Worm/Sasser.C

Discussion in 'Computer Support' started by Pistol Pete, May 4, 2004.

  1. Pistol Pete

    Pistol Pete Guest

    Hello,

    Have already had and successfully removed Sasser.A, Sasser.B and Sasser.C.
    My virus definitions and firewall updates are bang up to date. However, I'm
    still noticing lsass.exe running in the task manager, and my anti-virus
    software turned off when I boot up the PC, so I know the bastard is still
    there - it's not really affecting system performance in the same way
    previous incarnations have.

    What can I do?

    Grant
     
    Pistol Pete, May 4, 2004
    #1

  2. Pistol Pete

    hushia Guest

    "Pistol Pete" <> wrote in message
    news:c77n8t$580$...
    > Hello,
    >
    > Have already had and successfully removed Sasser.A, Sasser.B and
    > Sasser.C. My virus definitions and firewall updates are bang up to
    > date. However, I'm still noticing lsass.exe running in the task
    > manager, and my anti-virus software turned off when I boot up the
    > PC, so I know the bastard is still there - it's not really
    > affecting system performance in the same way previous incarnations
    > have.
    >
    > What can I do?
    >
    > Grant


    Lsass.exe is also running in my task manager. I don't think this
    indicates the Sasser virus. Lsass.exe is a system process.
     
    hushia, May 4, 2004
    #2

  3. Pistol Pete

    Boomer Guest

    "Pistol Pete" <> did say:

    > Hello,
    >
    > Have already had and successfully removed Sasser.A, Sasser.B and
    > Sasser.C. My virus definitions and firewall updates are bang up to
    > date. However, I'm still noticing lsass.exe running in the task
    > manager, and my anti-virus software turned off when I boot up the
    > PC, so I know the bastard is still there - it's not really
    > affecting system performance in the same way previous incarnations
    > have.
    >
    > What can I do?
    >
    > Grant


    Via Google.
    http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/
     
    Boomer, May 4, 2004
    #3
  4. Boomer wrote:

    > "Pistol Pete" <> did say:
    >
    >
    >>Hello,
    >>
    >>Have already had and successfully removed Sasser.A, Sasser.B and
    >>Sasser.C. My virus definitions and firewall updates are bang up to
    >>date. However, I'm still noticing lsass.exe running in the task
    >>manager, and my anti-virus software turned off when I boot up the
    >>PC, so I know the bastard is still there - it's not really
    >>affecting system performance in the same way previous incarnations
    >>have.
    >>
    >>What can I do?
    >>
    >>Grant

    >
    >
    > Via Google.
    > http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/



    Yep, deleting that will surely make the OP's computer more
    secure :). Who needs users?
     
    Palindr☻me, May 4, 2004
    #4
  5. Pistol Pete

    Pistol Pete Guest

    I was slightly off, the Sasser virus exploits a security weakness in
    lsass.exe. But this is regardless because it is still switching off my
    Antivirus software - so it's still lurking somewhere! Argh!

    "hushia" <> wrote in message
    news:c77o7l$dei$...
    > "Pistol Pete" <> wrote in message
    > news:c77n8t$580$...
    > > Hello,
    > >
    > > Have already had and successfully removed Sasser.A, Sasser.B and
    > > Sasser.C. My virus definitions and firewall updates are bang up to
    > > date. However, I'm still noticing lsass.exe running in the task
    > > manager, and my anti-virus software turned off when I boot up the
    > > PC, so I know the bastard is still there - it's not really
    > > affecting system performance in the same way previous incarnations
    > > have.
    > >
    > > What can I do?
    > >
    > > Grant
    >
    > Lsass.exe is also running in my task manager. I don't think this
    > indicates the Sasser virus. Lsass.exe is a system process.
     
