sasser virus (was Re: [unisog] student fees for cleaning.)

Jason Richardson a00jer1 at
Fri May 7 20:20:29 GMT 2004

Sasser was more or less a non-event for us as well (at least for
everyone but me and a couple of other people), also on a network of 8000
or so machines.  I ended up blocking 6 infected machines on our
residence hall network and they were all on the same subnet where they
probably infected each other quickly.  Ports 135-139, 445, 5554, 9996,
and 31337 are all blocked at the border, between our res hall network
and our admin network, and between our dial-ups and wireless network and
our admin network.  We also learned some valuable lessons after Blaster
and Nachi/Welchia (like not forgetting to block those ports for the
dial-ups and wireless) and I have been nagging people mercilessly since
4/13 when the latest patches came out.  Even so, we had hundreds of
unpatched machines on our network so I consider us lucky that we didn't
have a major problem.  Hopefully we'll have the same experience with the
Sasser/Netsky combo worm that I see experts predicting is coming.

Jason Richardson, J.D., CISSP, CISM, CNE5
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich at

>>> vanepp at 5/7/2004 2:49:58 PM >>>
> Additionally, rumor has it that the University Utah only had some
> ridiculously small number of sasser infections?  Anyone here from
> who can help the rest of us who had quite a larger number
> infections?
> Regards,
> -Peter
> -- 
> Peter Moody                             <peter at>
> Information Security Administrator      831/459.5409
> Communications and Technology Services. UC, Santa Cruz.
> :wq

	While I'm not from the U of Utah, sasser here was a non event.
were 5 or 7 machines hit last week sometime in one day and then 1 and 2s as
people bring in laptops or dial in from home among our 8,000+
	Ports 135, 137, 139, 445 are blocked in and out at the border
attempting to scan out is logged and whacked) is presumably the reason
we didn't see a large number of infections. 500 or so machines (and
months of recovery) from blaster may have also helped convince those 
responsible for the machines that 1) an infection will get caught and
access will be removed, and 2) the pain of 1) isn't worth it :-).
Thanks to you kind beta testers on unisog they also got several warnings that
was coming.
	Argus outside my border isn't even seeing an abnormal amount of
scanning from external sources.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada