Quick Sasser virus test?

Discussion in 'Computer Support' started by Ionizer, May 4, 2004.

  1. Ionizer

    Ionizer Guest

    Ionizer, May 4, 2004
    #1

  2. Ionizer

    Murgi Guest

    Is there a URL where I can quickly check whether one of my computers is
    afflicted with the Sasser worm? 2 of my machines have become slow...
    I use anti virus software and a firewall, however.


    Murgi
    Murgi, May 4, 2004
    #2

  3. Murgi wrote:

    > Is there a URL where I can quickly check whether one of my computers is
    > afflicted with the Sasser worm? 2 of my machines have become slow...
    > I use anti virus software and a firewall, however.
    >
    >
    > Murgi
    >
    >

    http://www.microsoft.com/security/incident/sasser.asp
    Hope it doesn't help - if you know what I mean :)
    Palindr☻me, May 4, 2004
    #3
  4. Ionizer

    °Mike° Guest

    The Sasser worm attempts to exploit the LSASS vulnerability
    discussed in Microsoft Security Bulletin MS04-011. To kill
    the worm before proceeding, boot into Safe Mode and
    start your registry editor:
    Start / Run / regedit

    Navigate to:
    HKEY_LOCAL_MACHINE
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Run

    In the right-hand pane, look for any entry/ies that include
    AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE .

    DELETE it/them.
    These are the files associated with the different variants:
    Variant A - avserve.exe
    Variant B - avserve2.exe
    Variant C - avserve2.exe
    Variant D - skynetave.exe

    You have now disabled the worm from running at startup, so
    boot into normal mode again, and turn off ALL system restores
    to purge your system of any remnants.

    Open Windows Explorer to the
    ..\Windows\
    or
    ..\WinNT\
    folder and DELETE *any* of the files named above.

    Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
    folder and find the reference to the above file/s (any reference
    will be similar to: <filename.exe>-<alphanumerics>.PF), for
    example, avserve.exe-0235D8H6.pf, and DELETE it/them.

    Update your virus scanner and run a FULL system scan.

    Now you can download and install the patch from Microsoft.
    Microsoft Security Bulletin MS04-011
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    What You Should Know About the Sasser Worm and Its Variants
    http://www.microsoft.com/security/incident/sasser.asp

    Sasser A and Sasser B removal tool
    http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17

    Shorter link to above removal tool:
    http://makeashorterlink.com/?I14942538

    W32.Sasser.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

    W32.Sasser.B.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html

    W32.Sasser.C.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.c.worm.html

    W32.Sasser.D.Worm
    http://www.symantec.com/avcenter/venc/data/w32.sasser.d.html

    Some users have also stated that the Sasser worm removes the shutdown
    button from the Start menu. If you find this to be the case, start your
    registry editor:

    Start \ Run \ regedit

    Navigate to:

    HKEY_CURRENT_USER
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Policies
    +Explorer

    In the right-hand window, look for:
    "NoClose" with a value of 0x0000001 (1)

    If the entry exists, double-click on it, and change the
    value to 0 (zero).


    On Tue, 04 May 2004 22:48:32 GMT, in
    <>
    Murgi scrawled:

    >Is there a URL where I can quickly check whether one of my computers is
    >afflicted with the Sasser worm? 2 of my machines have become slow...
    >I use anti virus software and a firewall, however.
    >
    >
    >Murgi
    >


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, May 4, 2004
    #4
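
The checks from the post above, gathered into one read-only script. This is an added example, not part of the original thread: it reports the Run-key values, files, Prefetch entries and `NoClose` policy that the post names and deletes nothing. It assumes an elevated PowerShell prompt (needed to read the Prefetch folder).

```powershell
# Added example: read-only check for the Sasser artefacts listed in post #4.
# Nothing is deleted or changed; matches are only reported.
$names = 'avserve.exe', 'avserve2.exe', 'skynetave.exe'   # variants A-D per the post
$findings = @()

function New-Finding([string]$Check, [string]$Item) {
    New-Object PSObject -Property @{ Check = $Check; Item = $Item }
}

# 1. Autostart values under HKLM\...\Run whose data mentions one of the names
$runKey = Get-Item -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($valueName in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($valueName)
        foreach ($n in $names) {
            if ($data -like "*$n*") {
                $findings += New-Finding 'Run key' "$valueName = $data"
            }
        }
    }
}

# 2. Dropped executables in the Windows directory (%SystemRoot% covers \Windows and \WinNT)
# 3. Matching Prefetch entries of the form <filename.exe>-<alphanumerics>.pf
$prefetch = Join-Path $env:SystemRoot 'Prefetch'
foreach ($n in $names) {
    $exe = Join-Path $env:SystemRoot $n
    if (Test-Path -LiteralPath $exe) { $findings += New-Finding 'File' $exe }
    foreach ($pf in @(Get-ChildItem -Path $prefetch -Filter "$n-*.pf" -ErrorAction SilentlyContinue)) {
        $findings += New-Finding 'Prefetch' $pf.FullName
    }
}

# 4. Shutdown button hidden: NoClose = 1 under the current user's Explorer policies
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy = Get-ItemProperty -Path $policyKey -Name NoClose -ErrorAction SilentlyContinue
if ($policy -and $policy.NoClose -eq 1) { $findings += New-Finding 'Policy' 'NoClose = 1' }

if ($findings.Count -eq 0) {
    'None of the listed Sasser artefacts were found.'
} else {
    $findings | Select-Object Check, Item | Format-Table -AutoSize
}
```

A clean result only means these named artefacts are absent; it does not show that the MS04-011 patch is installed.
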
  5. Ionizer

    Stickems Guest

    Surely a restore would remove this worm?

    "°Mike°" <> wrote in message
    news:...
    > The Sasser worm attempts to exploit the LSASS vulnerability
    > discussed in Microsoft Security Bulletin MS04-011. To kill
    > the worm before proceeding, boot into Safe Mode and
    > start your registry editor:
    > Start / Run / regedit
    >
    > Navigate to:
    > HKEY_LOCAL_MACHINE
    > +Software
    > +Microsoft
    > +Windows
    > +CurrentVersion
    > +Run
    >
    > In the right-hand pane, look for any entry/ies that include
    > AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE .
    >
    > DELETE it/them.
    > These are the files associated with the different variants:
    > Variant A - avserve.exe
    > Variant B - avserve2.exe
    > Variant C - avserve2.exe
    > Variant D - skynetave.exe
    >
    > You have now disabled the worm from running at startup, so
    > boot into normal mode again, and turn off ALL system restores
    > to purge your system of any remnants.
    >
    > Open Windows Explorer to the
    > ..\Windows\
    > or
    > ..\WinNT\
    > folder and DELETE *any* of the files named above.
    >
    > Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
    > folder and find the reference to the above file/s (any reference
    > will be similar to: <filename.exe>-<alphanumerics>.PF), for
    > example, avserve.exe-0235D8H6.pf, and DELETE it/them.
    >
    > Update your virus scanner and run a FULL system scan.
    >
    > Now you can download and install the patch from Microsoft.
    > Microsoft Security Bulletin MS04-011
    > http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
    >
    > What You Should Know About the Sasser Worm and Its Variants
    > http://www.microsoft.com/security/incident/sasser.asp
    >
    > Sasser A and Sasser B removal tool
    > http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17
    >
    > Shorter link to above removal tool:
    > http://makeashorterlink.com/?I14942538
    >
    > W32.Sasser.Worm
    > http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html
    >
    > W32.Sasser.B.Worm
    > http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html
    >
    > W32.Sasser.C.Worm
    > http://www.sarc.com/avcenter/venc/data/w32.sasser.c.worm.html
    >
    > W32.Sasser.D.Worm
    > http://www.symantec.com/avcenter/venc/data/w32.sasser.d.html
    >
    > Some users have also stated that the Sasser worm removes the shutdown
    > button from the Start menu. If you find this to be the case, start your
    > registry editor:
    >
    > Start \ Run \ regedit
    >
    > Navigate to:
    >
    > HKEY_CURRENT_USER
    > +Software
    > +Microsoft
    > +Windows
    > +CurrentVersion
    > +Policies
    > +Explorer
    >
    > In the right-hand window, look for:
    > "NoClose" with a value of 0x0000001 (1)
    >
    > If the entry exists, double-click on it, and change the
    > value to 0 (zero).
    >
    >
    > On Tue, 04 May 2004 22:48:32 GMT, in
    > <>
    > Murgi scrawled:
    >
    > >Is there a URL where I can quickly check whether one of my computers is
    > >afflicted with the Sasser worm? 2 of my machines have become slow...
    > >I use anti virus software and a firewall, however.
    > >
    > >
    > >Murgi
    > >

    >
    > --
    > Basic computer maintenance
    > http://uk.geocities.com/personel44/maintenance.html
    Stickems, May 5, 2004
    #5
  6. Ionizer

    dark elf Guest

    "Stickems" <> wrote in message
    news:cL3mc.22$...
    > Surely a restore would remove this worm?

    Yeah, but the only way to actually prevent it from infecting your system
    again is to download the security patch provided through Microsoft. The
    only people that are getting hit with this are people who don't load their
    critical updates for Windows. Microsoft had the patch on their website long
    before the virus actually hit the 'net.
    dark elf, May 5, 2004
    #6
  7. Ionizer

    °Mike° Guest

    Not necessarily. A restore only replaces system
    files, and a restore, in itself, may be infected.
    That is NOT the way to go.


    On Wed, 5 May 2004 11:56:14 +0100, in
    <cL3mc.22$>
    Stickems scrawled:

    >Surely a restore would remove this worm?
    >
    >"°Mike°" <> wrote in message
    >news:...
    >> The Sasser worm attempts to exploit the LSASS vulnerability


    <snip>

    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
    °Mike°, May 5, 2004
    #7
  8. Ionizer

    Brad Guest

    "dark elf" <evil.hades(BLAH)@charter.net> wrote in message news:<>...
    > "Stickems" <> wrote in message
    > news:cL3mc.22$...
    > > Surely a restore would remove this worm?
    >
    > Yeah, but the only way to actually prevent it from infecting your system
    > again is to download the security patch provided through Microsoft. The
    > only people that are getting hit with this are people who don't load their
    > critical updates for Windows. Microsoft had the patch on their website long
    > before the virus actually hit the 'net.


    Great idea but one problem. Of the 300 HP laptops we have in the field
    200 are a particular model. When the security patch KB835732 is
    applied that system 'hangs' when it is rebooted. We have acquired and
    applied hot fix KB841382 it also causes those models to hang on
    reboot. So we either have a system that won't reboot, or a system that
    reboots after being connected to the Internet for between 5 minutes
    and 3+ hours. HP says it is a Microsoft issue and Microsoft has
    suggested that we block port 445. Anyone know how to do this on a
    dial-up?
    Back to the original subject, in order to test whatever suggestion
    that MS or HP come up with it would help a lot to have a way to test
    it immediately instead of waiting for 3 hours and guessing that it
    must be fixed.
    Thanks!
    Brad, May 10, 2004
    #8