New Sasser variant indicates copycat script kiddie

A new variant of the Sasser worm has appeared, even though the worm's author was arrested in Germany last week. Antivirus companies suspect that the new virus has been written by a copycat script kiddie.

Systems infected with the Sasser worm randomly scan local networks and the Internet to look for Windows PCs that have not been updated with the latest Microsoft patch. The worm functions in a very similar way to the MSBlast worm, which caused millions of pounds of damage and disruption last summer.

A teenager suspected of writing the Sasser code was recently arrested by police in Germany, but since his arrest two variants of the worm have been released into the wild -- the most recent one, Sasser.F, was first detected on Tuesday.

Luis Corrons, head of antivirus firm Panda's research labs, said the Sassr.F worm's source code looks like it was written by an inexperienced programmer who has slightly modified the original code but had not added any new functions or behaviours.

"Studying the evolution of Sasser, the fact that variant F does not include any new features confirms that it is the work of a different person," Corrons said.

Sasser's code and some messages hidden inside the worm indicate its authors are closely linked with the Netsky virus, which has led many experts to question if the German teenager could be solely responsible for the Sasser outbreak.

David Kopp, head of Trend Micro's EMEA research labs, said he doubted that the teenager in police custody could have been solely responsible for the Sasser worm because there have been around 30 variants of Netsky since mid-February.

"For just one guy, this is a lot of work. We are not sure that the German teenager is the real virus writer, it's more likely to be a group of virus writers," he said.

Kevin Hogan, senior manager at Symantec Security Response, said that even if there are new variants of Sasser or other malware that exploits the Windows LSASS vulnerability, such as the Cycle worm, are unlikely to cause any damage because most businesses have either applied the relevant Windows patch or are using an up-to-date antivirus application.

"The Sassers out there are not really spreading any more and the Cycle worm uses the same vulnerability as Sasser, so it has gone nowhere. People are probably patching to protect themselves against Sasser -- that's why we are seeing very little of Cycle," said Hogan.