Microsoft Joins Law Enforcement to Track Perpetrators of Emerging Worm Attacks against Computer Users

REDMOND, Wash., May 2, 2004 — A recent increase in malicious activity on the Internet, including the development of attack tools and exploit code, has resulted in an automated attack against computer users in the form of a worm identified as
“W32.Sasser.worm”
(
“Sasser”
). Through this worm, the attacker is attempting to exploit systems that are not protected against the Local Security Authority Subsystem Service (LSASS) vulnerability, which is mitigated by the use of a firewall and fixed in Microsoft Security Update MS04-011 on April 13, 2004. There is additional malicious activity in the form of variants of a worm known as
“Agobot”
(or
“Agrobot”
), which similarly seeks to exploit systems not protected by a firewall or the installation of MS04-011.

Microsoft is working closely with law enforcement authorities, including the Northwest CyberCrime Taskforce, a joint effort between the FBI and U.S. Secret Service, to forensically analyze the malicious code in Sasser and Agobot, to identify and bring to justice those responsible for this malicious activity. The investigation is ongoing, and questions about the investigation should be referred to the Northwest CyberCrime Taskforce.

At the same time, Microsoft is working closely with the anti-virus community and other industry partners to help protect our customers. Customers using a firewall– including the firewall in Windows XP, as well as third-party hardware or software firewalls — are generally protected against the Sasser and Agobot threats. Customers can protect against these attacks by first ensuring that their firewall is in place, and then installing Microsoft Security update MS04-011 immediately. The MS04-011 security bulletin is available as a free download at www.microsoft.com./technet/security/bulletin/ms04-011.mspx or users can use Windows Update to access the latest security update.

In addition, Microsoft has made a no-cost, software-based cleaner tool available that customers can use to automatically remove the Sasser worm from infected PCs after deploying the security update. The tool is available at www.microsoft.com/security/incident/sasser.asp .

Tens of millions of customers who have followed the steps on www.microsoft.com/protect to enable Automatic Updates should already be protected against these emerging threats, as they should have received MS04-011 automatically. Microsoft continues to recommend that all customers visit www.microsoft.com/protect to take three key steps to protect their PCs. These include:

  • Use an Internet Firewall on all PCs and Laptops: An Internet firewall can help prevent outsiders from getting to your computer through the Internet. If you use Microsoft Windows XP, enable the built-in firewall.

  • Update Your Computer: Windows includes the automatic updates feature (Windows Update) which can automatically download the latest Microsoft security updates. Windows 98 SE and Windows ME can be updated from windowsupdate.microsoft.com.

  • Use Up-to-Date Antivirus Software: Installing, configuring and maintaining antivirus protection is absolutely essential.

About Microsoft

Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.

Microsoft, Windows, Windows XP, Windows 98 and Windows ME are registered trademarks of Microsoft Corp. in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information pages. Web links, telephone numbers and titles were correct at time of publication, but may since have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://www.microsoft.com/presspass/contactpr.asp .

Related Posts