As the Sasser worm rolled across the Internet Monday, users scrambled to patch systems and clean up infected machines.
The first chore is to install a firewall if one isn't already present on the network or an individual PC. Like the MSBlast worm of last summer, Sasser infects systems without any human intervention, can spot a vulnerable machine quickly while it's online, and can cause the machine to constantly reboot, making it difficult to retrieve the fix.
The long-term defense against Sasser, said security analysts, is to apply the patch against the LSASS vulnerability on Windows XP, Windows 2000, and Windows Server 2003 systems. (But as noted last week, the patch is itself flawed, and can make some Windows 2000 machines to crash at startup; Microsoft has yet to deploy a patched patch.)
Microsoft first released the patch for the LSASS vulnerability April 13 as part of its monthly round of security alerts. The patch can be retrieved using the Windows Update service, or downloaded directly from the Security Bulletin MS04-011.
Users can also filter traffic targeting UDP ports 135, 137, 138, and 445, as well as TCP ports 135, 139, 445, 593, and any ports above 1024, said Symantec in its analysis and advisory for Sasser. Companies should also monitor incoming traffic for packets targeting TCP port 9996 -- the port an infected machine uses to await a connection from the attacker -- and outgoing traffic destined for TCP port 5554, which is the port used by the FTP server that Sasser installs on compromised systems.