At least two new versions of a malicious computer worm that appeared late Friday were circulating on the Internet Monday, according to computer security experts and anti-virus software companies.

New variations of the Sasser Internet worm, named Sasser.B and Sasser.C were identified by anti-virus companies, just days after the first version of the new worm appeared. Despite the new versions, anti-virus experts said that Sasser outbreak has likely peaked, and expected the rate of new infections to slow on Monday.

Sasser exploits a recently disclosed hole in a component of Microsoft's Windows operating system called the Local Security Authority Subsystem Service, or LSASS. Microsoft released a software patch, MS04-011, on April 13.

Sasser is similar to an earlier worm, Blaster, because users do not need to receive an e-mail message or open a file to be infected. Instead, just having a vulnerable Windows machine connected to the Internet with communications port number 445 is enough to catch Sasser.

After appearing Friday, the worm spread quickly around the world, and may have infected a few hundred thousand machines, said Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center, which monitors malicious activity on the Internet.

Given the large number of vulnerable computers that have been infected by Sasser, a Windows machine connected to the Internet could be infected in as little as two minutes, said Graham Cluley, senior technology consultant at anti-virus company Sophos.

Early versions of the worm spread slowly, however, especially compared to the rapid proliferation of Blaster, which appeared in August and peaked just hours after its release, Cluley and Ullrich said.

By comparison, Sasser.A contained features that prevented it from rapidly scanning the Internet for other vulnerable hosts and at first appeared to be a low-level threat. However, new versions of the worm that appeared over the weekend, especially Sasser.C, improved on failures in Sasser.A, allowing infected machines to scan for many more infected hosts, Ullrich said.

Sasser's spread was also slowed because it relied on port 445, which has long been a target of malicious threats, such as Agobot, a prolific Trojan program. As a result, many companies blocked access to port 445 long before Sasser appeared, Joe Stewart, senior security researcher at LURHQ, a managed security services provider in Myrtle Beach, S.C.

The IDG News Service is a Network World affiliate.