Malicious attackers seek to exploit unprotected computer systems
Microsoft Press Release
Wash., May 2, 2004 -- A recent increase in malicious activity
on the Internet, including the development
tools and exploit code, has resulted in an automated attack
against computer users in the form of a worm identified as "W32.Sasser.worm" ("Sasser").
Through this worm, the attacker is attempting to exploit systems
that are not protected against the Local Security Authority
Subsystem Service (LSASS) vulnerability, which is mitigated
by the use of a firewall and fixed in Microsoft Security Update
MS04-011 on April 13, 2004. There is additional malicious activity
in the form of variants of a worm known as "Agobot" (or "Agrobot"),
which similarly seeks to exploit systems not protected by
a firewall or the installation of MS04-011.
Microsoft is working closely with law enforcement authorities,
including the Northwest CyberCrime Taskforce, a joint effort
between the FBI and U.S. Secret Service, to forensically analyze
the malicious code in Sasser and Agobot, to identify and bring
to justice those responsible for this malicious activity. The
investigation is ongoing, and questions about the investigation
should be referred to the Northwest CyberCrime Taskforce.
At the same time, Microsoft is working closely
with the anti-virus community and other industry partners
to help protect our customers.
Customers using a firewall-- including the firewall in Windows
XP, as well as third-party hardware or software firewalls --
are generally protected against the Sasser and Agobot threats.
Customers can protect against these attacks by first ensuring
that their firewall is in place, and then installing Microsoft
Security update MS04-011 immediately. The MS04-011 security
bulletin is available as a free download at http://www.microsoft.com./technet/security/bulletin/ms04-011.mspx or
users can use Windows Update to access the latest security
In addition, Microsoft has made a no-cost,
software-based cleaner tool available that customers can
use to automatically
remove the Sasser worm from infected PCs after deploying the
security update. The tool is available at http://www.microsoft.com/security/incident/sasser.asp.
Tens of millions of customers who have followed
the steps on http://www.microsoft.com/protect to enable Automatic
already be protected against these emerging threats, as they
should have received MS04-011 automatically. Microsoft continues
to recommend that all customers visit www.microsoft.com/protect
to take three key steps to protect their PCs.