Sasser scanner/removal tool

Discussion in 'NZ Computing' started by Brett Roberts, May 3, 2004.

  1. Brett Roberts, May 3, 2004
    #1

  2. T.N.O. - Dave.net.nz, May 3, 2004
    #2

  3. Brett Roberts

    Ray Greene Guest

    On Tue, 4 May 2004 08:59:05 +1200, "Brett Roberts"
    <> wrote:

    >http://www.microsoft.com/security/incident/sasser.asp


    People should be aware that there is a serious bug with this patch. It can
    cause a PC to be unable to load a driver on startup and to freeze while
    trying to do so, by using all the CPU time. Some info is at
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;841382

    It can happen with any driver apparently. It affected our file server and
    locked it up while trying to load the driver for the RAID card. This was
    early morning just before everyone turned up for work. Fortunately our
    backups are on removable hard drives and not tapes, so the backup machine
    became a file server for the day.

    The patch can be uninstalled through Add/Remove Programs (Windows Hotfix
    KB835732) but even in safe mode our machine was running so slowly it took
    some hours to complete the uninstall.

    There are no warnings about this on Microsoft Security Bulletin MS04-011.

    We will be installing a Linux file server in the next week or so. We can
    cope with viruses and vulnerabilities etc but having to rely on MS-supplied
    "fixes" which can kill critical machines without warning is simply too
    dangerous.

    Ray Greene.
     
    Ray Greene, May 4, 2004
    #3
  4. Ray Greene wrote:
    > We will be installing a Linux file server in the next week or so. We can
    > cope with viruses and vulnerabilities etc but having to rely on MS-supplied
    > "fixes" which can kill critical machines without warning is simply too
    > dangerous.


    Any patches from anywhere can kill critical machines without warning...

    if the machine is critical, why does it have access to the net?


    --
    Dave Hall
    http://Dave.net.nz
    We have Hangman, Pacman, and Space Invaders
     
    T.N.O. - Dave.net.nz, May 4, 2004
    #4
  5. Brett Roberts

    Enkidu Guest

    On Tue, 4 May 2004 08:59:05 +1200, "Brett Roberts"
    <> wrote:
    >
    >http://www.microsoft.com/security/incident/sasser.asp
    >

    Hi Brett,

    Thanks for that. Just a bit of feedback - I ran the thing and it ended
    silently - that is, it didn't say "not found" or "virus found". Now I
    only ran it experimentally since I don't have the virus, but it would
    have been nice if it had told me so!

    Cheers,

    Cliff
     
    Enkidu, May 4, 2004
    #5
  6. "Enkidu" <> wrote in message
    news:...
    > On Tue, 4 May 2004 08:59:05 +1200, "Brett Roberts"
    > <> wrote:
    >>
    >>http://www.microsoft.com/security/incident/sasser.asp
    >>

    > Hi Brett,
    >
    > Thanks for that. Just a bit of feedback - I ran the thing and it ended
    > silently - that is, it didn't say "not found" or "virus found". Now I
    > only ran it experimentally since I don't have the virus, but it would
    > have been nice if it had told me so!
    >
    > Cheers,
    >
    > Cliff


    Thanks Cliff, this is good feedback. I will forward it to the people who
    built the scanner tool.
     
    Brett Roberts, May 4, 2004
    #6
  7. "Ray Greene" <> wrote in message
    news:IZClc.89$...
    > On Tue, 4 May 2004 08:59:05 +1200, "Brett Roberts"
    > <> wrote:
    >
    >>http://www.microsoft.com/security/incident/sasser.asp

    >
    > People should be aware that there is a serious bug with this patch. It can
    > cause a PC to be unable to load a driver on startup and to freeze while
    > trying to do so, by using all the CPU time. Some info is at
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;841382
    >
    > It can happen with any driver apparently. It affected our file server and
    > locked it up while trying to load the driver for the RAID card. This was
    > early morning just before everyone turned up for work. Fortunately our
    > backups are on removable hard drives and not tapes, so the backup machine
    > became a file server for the day.
    >
    > The patch can be uninstalled through Add/Remove Programs (Windows Hotfix
    > KB835732) but even in safe mode our machine was running so slowly it took
    > some hours to complete the uninstall.
    >
    > There are no warnings about this on Microsoft Security Bulletin MS04-011.
    >
    > We will be installing a Linux file server in the next week or so. We can
    > cope with viruses and vulnerabilities etc but having to rely on MS-supplied
    > "fixes" which can kill critical machines without warning is simply too
    > dangerous.
    >
    > Ray Greene.


    Hi Ray, I'm sorry to hear about the hassles you ran into applying MS04-011.
    Please let me know via nz.comp or by calling me on (09) 3575800 if you need
    any technical support in remedying the problems.
     
    Brett Roberts, May 4, 2004
    #7
  8. Ray Greene
    > On Tue, 4 May 2004 08:59:05 +1200, "Brett Roberts"
    > <> wrote:
    >
    > >http://www.microsoft.com/security/incident/sasser.asp

    >
    > People should be aware that there is a serious bug with this patch. It can
    > cause a PC to be unable to load a driver on startup and to freeze while
    > trying to do so, by using all the CPU time. Some info is at
    > http://support.microsoft.com/default.aspx?scid=kb;EN-US;841382
    >
    > It can happen with any driver apparently. It affected our file server and
    > locked it up while trying to load the driver for the RAID card. This was
    > early morning just before everyone turned up for work. Fortunately our
    > backups are on removable hard drives and not tapes, so the backup machine
    > became a file server for the day.
    >
    > The patch can be uninstalled through Add/Remove Programs (Windows Hotfix
    > KB835732) but even in safe mode our machine was running so slowly it took
    > some hours to complete the uninstall.
    >
    > There are no warnings about this on Microsoft Security Bulletin MS04-011.


    I did read some warnings about these patches on the MS site so the info
    is there. I understand Windows 2000 has had some problems with it.
     
    Patrick Dunford, May 4, 2004
    #8
  9. T.N.O. - Dave.net.nz
    > Ray Greene wrote:
    > > We will be installing a Linux file server in the next week or so. We can
    > > cope with viruses and vulnerabilities etc but having to rely on MS-supplied
    > > "fixes" which can kill critical machines without warning is simply too
    > > dangerous.

    >
    > Any patches from anywhere can kill critical machines without warning...
    >
    > if the machine is critical, why does it have access to the net?


    It's a file server; it has access to their internal network, and anything
    that is on a network is potentially vulnerable to any of these things.
     
    Patrick Dunford, May 4, 2004
    #9
  10. Enkidu
    > On Tue, 4 May 2004 08:59:05 +1200, "Brett Roberts"
    > <> wrote:
    > >
    > >http://www.microsoft.com/security/incident/sasser.asp
    > >

    > Hi Brett,
    >
    > Thanks for that. Just a bit of feedback - I ran the thing and it ended
    > silently - that is, it didn't say "not found" or "virus found". Now I
    > only ran it experimentally since I don't have the virus, but it would
    > have been nice if it had told me so!


    There are also scanners available from the antivirus companies and
    probably one for your favourite AV package.
     
    Patrick Dunford, May 4, 2004
    #10
  11. Brett Roberts

    ~misfit~ Guest

    ~misfit~, May 4, 2004
    #11
  12. "~misfit~" <> wrote in message
    news:L3Flc.151$...
    > Brett Roberts wrote:
    >> http://www.microsoft.com/security/incident/sasser.asp

    >
    > Hi Brett,
    >
    > I'm using XP's firewall. Will that stop Sasser?
    >
    > Cheers,
    > --
    > ~misfit~
    >
    >


    from http://www.microsoft.com/security/incident/sasser.asp

    Before you take other steps, make sure you have a firewall activated to help
    protect your computer against infection. If you have a hardware firewall in
    place for your home or workplace connection, or if you use the firewall
    included with Microsoft® Windows® XP, the Sasser worm is most likely
    blocked. If your computer has been infected, activating firewall software
    will help limit the effects of the worm on your computer.
     
    Brett Roberts, May 4, 2004
    #12
  13. Brett Roberts

    Enkidu Guest

    On Tue, 4 May 2004 15:57:46 +1200, Patrick Dunford
    <> wrote:

    >Enkidu
    >> On Tue, 4 May 2004 08:59:05 +1200, "Brett Roberts"
    >> <> wrote:
    >> >
    >> >http://www.microsoft.com/security/incident/sasser.asp
    >> >

    >> Hi Brett,
    >>
    >> Thanks for that. Just a bit of feedback - I ran the thing and it ended
    >> silently - that is, it didn't say "not found" or "virus found". Now I
    >> only ran it experimentally since I don't have the virus, but it would
    >> have been nice if it had told me so!

    >
    >There are also scanners available from the antivirus companies and
    >probably one for your favourite AV package.
    >

    Your point is? I'd use them all, if I thought I'd got the virus. I was
    just giving it a trial run.

    Cheers,

    Cliff
     
    Enkidu, May 4, 2004
    #13
  14. Brett Roberts

    Ray Greene Guest

    On Tue, 04 May 2004 14:21:38 +1200, "T.N.O. - Dave.net.nz" <>
    wrote:

    >Ray Greene wrote:
    >> We will be installing a Linux file server in the next week or so. We can
    >> cope with viruses and vulnerabilities etc but having to rely on MS-supplied
    >> "fixes" which can kill critical machines without warning is simply too
    >> dangerous.

    >
    >Any patches from anywhere can kill critical machines without warning...


    But why was there no warning? Microsoft knew about the problem and had a
    webpage about it. Why not just put a link to it on the security bulletin?

    >if the machine is critical, why does it have access to the net?


    It doesn't, but obviously it's on a network, and we have users with laptops
    and occasionally clients' machines on the network.

    Ray Greene.
     
    Ray Greene, May 4, 2004
    #14
  15. Brett Roberts

    Ray Greene Guest

    On Tue, 4 May 2004 15:09:23 +1200, "Brett Roberts"
    <> wrote:

    >Hi Ray, I'm sorry to hear about the hassles you ran into applying MS04-011.
    >Please let me know via nz.comp or by calling me on (09) 3575800 if you need
    >any technical support in remedying the problems.


    Thanks Brett. I removed the patch but I would like to know if there is a way
    to protect the machine without risking another lockup.

    We may as well discuss it here for the benefit of others who may be
    interested.

    Ray Greene.
     
    Ray Greene, May 4, 2004
    #15
  16. Enkidu
    > On Tue, 4 May 2004 15:57:46 +1200, Patrick Dunford
    > <> wrote:
    >
    > >Enkidu
    > >> On Tue, 4 May 2004 08:59:05 +1200, "Brett Roberts"
    > >> <> wrote:
    > >> >
    > >> >http://www.microsoft.com/security/incident/sasser.asp
    > >> >
    > >> Hi Brett,
    > >>
    > >> Thanks for that. Just a bit of feedback - I ran the thing and it ended
    > >> silently - that is, it didn't say "not found" or "virus found". Now I
    > >> only ran it experimentally since I don't have the virus, but it would
    > >> have been nice if it had told me so!

    > >
    > >There are also scanners available from the antivirus companies and
    > >probably one for your favourite AV package.
    > >

    > Your point is? I'd use them all, if I thought I'd got the virus. I was
    > just giving it a trial run.


    They might be better.
     
    Patrick Dunford, May 4, 2004
    #16
  17. Ray Greene
    > On Tue, 04 May 2004 14:21:38 +1200, "T.N.O. - Dave.net.nz" <>
    > wrote:
    >
    > >Ray Greene wrote:
    > >> We will be installing a Linux file server in the next week or so. We can
    > >> cope with viruses and vulnerabilities etc but having to rely on MS-supplied
    > >> "fixes" which can kill critical machines without warning is simply too
    > >> dangerous.

    > >
    > >Any patches from anywhere can kill critical machines without warning...

    >
    > But why was there no warning? Microsoft knew about the problem and had a
    > webpage about it. Why not just put a link to it on the security bulletin?


    What?

    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    "Microsoft Knowledge Base Article 835732 documents the currently
    known issues that customers may experience when they install this
    security update. The article also documents recommended solutions for
    these issues. For more information, see Microsoft Knowledge Base Article
    835732"
     
    Patrick Dunford, May 4, 2004
    #17
  18. Ray Greene
    > On Tue, 4 May 2004 15:09:23 +1200, "Brett Roberts"
    > <> wrote:
    >
    > >Hi Ray, I'm sorry to hear about the hassles you ran into applying MS04-011.
    > >Please let me know via nz.comp or by calling me on (09) 3575800 if you need
    > >any technical support in remedying the problems.

    >
    > Thanks Brett. I removed the patch but I would like to know if there is a way
    > to protect the machine without risking another lockup.
    >
    > We may as well discuss it here for the benefit of others who may be
    > interested.


    An incompatibility with another manufacturer's products was found.

    It is impossible to test for all possible causes.

    If your machine sits behind a firewall, set the firewall to block
    unsolicited inbound traffic.
     
    Patrick Dunford, May 4, 2004
    #18
  19. Brett Roberts

    Gurble Guest

    On Tue, 4 May 2004 16:39:34 +1200, "Brett Roberts"
    <> wrote:

    > If your computer has been infected, activating firewall software
    >will help limit the effects of the worm on your computer.
    >

    Except, of course, the Windows XP firewall, which just blocks inbound
    traffic...

    (i.e. any "limiting effect" is in the reduction of spreading, which the
    XP firewall does not prevent at the source)
     
    Gurble, May 4, 2004
    #19
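
    Gurble's point above is that an inbound-only firewall leaves an already infected host free to scan outward, so spread has to be caught elsewhere. As an added example (not part of the thread), this Python function flags internal hosts that contact many distinct addresses on TCP 445, the port Sasser scanned (a detail not stated in the thread); the log format, addresses, threshold and time window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample (format and addresses invented for this example):
# "timestamp source destination dest_port", one outbound TCP connection per line.
SAMPLE_LOG = """\
2004-05-04T09:00:01 192.168.1.20 203.0.113.5 445
2004-05-04T09:00:02 192.168.1.20 203.0.113.6 445
2004-05-04T09:00:03 192.168.1.20 203.0.113.7 445
2004-05-04T09:00:04 192.168.1.20 198.51.100.9 445
2004-05-04T09:00:05 192.168.1.20 198.51.100.10 445
2004-05-04T09:00:06 192.168.1.30 192.168.1.5 445
2004-05-04T09:00:07 192.168.1.30 192.168.1.5 445
2004-05-04T09:00:08 192.168.1.40 203.0.113.80 80
garbled line that should be skipped
2004-05-04T09:10:00 192.168.1.50 203.0.113.5 445
2004-05-04T11:10:00 192.168.1.50 203.0.113.6 445
2004-05-04T13:10:00 192.168.1.50 203.0.113.7 445
"""

def find_smb_fanout(log_text, internal="192.168.1.0/24", port=445,
                    min_targets=5, window=timedelta(seconds=60)):
    """Return {source: peak distinct destinations on `port` within `window`}
    for internal sources whose peak reaches `min_targets`."""
    net = ip_network(internal)
    events = defaultdict(list)            # source -> [(time, destination)]
    for line in log_text.splitlines():
        try:
            ts, src, dst, dport = line.split()
            when = datetime.fromisoformat(ts)
            if ip_address(src) in net and int(dport) == port:
                events[src].append((when, str(ip_address(dst))))
        except ValueError:                # wrong field count or bad value
            continue
    flagged = {}
    for src, seen in events.items():
        seen.sort()
        peak = 0
        for i, (start, _) in enumerate(seen):
            # Distinct destinations reached within `window` of this event.
            targets = {d for t, d in seen[i:] if t - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    print(find_smb_fanout(SAMPLE_LOG))
```

    In the sample, the workstation that keeps talking to one internal file server and the host whose three connections are hours apart are not flagged; only the rapid fan-out is.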
  20. The GHOST of WOGER., May 4, 2004
    #20
