Panda Security
VIRUS ALERT
May 6, 2004
HIGH

PANDA SOFTWARE IN THE HUNT FOR THE AUTHORS OF THE SASSER WORMS

• Using forensic IT techniques, PandaLabs is collecting clues that could lead to the arrest of the authors of the Sasser worm
• Given the modus operandi of these virus authors, a new and extremely dangerous virus is expected to appear over the weekend
• More companies and institutions are reporting that they have felt the effects of Sasser. These include the government of Hong Kong and American Express in the USA
• Users are advised to keep their guard up and to install the patch released by Microsoft to fix the LSASS vulnerability, if they have not already done so

Glendale, CA - May 6, 2004 - While the Sasser worms continue to look for new victims to infect, the hunt for their creators has started. By applying proprietary forensic IT techniques to the code of these worms, PandaLabs will look for clues that could lead to the arrest of their authors.

“The authors of Sasser must also be treated as particularly dangerous criminals, as evidence suggests that they also created the Netsky worms, and who knows how many other viruses, but letting viruses loose is a crime that should be investigated,” says Luis Corrons, head of PandaLabs.

The clues to the authors of computer viruses are hidden in the source code: lines of special characters that to the untrained eye don’t make any sense, but that can disclose a lot of information to the experts at PandaLabs. “The authors of computer viruses usually have delusions of grandeur and therefore don’t miss any opportunity to leave their mark in the viruses they create. However, this is often their undoing: it can be a date, the name of a city, a reference to a friend or girlfriend, etc. The slightest clue could be the key to detaining the author of the virus,” explains Corrons.

However, until these delinquents are caught, users should continue to keep their guard up against the highly probable appearance of new viruses.
Considering how the previous attacks were carried out, it is likely that the authors of the Sasser and Netsky worms are putting the final touches to an extremely dangerous malicious code that, as they have done up until now, they will unleash at the weekend.

More companies and institutions are reporting that they have felt the effects of Sasser in one way or another. These include Heathrow airport in London, where one of the terminals was brought to a standstill, some governmental departments in Hong Kong, as well as the Suntrust Bank and American Express in the USA.

The following charts document the activity of Sasser and other viruses for the last 7 days in the US and globally:

VIRUSES TOP 20 US ACTIVITY

May 1 US Stats
Virus                 % infections
Trj/Briss.A           9.7
Trj/Downloader.L      9.53
Trj/Revop.F           8.33
Trj/Downloader.AN     8.07
Trj/Multidropper.AM   5.92
W32/Netsky.P          5.67
Trj/Siboco.A          4.89
Trj/Revop.A           3.18
W32/Bagle.AB          3.18
Trj/Downloader.DK     3.09
W32/Bagle.pwdzip      3
W32/Nachi.B           2.83
W32/Netsky.D          2.66
W32/Netsky.C          2.49
W32/Klez.I            2.06
Trj/Multidropper.BJ   1.97
Trj/StartPage.CS      1.89
W32/Netsky.B          1.72
W32/Sasser.A          1.72
W32/Parite.B          1.63

May 2 US Stats
Virus                 % infections
Trj/Downloader.L      9.69
W32/Sasser.B          8.03
Trj/Briss.A           7.94
Trj/Downloader.AN     7.77
Trj/Revop.F           6.98
W32/Sasser.A          6.46
W32/Netsky.P          5.85
Trj/Multidropper.AM   4.89
Trj/Siboco.A          4.19
Trj/Downloader.DK     3.75
W32/Bagle.pwdzip      3.32
Trj/Revop.A           2.71
W32/Netsky.D          2.62
W32/Nachi.B           2.53
W32/Netsky.C          2.53
W32/Klez.I            2.18
Trj/StartPage.CS      2.09
W32/Parite.B          1.92
W32/Bagle.AB          1.83
Trj/Multidropper.BJ   1.57

May 3 US Stats
Virus                 % infections
Trj/Downloader.L      10.67
W32/Sasser.B          9.71
Trj/Briss.A           8.03
Trj/Revop.F           7.3
Trj/Downloader.AN     6.98
W32/Netsky.P          6.42
Trj/Multidropper.AM   4.9
W32/Sasser.A          4.74
W32/Bagle.AB          3.93
W32/Bagle.pwdzip      3.53
W32/Nachi.B           3.45
Trj/Downloader.DK     3.37
W32/Netsky.D          3.29
Trj/Siboco.A          2.97
Trj/Revop.A           2.73
W32/Gaobot.QY         2.33
W32/Gaobot.RJ         2.33
W32/Netsky.C          2.25
W32/Netsky.B          2.09
W32/Sasser.C          1.85

May 4 US Stats
Virus                 % infections
Trj/Downloader.L      8.09
W32/Netsky.P          6.97
W32/Gaobot.RJ         6.69
Trj/Revop.F           6.24
Trj/Briss.A           6.18
W32/Sasser.B          6.07
Trj/Downloader.AN     5.17
W32/Gaobot.QY         4.61
W32/Sasser.A          4.22
Trj/Downloader.DK     4.22
W32/Nachi.B           3.93
W32/Bagle.pwdzip      3.71
W32/Bagle.AB          3.43
Trj/Virtumonde.C      3.43
W32/Netsky.D          3.32
W32/Sasser.C          3.32
Trj/Siboco.A          3.15
Trj/Multidropper.AM   3.09
W32/Netsky.C          2.81
W32/Gaobot.RO         2.59

May 5 US Stats
Virus                 % infections
Trj/Virtumonde.C      16.12
Trj/Downloader.L      9.71
Trj/Briss.A           7.65
W32/Netsky.P          7.47
Trj/Revop.F           6.88
W32/Gaobot.RO         6.41
W32/Gaobot.RJ         4.76
Trj/Downloader.AN     4.29
W32/Sasser.B          4.18
Trj/Multidropper.AM   3.71
Trj/Downloader.DK     3.65
Trj/Siboco.A          3.24
W32/Bagle.pwdzip      3.24
W32/Gaobot.QY         3.18
W32/Netsky.D          3
W32/Nachi.B           3
W32/Sasser.A          2.94
Trj/Revop.A           2.82
W32/Sasser.C          2.71
W32/Bagle.AB          2.41

May 6 US Stats
Virus                 % infections
Trj/Virtumonde.C      16.66
Trj/Briss.A           12.25
Trj/Downloader.L      9.03
Trj/Revop.F           6.72
W32/Netsky.P          6.44
W32/Gaobot.RO         6.09
W32/Gaobot.RJ         5.11
W32/Nachi.B           4.06
Trj/Downloader.AN     3.78
Trj/Downloader.DK     3.78
W32/Sasser.B          3.57
Trj/Multidropper.AM   3.08
W32/Netsky.D          2.87
W32/Bagle.pwdzip      2.8
Trj/Revop.A           2.73
W32/Netsky.C          2.73
W32/Gaobot.QY         2.52
W32/Bagle.AB          2.38
W32/Sasser.A          2.38
W32/Sasser.C          2.38

May 7 US Stats
Virus                 % infections
Trj/Virtumonde.C      13.46
Trj/Briss.A           12.64
Trj/Revop.F           8.38
Trj/Downloader.L      8.1
W32/Gaobot.RO         6.59
W32/Netsky.P          5.77
Trj/Multidropper.AM   4.4
W32/Gaobot.RJ         3.98
Trj/Downloader.AN     3.85
W32/Nachi.B           3.71
W32/Sasser.B          3.71
W32/Sasser.C          3.57
W32/Gaobot.QY         3.3
Trj/Downloader.DK     3.02
Trj/Revop.A           2.88
W32/Bagle.pwdzip      2.61
W32/Netsky.C          2.61
Trj/Startpage.DI      2.47
W32/Sasser.A          2.47
Trj/Qhost.E           2.06

VIRUSES TOP 20 ACTIVITY GLOBAL

May 1 Global Stats
Virus                 % infections
W32/Sasser.A          11.08
W32/Netsky.P          8.16
W32/Nachi.B           7.33
Trj/Downloader.L      5.12
W32/Sasser.B          4.86
W32/Netsky.D          4.21
W32/Netsky.Z          3.61
Trj/Revop.F           3.28
W32/Netsky.B          2.79
W32/Gaobot.PN         2.55
Trj/Keylog.L          2.45
W32/Bagle.AB          2.43
W32/Gaobot.QP         2.31
W32/Parite.B          2.21
W32/Netsky.C          2.07
Bck/Blarul.A          1.98
Trj/Multidropper.AM   1.73
W32/Bagle.pwdzip      1.66
Trj/Downloader.DK     1.53
Trj/Siboco.A          1.43

May 2 Global Stats
Virus                 % infections
W32/Sasser.B          24.44
W32/Sasser.A          15.81
W32/Nachi.B           7.36
W32/Netsky.P          7.06
W32/Netsky.D          4.64
Trj/Downloader.L      4.57
Trj/Revop.F           2.99
W32/Netsky.B          2.63
W32/Netsky.Z          2.46
Trj/Keylog.L          2.16
W32/Parite.B          2.1
W32/Netsky.C          2.06
W32/Gaobot.QP         1.84
Bck/Blarul.A          1.71
Trj/Downloader.DK     1.56
W32/Bagle.AB          1.55
W32/Bagle.pwdzip      1.51
W32/Gaobot.PN         1.51
Trj/Multidropper.AM   1.37
Trj/Downloader.AN     1.28

May 3 Global Stats
Virus                 % infections
W32/Sasser.B          13.38
W32/Netsky.P          11.62
W32/Sasser.A          7.93
W32/Netsky.D          6.21
W32/Nachi.B           5.07
Trj/Downloader.L      4.57
W32/Netsky.B          4.2
W32/Bagle.AB          3.74
W32/Sasser.C          2.97
Trj/Revop.F           2.92
W32/Netsky.Z          2.77
W32/Netsky.C          2.48
W32/Sasser.D          2.37
W32/Bagle.pwdzip      2.21
W32/Netsky.Q          2.11
Trj/Keylog.L          2.07
Trj/Downloader.DK     1.54
W32/Parite.B          1.51
W32/Bugbear.B         1.44
W32/Mydoom.A          1.44

