A worm has started spreading through the Internet using a vulnerability in a widely used component of the Windows operating system.
The worm--dubbed Sasser by antivirus firms--began spreading Friday night and seems to be moving at a moderate pace, said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team.

"We have had 25 to 50 reports from companies that have had up to a few hundred machines infected," he said. "One company wanted to patch this weekend, but the worm infected their network first."

This worm spreads by exploiting a recent vulnerability in a component of Microsoft Windows known as the Local Security Authority Subsystem Service, or LSASS. As previously reported by CNET News.com, security experts widely predicted that a worm would soon start spreading using that particular flaw.

The Sasser worm spreads from infected computer to vulnerable computer with no user intervention required. The worm scans for vulnerable systems, creates a remote connection to the system, installs a file transfer protocol (FTP) server and then downloads itself to the new host.

The worm opens up the initial connection on a specific application data channel, or port, numbered 9996. After the worm infects the new host, the FTP server listens on port 5554 for new files.

The worm uses multiple processes to scan different ranges of Internet addresses. The scans attempt to detect the vulnerable LSASS component on port 445. Microsoft has analyzed the worm and believes it also spreads through port 139. Both are data channels used by the Windows file sharing protocol and, in many cases, are blocked by Internet service providers.

A team of Microsoft engineers worked through the night to analyze the worm, said Stephen Toulouse, security program manager for the software giant.

"We are still studying the worm, but we do know customers that install the update are protected from Sasser," Toulouse said.

The worm will cause the LSASS component of Windows to crash, according to analyses. Infected systems will then perform a 60-second countdown before restarting. Microsoft has created a Web page telling customers how to manually clean up the worm.

Antivirus firms also continue to analyze the worm.
Source : http://zdnet.com.com/2100-1105-5203764.html