Velocity Reviews - Computer Hardware Reviews

Quick Sasser virus test?

 
 
Ionizer
 
      05-04-2004
"Murgi" <(E-Mail Removed)-net.ne.jp> wrote in message
news:(E-Mail Removed) senet.com...
> Is there a URL where I can quickly check whether one of my computers is
> afflicted with the Sasser worm? 2 of my machines have become slow...
> I use anti-virus software and a firewall, however.


Run the Symantec removal tool:
http://securityresponse.symantec.com...oval.tool.html

--
Ian.


 
 
 
 
 
Murgi
 
      05-04-2004
Is there a URL where I can quickly check whether one of my computers is
afflicted with the Sasser worm? 2 of my machines have become slow...
I use anti-virus software and a firewall, however.


Murgi


 
 
 
 
 
Palindr☻me
 
      05-04-2004
Murgi wrote:

> Is there a URL where I can quickly check whether one of my computers is
> afflicted with the Sasser worm? 2 of my machines have become slow...
> I use anti-virus software and a firewall, however.
>
>
> Murgi
>
>

http://www.microsoft.com/security/incident/sasser.asp
Hope it doesn't help - if you know what I mean
 
 
°Mike°
 
      05-04-2004
The Sasser worm attempts to exploit the LSASS vulnerability
discussed in Microsoft Security Bulletin MS04-011. To kill
the worm before proceeding, boot into Safe Mode and
start your registry editor:
Start / Run / regedit

Navigate to:
HKEY_LOCAL_MACHINE
+Software
+Microsoft
+Windows
+CurrentVersion
+Run

In the right-hand pane, look for any entry/ies that include
AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE .

DELETE it/them.
These are the files associated with the different variants:
Variant A - avserve.exe
Variant B - avserve2.exe
Variant C - avserve2.exe
Variant D - skynetave.exe

You have now disabled the worm from running at startup, so
boot into normal mode again, and turn off ALL system restores
to purge your system of any remnants.

Open Windows Explorer to the
..\Windows\
or
..\WinNT\
folder and DELETE *any* of the files named above.

Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
folder and find the reference to the above file/s (any reference
will be similar to: <filename.exe>-<alphanumerics>.PF), for
example, avserve.exe-0235D8H6.pf, and DELETE it/them.

Update your virus scanner and run a FULL system scan.

Now you can download and install the patch from Microsoft.
Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/sec.../MS04-011.mspx

What You Should Know About the Sasser Worm and Its Variants
http://www.microsoft.com/security/incident/sasser.asp

Sasser A and Sasser B removal tool
http://www.microsoft.com/downloads/d...4-9fa42d14cc17

Shorter link to above removal tool:
http://makeashorterlink.com/?I14942538

W32.Sasser.Worm
http://www.sarc.com/avcenter/venc/da...sser.worm.html

W32.Sasser.B.Worm
http://www.sarc.com/avcenter/venc/da...er.b.worm.html

W32.Sasser.C.Worm
http://www.sarc.com/avcenter/venc/da...er.c.worm.html

W32.Sasser.D.Worm
http://www.symantec.com/avcenter/ven....sasser.d.html

Some users have also stated that the Sasser worm removes the shutdown
button from the Start menu. If you find this to be the case, start your
registry editor:

Start \ Run \ regedit

Navigate to:

HKEY_CURRENT_USER
+Software
+Microsoft
+Windows
+CurrentVersion
+Policies
+Explorer

In the right-hand window, look for:
"NoClose" with a value of 0x0000001 (1)

If the entry exists, double-click on it, and change the
value to 0 (zero).


On Tue, 04 May 2004 22:48:32 GMT, in
<(E-Mail Removed) t.com>
Murgi scrawled:

>Is there a URL where I can quickly check whether one of my computers is
>afflicted with the Sasser worm? 2 of my machines have become slow...
>I use anti-virus software and a firewall, however.
>
>
>Murgi
>


--
Basic computer maintenance
http://uk.geocities.com/personel44/maintenance.html
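The checks in the post above (Run-key entries naming avserve.exe, avserve2.exe or skynetave.exe; matching Prefetch files; the NoClose policy that hides the Shutdown button) can be run against an exported copy of the registry rather than by eyeballing regedit. The script below is an added example, not code from the thread or from Microsoft/Symantec; SAMPLE_REG and SAMPLE_PREFETCH are constructed inputs standing in for a `regedit /e` export and a directory listing of ..\Windows\Prefetch\, and the value name "avserve.exe" in the sample is assumed for illustration.

```python
"""Offline check for the Sasser indicators named in the post: Run-key
entries for avserve.exe / avserve2.exe / skynetave.exe, matching Prefetch
files, and the NoClose policy that hides the Shutdown button.
Added example, not code from the thread; SAMPLE_REG and SAMPLE_PREFETCH
are constructed inputs."""
import re

# Autorun file names the post lists for variants A-D.
SASSER_FILES = ("avserve.exe", "avserve2.exe", "skynetave.exe")

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_POLICY_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
)

# Prefetch entries look like <filename.exe>-<alphanumerics>.pf, as the post says.
PREFETCH_RE = re.compile(r"^(?P<exe>.+?\.exe)-[0-9A-Z]+\.pf$", re.IGNORECASE)


def parse_reg_export(text):
    """Parse a .reg export into {key (lower-cased): {value_name: data}}.

    Only quoted string data and dword:XXXXXXXX data are decoded, which is
    all these checks need; other value types are kept as raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            # .reg files escape quotes and backslashes inside string data.
            value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            value = data
        keys[current][name] = value
    return keys


def find_sasser_autoruns(reg):
    """Return (value_name, data) pairs under the HKLM Run key that reference a Sasser file."""
    hits = []
    for name, data in reg.get(RUN_KEY.lower(), {}).items():
        if isinstance(data, str) and any(f in data.lower() for f in SASSER_FILES):
            hits.append((name, data))
    return hits


def find_sasser_prefetch(filenames):
    """Return Prefetch file names whose embedded executable name is a Sasser file."""
    hits = []
    for fn in filenames:
        m = PREFETCH_RE.match(fn)
        if m and m.group("exe").lower() in SASSER_FILES:
            hits.append(fn)
    return hits


def shutdown_button_hidden(reg):
    """True when Explorer's NoClose policy is set to 1, as the post describes."""
    return reg.get(EXPLORER_POLICY_KEY.lower(), {}).get("NoClose") == 1


# Constructed sample export: one benign Run entry, one Sasser.A-style entry
# (value name assumed for illustration), and the NoClose policy set.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"avserve.exe"="C:\\WINDOWS\\avserve.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoClose"=dword:00000001
'''

# Constructed Prefetch listing; the last entry mirrors the post's example name.
SAMPLE_PREFETCH = ["NTOSBOOT-B00DFAAD.pf", "NOTEPAD.EXE-336351A9.pf", "AVSERVE.EXE-0235D8H6.pf"]


def report(reg_text, prefetch_names):
    """Summarise all three checks for one machine."""
    reg = parse_reg_export(reg_text)
    return {
        "autoruns": find_sasser_autoruns(reg),
        "prefetch": find_sasser_prefetch(prefetch_names),
        "shutdown_hidden": shutdown_button_hidden(reg),
    }


if __name__ == "__main__":
    for check, result in report(SAMPLE_REG, SAMPLE_PREFETCH).items():
        print(f"{check}: {result}")
```

On a real machine, export the two keys with `regedit /e` and open the file with `encoding="utf-16"` (regedit writes UTF-16LE) before passing the text to `report()`; the Prefetch names come from `os.listdir` on the Prefetch folder. A hit in `autoruns` or `prefetch` is only an indicator: confirm with the updated scanner's full scan the post calls for before deleting anything.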
 
 
Stickems
 
      05-05-2004
Surely a restore would remove this worm?

"°Mike°" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> The Sasser worm attempts to exploit the LSASS vulnerability
> discussed in Microsoft Security Bulletin MS04-011. To kill
> the worm before proceeding, boot into Safe Mode and
> start your registry editor:
> Start / Run / regedit
>
> Navigate to:
> HKEY_LOCAL_MACHINE
> +Software
> +Microsoft
> +Windows
> +CurrentVersion
> +Run
>
> In the right-hand pane, look for any entry/ies that include
> AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE .
>
> DELETE it/them.
> These are the files associated with the different variants:
> Variant A - avserve.exe
> Variant B - avserve2.exe
> Variant C - avserve2.exe
> Variant D - skynetave.exe
>
> You have now disabled the worm from running at startup, so
> boot into normal mode again, and turn off ALL system restores
> to purge your system of any remnants.
>
> Open Windows Explorer to the
> ..\Windows\
> or
> ..\WinNT\
> folder and DELETE *any* of the files named above.
>
> Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
> folder and find the reference to the above file/s (any reference
> will be similar to: <filename.exe>-<alphanumerics>.PF), for
> example, avserve.exe-0235D8H6.pf, and DELETE it/them.
>
> Update your virus scanner and run a FULL system scan.
>
> Now you can download and install the patch from Microsoft.
> Microsoft Security Bulletin MS04-011
> http://www.microsoft.com/technet/sec.../MS04-011.mspx
>
> What You Should Know About the Sasser Worm and Its Variants
> http://www.microsoft.com/security/incident/sasser.asp
>
> Sasser A and Sasser B removal tool
> http://www.microsoft.com/downloads/d...4-9fa42d14cc17
>
> Shorter link to above removal tool:
> http://makeashorterlink.com/?I14942538
>
> W32.Sasser.Worm
> http://www.sarc.com/avcenter/venc/da...sser.worm.html
>
> W32.Sasser.B.Worm
> http://www.sarc.com/avcenter/venc/da...er.b.worm.html
>
> W32.Sasser.C.Worm
> http://www.sarc.com/avcenter/venc/da...er.c.worm.html
>
> W32.Sasser.D.Worm
> http://www.symantec.com/avcenter/ven....sasser.d.html
>
> Some users have also stated that the Sasser worm removes the shutdown
> button from the Start menu. If you find this to be the case, start your
> registry editor:
>
> Start \ Run \ regedit
>
> Navigate to:
>
> HKEY_CURRENT_USER
> +Software
> +Microsoft
> +Windows
> +CurrentVersion
> +Policies
> +Explorer
>
> In the right-hand window, look for:
> "NoClose" with a value of 0x0000001 (1)
>
> If the entry exists, double-click on it, and change the
> value to 0 (zero).
>
>
> On Tue, 04 May 2004 22:48:32 GMT, in
> <(E-Mail Removed) t.com>
> Murgi scrawled:
>
> >Is there a URL where I can quickly check whether one of my computers is
> >afflicted with the Sasser worm? 2 of my machines have become slow...
> >I use anti-virus software and a firewall, however.
> >
> >
> >Murgi
> >
>
> --
> Basic computer maintenance
> http://uk.geocities.com/personel44/maintenance.html



 
 
dark elf
 
      05-05-2004

"Stickems" <(E-Mail Removed)> wrote in message
news:cL3mc.22$(E-Mail Removed)...
> Surely a restore would remove this worm?

Yeah, but the only way to actually prevent it from infecting your system
again is to download the security patch provided through Microsoft. The
only people that are getting hit with this are people who don't load their
critical updates for Windows. Microsoft had the patch on their website long
before the virus actually hit the 'net.


 
 
°Mike°
 
      05-05-2004
Not necessarily. A restore only replaces system
files, and a restore, in itself, may be infected.
That is NOT the way to go.


On Wed, 5 May 2004 11:56:14 +0100, in
<cL3mc.22$(E-Mail Removed)>
Stickems scrawled:

>Surely a restore would remove this worm?
>
>"°Mike°" <(E-Mail Removed)> wrote in message
>news:(E-Mail Removed)...
>> The Sasser worm attempts to exploit the LSASS vulnerability


<snip>

--
Basic computer maintenance
http://uk.geocities.com/personel44/maintenance.html
 
 
Brad
 
      05-10-2004
"dark elf" <evil.hades(BLAH)@charter.net> wrote in message news:<(E-Mail Removed)>...
> "Stickems" <(E-Mail Removed)> wrote in message
> news:cL3mc.22$(E-Mail Removed)...
> > Surely a restore would remove this worm?
>
> Yeah, but the only way to actually prevent it from infecting your system
> again is to download the security patch provided through Microsoft. The
> only people that are getting hit with this are people who don't load their
> critical updates for Windows. Microsoft had the patch on their website long
> before the virus actually hit the 'net.


Great idea but one problem. Of the 300 HP laptops we have in the field
200 are a particular model. When the security patch KB835732 is
applied that system 'hangs' when it is rebooted. We have acquired and
applied hot fix KB841382 it also causes those models to hang on
reboot. So we either have a system that won't reboot, or a system that
reboots after being connected to the Internet for between 5 minutes
and 3+ hours. HP says it is a Microsoft issue and Microsoft has
suggested that we block port 445. Anyone know how to do this on a
dial-up?
Back to the original subject, in order to test whatever suggestion
that MS or HP come up with it would help a lot to have a way to test
it immediately instead of waiting for 3 hours and guessing that it
must be fixed.
Thanks!
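Brad's situation (machines that cannot yet take the MS04-011 patch, with Microsoft advising a block on port 445) raises the question of how to verify quickly that the block is actually in effect. The script below is an added example, not from the thread; it performs a plain TCP connect to the port and reports whether the connection completes. The listener in `demo()` is a constructed stand-in on an ephemeral loopback port so the check can be exercised offline without touching 445.

```python
"""Reachability check for TCP/445, to confirm a port block is in effect.
Added example, not from the thread; the listener in demo() is a
constructed stand-in so the check can be exercised offline."""
import socket


def port_accepts_connections(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A refused connection, a timeout (typical of a firewall that drops
    rather than rejects) and an unreachable host all count as False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smb_port_state(host, port=445, timeout=2.0):
    """Human-readable verdict for the port the thread is concerned with."""
    if port_accepts_connections(host, port, timeout):
        return "accepting connections"
    return "blocked or closed"


def demo():
    """Exercise the check against a constructed loopback listener, then
    against the same port after the listener has been closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, not 445, so no privileges are needed
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_open = port_accepts_connections("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    after_close = port_accepts_connections("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    print("demo (while open, after close):", demo())
    print("local TCP/445:", smb_port_state("127.0.0.1"))
```

A loopback probe only tells you whether something is listening on the machine itself; host firewalls commonly do not filter loopback. To confirm the dial-up interface is filtered, run `smb_port_state()` from a second machine against the laptop's address while it is connected: "blocked or closed" there, with the service still listening locally, is the result you want.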
 