NEWS FROM THE LAB - Sunday, May 2, 2004

Sasser.B
Posted by Mikko @ 06:25 GMT

We're now getting reports of both Sasser.A and Sasser.B.

The B variant was also found yesterday. This is when we got the first reports of these variants:
- Sasser.A around 02:00 GMT on May 1st
- Sasser.B around 16:00 GMT on May 1st

Both are detected by current F-Secure Antivirus updates, but the most important thing right now is to get the latest patches from Microsoft.

Sasser.B is a minor variant of Sasser.A, with identical length and functionality. The binary image looks different and the dropped filename has been changed from AVSERVE.EXE to AVSERVE2.EXE. Also the logfile name is now WIN2.LOG instead of WIN.LOG.

Microsoft has posted information on the case, with step-by-step mitigation instructions: