Thursday, May 06, 2004

Sasser.D Worm Arrives, Ready to Do Damage:
"A fourth version of Sasser has the potential to cause serious slowdowns and outages; a hoax e-mail claiming to contain a fix for the worm in fact contains a version of the NetSky worm.…"

Sasser.D appeared Monday afternoon and is similar to the previous three versions in most respects. The main difference in the new variant is that it uses ICMP echo requests, also known as pings, to look for other machines to infect. The Nachi worm of last summer had the same capability and, on networks with a number of vulnerable machines, the worm caused severe congestion.

The new Sasser variant could cause the same problems, experts warn. And, Sasser.D can scan multicast addresses, which has led to it causing some destabilization of routers that handle multicast traffic, analysts at The SANS Institute in Bethesda, Md., said.

Sasser.D also uses a different name for the file it leaves on infected PCs: Skynetave.exe. And it creates a remote shell on TCP port 9995, instead of 9996, which is used by the other three variants.
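The network behaviour described above (ICMP echo sweeps, pings to multicast addresses, and the remote shell on TCP 9995 or 9996) can be turned into a simple flow-log check. The following is an added example, not part of the quoted article; the log format, the sample records and the sweep threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Remote-shell ports named in the article.
SHELL_PORTS = {9995: "Sasser.D", 9996: "earlier Sasser variants"}
SWEEP_THRESHOLD = 5  # assumed: distinct ping targets before a host is flagged

# Constructed flow records (hypothetical format): src dst proto dport-or-icmp-type
SAMPLE_FLOWS = """\
10.0.0.7 10.0.1.1 icmp 8
10.0.0.7 10.0.1.2 icmp 8
10.0.0.7 10.0.1.3 icmp 8
10.0.0.7 10.0.1.4 icmp 8
10.0.0.7 10.0.1.5 icmp 8
10.0.0.7 224.0.0.1 icmp 8
10.0.0.7 10.0.1.3 tcp 9995
10.0.0.9 10.0.0.1 icmp 8
10.0.0.9 10.0.0.20 tcp 443
garbage line here
"""

def parse(text):
    """Yield (src, dst_ip, proto, number) and skip malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, num = parts
        try:
            ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        yield src, dst_ip, proto.lower(), int(num)

def detect(text, threshold=SWEEP_THRESHOLD):
    """Return (kind, source, detail) alerts for the behaviours in the article."""
    ping_targets = defaultdict(set)
    alerts = []
    for src, dst, proto, num in parse(text):
        if proto == "icmp" and num == 8:  # ICMP type 8 is an echo request
            ping_targets[src].add(dst)
            if dst.is_multicast:
                alerts.append(("multicast-ping", src, str(dst)))
        elif proto == "tcp" and num in SHELL_PORTS:
            alerts.append(("shell-port", src, f"{dst}:{num} ({SHELL_PORTS[num]})"))
    for src, targets in sorted(ping_targets.items()):
        if len(targets) >= threshold:
            alerts.append(("ping-sweep", src, f"{len(targets)} targets"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

A ping sweep alone is not specific to Sasser.D (the article notes Nachi did the same, and monitoring tools ping widely too), so the port 9995 hit is the stronger signal.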

In addition to the new variant, there also is a hoax e-mail circulating that claims to contain a fix for Sasser. The message actually contains a new version of the NetSky worm.

http://www.eweek.com/article2/0,1759,1584121,00.asp?kc=ewnws050404dtx1k0000599
