do not have one



Old Worm
We found this information on a message board and thought it might be helpful.(http://www.mcse.ms/message779106.html)
COMPLAINT--Computer keeps on crashing after a few minutes on, with message NT AUTHORITY\system "c:\windows\system32\lsass.exe" 1073741819, this computer will close down in 30 seconds.
Greetings --
You've apparently contracted the latest worm, W32.Sasser.Worm, specifically designed to attack people who do not update their computers promptly and who do not practice "safe hex." In other words, like Blaster, this worm was developed and distributed _after_ a patch for the vulnerability was announced and made publicly available. Further, and also like Blaster, this worm could not affect any computer whose user had taken the basic precaution of using a properly configured firewall.
To stay on-line long enough to get the necessary updates, patches, and removal tools, click Start > Run, and enter "shutdown -a" when the next Shutdown countdown begins. This will abort the shut down. Also, make sure you've enabled a firewall before starting, to preclude any more intrusions while getting the updates/patches/tools.

What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp

Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/se..n/MS04-011.mspx

W32.Sasser.Worm
http://www.symantec.com/avcenter/ve..asser.worm.html

A tool is available to remove the Sasser worm variants
http://support.microsoft.com/defaul..kb;EN-US;841720

W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.co..ol.html

McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/
