Despite the arrest of an 18-year-old German who confessed to releasing the Sasser worm, antivirus companies discovered a fifth version of the Sasser variant. That variant, Sasser.E, attempts to warn people whose computers are vulnerable that their systems have not been patched for a widespread Microsoft Windows vulnerability exploited by the program.
While antivirus experts are not positive whether Sasser.E started spreading before or after the arrest, Microsoft said it believes that the fifth version of the worm was released four days before the teenager was arrested. A subsequent but less formidable variant appeared midweek.
Computers compromised by the Sasser worm may be vulnerable to a scavenging program that exploits a flaw in the software left behind by the worm. The worm–dubbed Dabber–has started spreading to Microsoft Windows systems but likely won’t have a large impact.
Dabber may be the first worm to attack systems, using a flaw in a previous malicious program. In this case, the File Transfer Protocol (FTP) server installed by Sasser to enable the worm to transfer itself to new hosts has a buffer overflow vulnerability. Dabber uses that security flaw to spread to the new machine.