First detected over the weekend, the worm on Tuesday had already infected, by some estimates, over one million PCs and knocked out computer systems at banks, transport reservation systems and at European Commission offices.
Unlike previous Internet worms, Sasser infects vulnerable PCs without any action by the user like opening attachments, allowing it to spread very quickly.
Home users would likely first notice an infection if their computer mysteriously rebooted or their Internet connection slowed dramatically.
Because of its nature, security experts were warning users to update their PCs with the latest Microsoft patches and install a firewall to keep out future infections.
With businesses throughout parts of Europe returning from the long holiday weekend on Tuesday, anti-virus technicians were expecting a new wave of infections.
“It’s still going steady. It will be a big problem for a day or two, then it will linger on the Internet for weeks, and likely years,” said Mikko Hypponen, Anti-Virus Research Director at Finnish data security firm F-Secure.
Because Sasser seeks out infectable computers automatically and does not use e-mail to spread, experts said personal machines may be most vulnerable.
Security experts are analysing the worm to determine where Sasser might hit next.
“It’s still going steady. It will be a big problem for a day or two, then it will linger on the Internet for weeks, and likely years”
“We don’t know yet, for example, if it attacks machines running on Windows XP Embedded, which runs ATM machines and cash registers. That would be disastrous for banks and retailers,” said Raimund Genes, European president of security software firm Trend Micro.
In the space of three days, four variants have emerged, each capable of causing machines that run on Microsoft’s Windows operating systems XP, NT and 2000 to reboot without warning and knocking out some computer reservation systems.
Victims include Goldman Sachs, Australia‘s Westpac Bank and Finnish financial company Sampo.
US carrier Delta Air Lines also suffered a computer glitch on Saturday, causing delays and cancellations, but the company was unsure whether Sasser was the culprit.
Sasser attacks an exploit in Windows known as the Local Security Authority Subsystem Service, or LSASS, which had been targeted in a Microsoft security update released on 13 April.
F-Secure’s Hypponen said the emergence of a related e-mail virus on Monday called Netsky.AC may hold clues to the authorship of Sasser. Netsky.AC carries an attachment purporting to fix Sasser infections.
Since spotting Netsky.AC, Hypponen and other security officials suspect Sasser was programmed by a group believed to be based in Russia calling itself the “Skynet anti-virus group”.
A link on Microsoft’s home page instructs users to make sure that they have installed a protective firewall, updated Windows to close the security loophole the worm exploits and then remove the worm from their hard drives.