Help please with Sasser Worm

Discussion in 'Computer Support' started by Classic 42, May 10, 2004.

  1. Classic 42

    Classic 42 Guest

    A semi-computer literate friend of mine is running Win XP Home, without a
    firewall or anti-virus program. The PC is infected with the Sasser Worm. He
    has asked me to help him remove the worm. I run Win 98(2) and am not really
    conversant with Win XP Home.
    I have downloaded and have on floppy the Symantec Sasser Fix, I also have on
    CD the MS Security Patch MS04-011.MSPX. and Zone Alarm. I can boot into safe
    mode.
    I know how to disable system restore and how to enable XP firewall, I know
    how to stop certain running processes, but do not know which ones to leave.
    Is it better to leave XP firewall enabled or disable it and install Zone
    Alarm? Step by step help would be very much appreciated in my endeavours to
    help my friend.
    Thanks in advance.
    Classic 42.
     
    Classic 42, May 10, 2004
    #1

  2. Classic 42

    Avenger© Guest

    On Mon, 10 May 2004 09:46:20 +0000 (UTC), "Classic 42"
    <> wrote:

    >A semi-computer literate friend of mine is running Win XP Home, without a
    >firewall or anti-virus program. The PC is infected with the Sasser Worm. He
    >has asked me to help him remove the worm. I run Win 98(2) and am not really
    >conversant with Win XP Home.
    >I have downloaded and have on floppy the Symantec Sasser Fix, I also have on
    >CD the MS Security Patch MS04-011.MSPX. and Zone Alarm. I can boot into safe
    >mode.
    >I know how to disable system restore and how to enable XP firewall, I know
    >how to stop certain running processes, but do not know which ones to leave.
    >Is it better to leave XP firewall enabled or disable it and install Zone
    >Alarm? Step by step help would be very much appreciated in my endeavours to
    >help my friend.
    >Thanks in advance.
    >Classic 42.


    You might want to download a copy of Stinger from here:
    http://vil.nai.com/vil/stinger/

    It not only removes Sasser, but many other viruses. Plus it will fit
    on a floppy and it's also free. Follow the directions on the Stinger
    website re turning off system restore in XP.

    IMO, ZoneAlarm is a far better firewall than XP's, as the XP firewall
    does not give any indication of which program/s are trying to access
    the internet.

    Your friend NEEDS an antivirus prog installed without question. It
    should also be updated regularly (at least daily in some cases).
    Having a computer connected to the net/email without antivirus, is
    akin to bungy jumping without the bungy attached to the ankles!!!

    HTH
    --

    "Put the CAT out to reply"
    *I DETEST Spam - A Spam Hater since 1951*
     
    Avenger©, May 10, 2004
    #2

  3. Classic 42

    Palindr☻me Guest

    Classic 42 wrote:

    > A semi-computer literate friend of mine is running Win XP Home, without a
    > firewall or anti-virus program. The PC is infected with the Sasser Worm. He
    > has asked me to help him remove the worm. I run Win 98(2) and am not really
    > conversant with Win XP Home.
    > I have downloaded and have on floppy the Symantec Sasser Fix, I also have on
    > CD the MS Security Patch MS04-011.MSPX. and Zone Alarm. I can boot into safe
    > mode.
    > I know how to disable system restore and how to enable XP firewall, I know
    > how to stop certain running processes, but do not know which ones to leave.
    > Is it better to leave XP firewall enabled or disable it and install Zone
    > Alarm? Step by step help would be very much appreciated in my endeavours to
    > help my friend.
    > Thanks in advance.
    > Classic 42.

    I suggest that you collect 24 hours worth of replies before
    you do anything :- many of the experts on this area that
    contribute to the group are scattered around the World and
    won't reply for some hours.

    In the meantime, you could do a Google search on this
    newsgroup as the subject has been aired quite a lot in
    recent days.

    Sorry I can't help more but you are one up on me - I could
    only give you theory, having not actually had a
    Sasser-infected machine to practice on.
     
    Palindr☻me, May 10, 2004
    #3
  4. Classic 42

    Parko Guest

    Classic 42 wrote:

    > A semi-computer literate friend of mine is running Win XP Home, without a
    > firewall or anti-virus program. The PC is infected with the Sasser Worm. He
    > has asked me to help him remove the worm. I run Win 98(2) and am not really
    > conversant with Win XP Home.
    > I have downloaded and have on floppy the Symantec Sasser Fix, I also have on
    > CD the MS Security Patch MS04-011.MSPX. and Zone Alarm. I can boot into safe
    > mode.
    > I know how to disable system restore and how to enable XP firewall, I know
    > how to stop certain running processes, but do not know which ones to leave.
    > Is it better to leave XP firewall enabled or disable it and install Zone
    > Alarm? Step by step help would be very much appreciated in my endeavours to
    > help my friend.
    > Thanks in advance.
    > Classic 42.

    Ask your friend if their car is left unlocked and house/flat/apartment
    open. A computer is the same. Follow the link. Easy.
    http://www.microsoft.com/security/incident/sasser.asp

    --
    Parko.
    Still undergoing a temporary lapse of sanity using Windows XP.
    Registered Linux User #339345
    Defenestrate Windows!
     
    Parko, May 10, 2004
    #4
  5. Classic 42

    Rick Merrill Guest

    Re: Help please with .. firewall

    Avenger© wrote:

    > IMO, ZoneAlarm is a far better firewall than XP's, as the XP firewall
    > does not give any indication of which program/s are trying to access
    > the internet.


    What do you think of Sygate's "personal firewall" ? (I like it.)
     
    Rick Merrill, May 10, 2004
    #5
  6. Classic 42

    slumpy Guest

    ....and seconds before the explosion, Classic 42 emerged from the bunker
    carrying the last chicken tikka masala humanity would ever see, crying:

    > A semi-computer literate friend of mine is running Win XP Home,
    > without a firewall or anti-virus program. The PC is infected with the
    > Sasser Worm. He has asked me to help him remove the worm. I run Win
    > 98(2) and am not really conversant with Win XP Home.
    > I have downloaded and have on floppy the Symantec Sasser Fix, I also
    > have on CD the MS Security Patch MS04-011.MSPX. and Zone Alarm. I can
    > boot into safe mode.
    > I know how to disable system restore and how to enable XP firewall, I
    > know how to stop certain running processes, but do not know which
    > ones to leave. Is it better to leave XP firewall enabled or disable
    > it and install Zone Alarm? Step by step help would be very much
    > appreciated in my endeavours to help my friend.
    > Thanks in advance.
    > Classic 42.


    Tell your friend to get the **** offline if it's not going to run AV
    software.

    Irresponsible assholes.
    --
    slumpy
    no more
    no less
    just me
    (cheap at twice the price...)
     
    slumpy, May 10, 2004
    #6
  7. Classic 42

    °Mike° Guest

    The Sasser worm attempts to exploit the LSASS vulnerability
    discussed in Microsoft Security Bulletin MS04-011. To kill
    the worm before proceeding, boot into Safe Mode and
    start your registry editor:
    Start / Run / regedit

    Navigate to:
    HKEY_LOCAL_MACHINE
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Run

    In the right-hand pane, look for any entry/ies that include
    AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE.

    DELETE it/them.
    These are the files associated with the different variants:
    Variant A - avserve.exe
    Variant B - avserve2.exe
    Variant C - avserve2.exe
    Variant D - skynetave.exe

    You have now disabled the worm from running at startup, so
    boot into normal mode again, and turn off ALL system restores
    to purge your system of any remnants.

    Open Windows Explorer to the
    ..\Windows\
    or
    ..\WinNT\
    folder and DELETE *any* of the files named above.

    Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
    folder and find the reference to the above file/s (any reference
    will be similar to: <filename.exe>-<alphanumerics>.PF), for
    example, avserve.exe-0235D8H6.pf, and DELETE it/them.

    Update your virus scanner and run a FULL system scan.

    Now you can download and install the patch from Microsoft.
    Microsoft Security Bulletin MS04-011
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    What You Should Know About the Sasser Worm and Its Variants
    http://www.microsoft.com/security/incident/sasser.asp

    Sasser A and Sasser B removal tool
    http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17

    Shorter link to above removal tool:
    http://makeashorterlink.com/?I14942538

    W32.Sasser.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

    W32.Sasser.B.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html

    W32.Sasser.C.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.c.worm.html

    W32.Sasser.D.Worm
    http://www.symantec.com/avcenter/venc/data/w32.sasser.d.html

    Some users have also stated that the Sasser worm removes the shutdown
    button from the Start menu. If you find this to be the case, start your
    registry editor:

    Start \ Run \ regedit

    Navigate to:

    HKEY_CURRENT_USER
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Policies
    +Explorer

    In the right-hand window, look for:
    "NoClose" with a value of 0x0000001 (1)

    If the entry exists, double-click on it, and change the
    value to 0 (zero).


    On Mon, 10 May 2004 09:46:20 +0000 (UTC), in
    <c7nj1c$mfm$>
    Classic 42 scrawled:

    >A semi-computer literate friend of mine is running Win XP Home, without a
    >firewall or anti-virus program. The PC is infected with the Sasser Worm. He
    >has asked me to help him remove the worm. I run Win 98(2) and am not really
    >conversant with Win XP Home.
    >I have downloaded and have on floppy the Symantec Sasser Fix, I also have on
    >CD the MS Security Patch MS04-011.MSPX. and Zone Alarm. I can boot into safe
    >mode.
    >I know how to disable system restore and how to enable XP firewall, I know
    >how to stop certain running processes, but do not know which ones to leave.
    >Is it better to leave XP firewall enabled or disable it and install Zone
    >Alarm? Step by step help would be very much appreciated in my endeavours to
    >help my friend.
    >Thanks in advance.
    >Classic 42.


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, May 10, 2004
    #7
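    Mike's procedure above, reduced to a read-only audit: this is an added PowerShell script, not code from the thread or from any vendor removal tool, and it only reports what it finds in the four places he names (the HKLM Run key, the Windows folder, Prefetch, and the NoClose policy). It assumes a modern PowerShell, which the XP of 2004 did not ship with, and that it is run from an elevated prompt.

    ```powershell
    # Added audit script (not from the thread): reports the Sasser indicators
    # listed in Mike's post without deleting or changing anything.
    $wormFiles = @('avserve.exe', 'avserve2.exe', 'skynetave.exe')   # variants A-D
    $findings  = @()

    # 1. Startup persistence: HKLM ...\Run values that reference a worm binary
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            foreach ($f in $wormFiles) {
                if ("$($p.Value)" -match [regex]::Escape($f)) {
                    $findings += "Run value '$($p.Name)' = $($p.Value)"
                }
            }
        }
    }

    # 2. Dropped binaries in the Windows (or WinNT) folder
    foreach ($f in $wormFiles) {
        $path = Join-Path $env:windir $f
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # 3. Prefetch traces (<name>.exe-<hash>.pf) showing the binary has actually run
    $prefetch = Join-Path $env:windir 'Prefetch'
    if (Test-Path $prefetch) {
        foreach ($f in $wormFiles) {
            Get-ChildItem -Path $prefetch -Filter "$f-*.pf" -ErrorAction SilentlyContinue |
                ForEach-Object { $findings += "Prefetch trace: $($_.FullName)" }
        }
    }

    # 4. The NoClose policy that hides the Shut Down button on the Start menu
    $polKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $noClose = (Get-ItemProperty -Path $polKey -Name NoClose -ErrorAction SilentlyContinue).NoClose
    if ($noClose -eq 1) { $findings += "NoClose=1 set under $polKey" }

    if ($findings.Count -eq 0) { 'No Sasser indicators found.' }
    else { $findings | ForEach-Object { "FOUND: $_" } }
    ```

    A clean report here still says nothing about the unpatched LSASS hole itself; the MS04-011 patch and an updated scanner remain the fix.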
  8. Classic 42

    Classic 42 Guest

    Thank you kindly Mike for your very detailed answer, but I am just not
    adventurous enough to do all you suggest. Is there not some easier way I can
    remove the worm?
    Thank you again for your reply.
    Classic
     
    Classic 42, May 10, 2004
    #8
  9. Classic 42

    °Mike° Guest

    Are you adventurous enough to open your registry
    editor, at all?


    On Mon, 10 May 2004 20:48:55 +0000 (UTC), in
    <c7oprl$mqv$>
    Classic 42 scrawled:

    >Thank you kindly Mike for your very detailed answer, but I am
    >just not adventurous enough to do all you suggest. Is there not
    >some easier way I can remove the worm?
    >Thank you again for your reply.
    >Classic


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, May 10, 2004
    #9