New Sasser variant indicates copycat

The worm reappears as Sasser.F, even after the arrest of a teenager suspected of writing the original.

By Munir Kotadia
Special to CNET

A new variant of the Sasser worm has appeared, even though the worm's author was arrested in Germany last week.

Antivirus companies suspect that a copycat coder has written the new virus.

Systems infected with the Sasser worm randomly scan local networks and the Internet to look for Windows PCs that have not been updated with the latest Microsoft patch. The worm functions in a very similar way to the MSBlast worm, which caused millions of dollars in damage and disruption last summer.

A teenager suspected of writing the Sasser code has been by police in Germany. But since his arrest, two variants of the worm have been into the wild. The most recent one, Sasser.F, was first detected Tuesday.

Luis Corrons, head of antivirus company Panda's research labs, said the Sasser.F worm's source code looks like it was written by an inexperienced programmer who has slightly modified the original code but had not added any new functions or behaviors.

"Studying the evolution of Sasser, the fact that variant F does not include any new features confirms that it is the work of a different person," Corrons said.

The code and some messages hidden inside the original Sasser worm indicate its authors are , which has led many experts to question if the German teenager could be solely responsible for the Sasser outbreak.

David Kopp, head of Trend Micro's European research labs, said he doubts that the teenager in police custody could have been solely responsible for the Sasser worm because there have been around 30 of Netsky since mid-February.

"For just one guy, this is a lot of work. We are not sure that the German teenager is the real virus writer—it's more likely to be a group of virus writers," he said.

Kevin Hogan, senior manager at Symantec Security Response, said that even if there are new variants of Sasser or other malware that exploits the Windows vulnerability, such as the Cycle worm, are unlikely to cause any damage because most businesses have either applied the relevant Windows patch or are using an up-to-date antivirus application.

"The Sassers out there are not really spreading any more and the Cycle worm uses the same vulnerability as Sasser, so it has gone nowhere. People are probably patching to protect themselves against Sasser—that's why we are seeing very little of Cycle," Hogan said.

Munir Kotadia of reported from London.

Editor's Picks

Free Newsletters, In your Inbox