May 4 Global Stats
Virus                 % infections
W32/Netsky.P          11.42
W32/Sasser.B          8.24
W32/Netsky.D          6.28
W32/Sasser.A          4.93
W32/Nachi.B           4.82
W32/Netsky.B          4.81
Trj/Downloader.L      4.47
W32/Sasser.D          4.28
W32/Bagle.AB          3.8
W32/Sasser.C          3.17
Trj/Revop.F           3.03
W32/Bagle.pwdzip      2.73
W32/Netsky.C          2.31
W32/Netsky.Z          2.27
W32/Gaobot.RJ         2.27
Trj/Keylog.L          2.26
Trj/Downloader.DK     2.21
W32/Netsky.Q          2.07
W32/Gaobot.QY         1.61
W32/Bugbear.B         1.48

May 5 Global Stats
Virus                 % infections
W32/Netsky.P          12.04
Trj/Virtumonde.C      8.45
W32/Sasser.B          6.32
W32/Netsky.D          6.05
W32/Nachi.B           4.97
Trj/Downloader.L      4.77
W32/Netsky.B          4.76
W32/Bagle.AB          4.08
Trj/Briss.A           3.89
W32/Sasser.D          3.64
W32/Sasser.A          3.44
Trj/Revop.F           2.92
W32/Bagle.pwdzip      2.61
W32/Netsky.Z          2.55
W32/Netsky.Q          2.39
W32/Gaobot.RO         2.25
W32/Netsky.C          2.13
W32/Sasser.C          2.11
Trj/Downloader.DK     1.97
W32/Klez.I            1.73

May 6 Global Stats
Virus                 % infections
W32/Netsky.P          11.32
Trj/Virtumonde.C      8.31
Trj/Briss.A           6.6
W32/Netsky.D          6.16
W32/Sasser.B          5.84
W32/Nachi.B           4.7
W32/Netsky.B          4.56
Trj/Downloader.L      4.47
W32/Bagle.AB          3.66
W32/Netsky.Z          3.33
W32/Sasser.D          3.26
W32/Sasser.A          2.87
Trj/Revop.F           2.74
W32/Bagle.pwdzip      2.36
W32/Netsky.Q          2.23
W32/Netsky.C          2.19
W32/Sasser.C          2.15
W32/Gaobot.RO         1.91
Trj/Downloader.DK     1.83
W32/Bugbear.B         1.5

May 7 Global Stats
Virus                 % infections
W32/Netsky.P          8.58
Trj/Virtumonde.C      7.89
Trj/Briss.A           7.52
W32/Sasser.B          5.94
W32/Nachi.B           4.36
W32/Netsky.D          4.29
Trj/Downloader.L      4.22
Trj/Revop.F           4.06
W32/Netsky.Z          3.5
W32/Bagle.AB          3.04
W32/Gaobot.RO         2.87
W32/Netsky.B          2.84
W32/Sasser.D          2.61
W32/Sasser.C          2.51
W32/Netsky.C          2.38
W32/Sasser.A          2.34
W32/Bagle.pwdzip      2.18
Trj/Downloader.DK     2.15
Trj/Multidropper.AM   1.88
W32/Sdbot.XU          1.78

To mitigate the effects of the Sasser epidemic, Panda Software has made its PQRemove tools available to users. These applications not only disinfect computers but also restore system configurations altered by the worm. One of the PQRemove tools is specifically designed for networks, and removes Sasser and all its variants from any network that could have been affected. To access this tool please visit http://www.pandasoftware.com/support/. The other PQRemove applications can disinfect any computer attacked by any of the variants of the Sasser worms. To access these tools please visit http://www.pandasoftware.com/download/utilities/.

Users can detect and disinfect the new worm with an up-to-date antivirus, but it is important to install the Microsoft patch to ensure that Sasser doesn’t re-infect computers. The vulnerability exploited by this worm was reported by Microsoft recently in bulletin MS04-011 (http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx), along with the patch.
Panda Software has made the updates necessary to its products available to clients. Panda Software’s online support center (http://www.pandasoftware.com/support/) also offers help to users. Panda Software clients can update their antivirus through the applications installed on their computers. In addition, users can scan their computers online for free with the ActiveScan solution, available on the company web page at http://us.pandasoftware.com/activescan

More information about these and other IT threats is available from http://www.pandasoftware.com/virus_info/encyclopedia/

About PandaLabs

On receiving a possibly infected file, Panda Software’s technical staff gets right to work. The file is analyzed and, depending on the type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the detection and disinfection routines are prepared and quickly distributed to users.

For more information:
Alan Wallace
[email protected]
Tel. (818) 543-6909

Original source: panda-us-virusalert-2004-05-06-searchforsassercreator.doc