#1

I recently reformatted the hard drive on my mum's PC, which had been running WinMe, & then installed WinXP. Due to a problem with a modem driver, I only got around to getting her internet connection up today & as soon as the modem connected, I went to the YahooUK homepage from where she could have a quick look at her webmail!

Almost immediately, strange things started to happen, including freezes & Zone Alarm asking for connection permissions for executables that I didn't recognise, so I switched off the PC & rebooted. Zone Alarm asked for connection permissions for everything that I'd previously given permission to (such as the browser, etc.) along with the unrecognised programs (one of which was avserve2.exe), so I switched off again & asked her to leave it alone until I could check this out!

Upon returning home, I googled for info & am pretty sure that she has the Sasser worm in one of its various guises!

Being new to all of this PC stuff, I'm intrigued as to how she's managed to pick this up. Is it possible that she'd been infected whilst using WinMe & that the infection remained within the PC throughout the reformatting & installation of a new OS, or is it more likely that the PC was infected in the few minutes that it was connected to the internet after the installation of XP & if so, how could it have been infected from the two sites visited (Mozilla.org & YahooUK)?

I know that I'm just asking for speculation, but I'd be grateful for any feelings upon this as it'd help me in my education on computer security in general to be able to comprehend the abilities of these nasty pieces of malicious code! Thanks in advance & as always, I look forward to hearing your opinions & furthering my knowledge of these things!

Tim Lister

#2

Tim Lister wrote:
> I recently reformatted the hard drive on my mum's PC which had been
> running WinMe & then installed WinXP.
> <snip>

Having done a bit of reading up, I've come to the conclusion that the worm couldn't have been lurking somewhere on my mum's PC, as she was running WinMe, which wouldn't have had the exploit available for the worm!

Therefore, during the two minutes (at most!) that the PC was connected to the default homepage of the browser & YahooUK, my mum's PC must've been scanned (presumably at random) by an infected machine which, having discovered the "virgin" installation of WinXP without the LSASS vulnerability patched, then proceeded to download the worm by FTP! Having seen that the dial-up connection was configured properly, I then shut it down & installed Zone Alarm, which would've stopped all of this assuming that I'd realised what the programs involved were!

Is this the most feasible explanation? Is it really possible that connecting to the internet for only two minutes without a firewall could've led to this worm infection, & would the firewall have helped me prevent this? It was literally only minutes & no surfing as such was done! Vorsprung durch Technik, is all I can think of saying!!!

At least it looks as though it'll be fairly trivial to remove the infection & return my mum's PC to the fresh, trouble-free installation that I originally promised her! It amazes me how nasty & sophisticated this stuff is getting. If my analysis is correct then it appears as though you no longer need to be fooled into running dubious attachments to an e-mail or even to do any dodgy surfing!! Thanks for any opinions!

Tim Lister

#3

Are you using an anti-virus program? Do an online scan first:

Online Scanner: http://housecall.trendmicro.com

Then select an AV program if you don't have one:

http://www.wilders.org/index.htm
or
http://www.anti-virus-software-review.com/

Netuser 58

Tim Lister wrote:
> Having done a bit of reading up, I've come to the conclusion that the
> worm couldn't have been lurking somewhere on my mum's PC as she was
> running WinMe which wouldn't have had the exploit available for the
> worm!
> <snip>

#4

Tim Lister wrote:
<snip>
> Is it really possible that
> connecting to the internet for only two minutes without a firewall
> could've led to this worm infection & would the firewall have helped
> me prevent this?

Yes, being infected with Sasser can happen that fast. Just like with Blaster and Welchia, it takes no more than a minute or so, and yes, having a firewall would prevent this.

> It was literally only minutes & no surfing as such was done!
> <snip>

Here is a list of security patches to install on your mother's computer, as well as the necessary virus removal tools from Symantec. Get a firewall, any firewall, onto that system (except for XP's built-in firewall, if you can even call it a firewall). KB828741 is the patch to protect from the Blaster and Welchia worms, and KB840374 is for Sasser.

Hope this solves it; reply and let me know what happened.

--
Windows Critical Security Patches:

KB828741:
Windows XP: http://download.microsoft.com/downlo...41-x86-ENU.EXE
Windows 2000: http://download.microsoft.com/downlo...41-x86-ENU.EXE

KB840374:
Windows XP: http://download.microsoft.com/downlo...74-x86-ENU.EXE

Virus Removal Tools:

Blaster: http://securityresponse.symantec.com...r/FixBlast.exe
Welchia: http://www.symantec.com/avcenter/FixWelch.exe
Netsky: http://securityresponse.symantec.com...r/FxNetsky.exe
Sasser: http://securityresponse.symantec.com...r/FxSasser.exe

The Prophecy

#5

The Prophecy wrote:
> Yes, being infected with Sasser can happen that fast. Just like with Blaster
> and Welchia, it takes no more than a minute or so, and yes, having a
> firewall would prevent this.
> <snip>
> Hope this solves it; reply and let me know what happened.

I will let you all know how I get on, but unfortunately my mum's away for the week, so it'll be a few days before I can get onto her machine & clear up the mess that I've made! I feel a right fool, having promised her that an upgrade from WinMe to XP would really help out her PC (it was in a real state) & the first thing that I manage to do after installing the chipset drivers... catch the bloody Sasser worm!

At least I knew what it was almost immediately, as I'd read that it was the LSASS process that contained the vulnerability, so when I saw that crashing & shutting down along with all sorts of unrecognised processes asking for internet access, even a relative novice like myself managed to work out what was behind it! Thanks for the advice & I will keep you informed!

Tim Lister

#6

The Prophecy wrote:
> Here is a list of security patches to install on your mother's computer, as
> well as the necessary virus removal tools from Symantec.
> <snip>
> Hope this solves it; reply and let me know what happened.

All sorted easily thanks to the tools that you directed me to! The worm seemed to consist of an exe, a harmless txt file & a registry entry to run it on start-up, so there wasn't much to get rid of; it turned out to be the B variant, which I understand can exist on 9x installs infecting other PCs, but it couldn't crash the OS until the LSASS vulnerability was present! It's more likely to have installed itself during the modem testing after the fresh install though, as I don't see that it'd survive the format & install of the WinXP OS, although as I said, this is all new stuff to me, so I'm just guessing!

It's really reassuring to be able to ask opinions from experts though, to ensure that I was on the correct track & to give me the confidence to remove it, etc., so thanks for the advice!

Tim Lister
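Post #4 lists the two patches to install and post #6 describes what the worm left behind (the avserve2.exe process that Zone Alarm flagged, a txt file, and a Run-key entry to start it). The script below is an added example, not code from this thread or from any of its posters: it turns those observations into an offline triage pass over text you would capture on the suspect XP box (the output of `netstat -ano` and `tasklist`, a `reg export` of the HKLM Run key, and the installed hotfix list), so it can be run from a clean machine without giving the infected one any network access. The avserve2.exe name and the KB numbers come from the thread; the port numbers (5554 for the worm's FTP server, 9996 for its shell, 445 for the LSASS exploit traffic) and the avserve.exe name of the .A variant are from public Sasser write-ups and are assumptions here, as is the `netstat`/`tasklist` column layout. The sample captures are constructed.

```python
"""Offline triage for the Sasser indicators discussed in this thread, run over
text captured on the suspect box (netstat -ano, tasklist, a reg export of the
Run key, the installed hotfix list), so no network access is needed."""
import re
from dataclasses import dataclass, field

# Named in the thread: the avserve2.exe binary and its Run-key entry
# (avserve.exe, the .A variant's name, is from public write-ups, not the thread).
SUSPECT_IMAGES = {"avserve.exe", "avserve2.exe"}
# ASSUMPTION from public Sasser write-ups, not from this thread: the worm serves
# its copy over FTP on TCP 5554, opens a shell on TCP 9996, and sends the LSASS
# exploit to TCP 445.
SUSPECT_PORTS = {5554, 9996}
EXPLOIT_PORT = 445
# The two patches post #4 tells Tim to install.
REQUIRED_HOTFIXES = {"KB828741", "KB840374"}

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+):(?P<rport>\d+|\*)"
    r"\s+(?P<state>\S+)\s+(?P<pid>\d+)\s*$", re.I)
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
RUNKEY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"\s*$')
HOTFIX_RE = re.compile(r"\bKB\d{6,7}\b", re.I)


@dataclass
class Findings:
    listening: list = field(default_factory=list)    # (port, pid) on worm ports
    scanning: list = field(default_factory=list)     # (remote ip, pid) SYN_SENT to 445
    processes: list = field(default_factory=list)    # (image, pid)
    run_entries: list = field(default_factory=list)  # (value name, command)
    missing_hotfixes: set = field(default_factory=set)
    exposed_445: bool = False   # 445 listening on a non-loopback address

    @property
    def infected(self) -> bool:
        return bool(self.listening or self.scanning or self.processes or self.run_entries)


def triage(netstat: str, tasklist: str, runkey: str, hotfixes: str) -> Findings:
    f = Findings()
    for line in netstat.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        lport, pid, state = int(m["lport"]), int(m["pid"]), m["state"].upper()
        if state == "LISTENING":
            if lport in SUSPECT_PORTS:
                f.listening.append((lport, pid))
            if lport == EXPLOIT_PORT and not m["laddr"].startswith("127."):
                f.exposed_445 = True
        elif state == "SYN_SENT" and m["rport"] == str(EXPLOIT_PORT):
            # Half-open connections to 445 on assorted hosts: the worm hunting
            # for its next victim, the way it found Tim's mum's PC.
            f.scanning.append((m["raddr"], pid))
    for line in tasklist.splitlines():
        m = TASKLIST_RE.match(line)
        if m and m["image"].strip().lower() in SUSPECT_IMAGES:
            f.processes.append((m["image"].strip().lower(), int(m["pid"])))
    for line in runkey.splitlines():
        m = RUNKEY_RE.match(line)
        if m and (m["name"].lower() in SUSPECT_IMAGES
                  or any(img in m["cmd"].lower() for img in SUSPECT_IMAGES)):
            f.run_entries.append((m["name"], m["cmd"]))
    installed = {kb.upper() for kb in HOTFIX_RE.findall(hotfixes)}
    f.missing_hotfixes = REQUIRED_HOTFIXES - installed
    return f


# Constructed sample captures (not real data), in the layout XP's tools print.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING       1204
  TCP    192.168.1.10:1031      203.0.113.5:445        SYN_SENT        1204
  TCP    192.168.1.10:1032      198.51.100.77:445      SYN_SENT        1204
  TCP    192.168.1.10:1040      198.51.100.2:80        ESTABLISHED     1340
"""
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
lsass.exe                      692 Console                    0      1,204 K
avserve2.exe                  1204 Console                    0      2,112 K
"""
SAMPLE_RUNKEY = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"
'''
SAMPLE_HOTFIXES = "HotFixID\nKB823980\nKB828741\n"


def triage_samples() -> Findings:
    return triage(SAMPLE_NETSTAT, SAMPLE_TASKLIST, SAMPLE_RUNKEY, SAMPLE_HOTFIXES)


if __name__ == "__main__":
    r = triage_samples()
    print(f"infected={r.infected} listening={r.listening} scanning={r.scanning}")
    print(f"processes={r.processes} run={r.run_entries}")
    print(f"445 exposed={r.exposed_445} missing={sorted(r.missing_hotfixes)}")
```

On a real machine, save the four captures to text files (for example `netstat -ano`, `tasklist`, `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` and `wmic qfe get HotFixID`) and pass their contents to `triage()`. A box that reports nothing infected but still shows `exposed_445` with either KB missing is in the state Tim's mum's PC was in the moment the modem first connected, which is why post #4 puts the firewall first and the patches immediately after.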
|