    Pistol Pete, May 4, 2004
    #5
  6. Pistol Pete

    Boomer Guest

    Palindr☻me <> did say:

    > Boomer wrote:
    >
    >> "Pistol Pete" <> did say:
    >>
    >>
    >>>Hello,
    >>>
    >>>Have already had and successfully removed Sasser.A, Sasser.B and
    >>>Sasser.C. My virus definitions and firewall updates are bang up
    >>>to date. However, I'm still noticing lsass.exe running in the
    >>>task manager, and my anti-virus software turned off when I boot
    >>>up the PC, so I know the bastard is still there - it's not really
    >>>affecting system performance in the same way previous
    >>>incarnations have.
    >>>
    >>>What can I do?
    >>>
    >>>Grant

    >>
    >>
    >> Via Google.
    >> http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

    >
    >
    > Yep, deleting that will surely make the OP's computer more
    > secure :). Who needs users?


    At last.. the easy way to make sure Windows is exempt from viruses.
    ;)
     
    Boomer, May 4, 2004
    #6
  7. Boomer wrote:

    > Palindr☻me <> did say:
    >
    >
    >>Boomer wrote:
    >>
    >>
    >>>"Pistol Pete" <> did say:
    >>>
    >>>
    >>>
    >>>>Hello,
    >>>>
    >>>>Have already had and successfully removed Sasser.A, Sasser.B and
    >>>>Sasser.C. My virus definitions and firewall updates are bang up
    >>>>to date. However, I'm still noticing lsass.exe running in the
    >>>>task manager, and my anti-virus software turned off when I boot
    >>>>up the PC, so I know the bastard is still there - it's not really
    >>>>affecting system performance in the same way previous
    >>>>incarnations have.
    >>>>
    >>>>What can I do?
    >>>>
    >>>>Grant
    >>>
    >>>
    >>>Via Google.
    >>>http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

    >>
    >>
    >>Yep, deleting that will surely make the OP's computer more
    >>secure :). Who needs users?

    >
    >
    > At last.. the easy way to make sure Windows is exempt from viruses.
    > ;)


    I think at least one SciFi film has had a plot of the
    computer operating system identifying the users as a virus
    and trying to stop them replicating. Not that you need
    computers to do that when you have 3 kids under 4...
     
    Palindr☻me, May 4, 2004
    #7
  8. Pistol Pete

    Boomer Guest

    Palindr☻me <> did say:

    > Boomer wrote:
    >
    >> Palindr☻me <> did say:
    >>
    >>
    >>>Boomer wrote:
    >>>
    >>>
    >>>>"Pistol Pete" <> did say:
    >>>>
    >>>>
    >>>>
    >>>>>Hello,
    >>>>>
    >>>>>Have already had and successfully removed Sasser.A, Sasser.B and
    >>>>>Sasser.C. My virus definitions and firewall updates are bang up
    >>>>>to date. However, I'm still noticing lsass.exe running in the
    >>>>>task manager, and my anti-virus software turned off when I boot
    >>>>>up the PC, so I know the bastard is still there - it's not really
    >>>>>affecting system performance in the same way previous
    >>>>>incarnations have.
    >>>>>
    >>>>>What can I do?
    >>>>>
    >>>>>Grant
    >>>>
    >>>>
    >>>>Via Google.
    >>>>http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/
    >>>
    >>>
    >>>Yep, deleting that will surely make the OP's computer more
    >>>secure :). Who needs users?

    >>
    >>
    >> At last.. the easy way to make sure Windows is exempt from viruses.
    >> ;)

    >
    > I think at least one SciFi film has had a plot of the
    > computer operating system identifying the users as a virus
    > and trying to stop them replicating.


    Seriously?

    > Not that you need
    > computers to do that when you have 3 kids under 4...


    There's other means for 'that' replication problem. ;o)
     
    Boomer, May 4, 2004
    #8
  9. Hi,

    With newer Sasser Worm variants appearing I also recommend you use a
    Trojan Scanning tool to make sure nothing else has been placed on
    your PC.

    Why?

    The Sasser Worm did not have this as part of its code, HOWEVER the
    newer variants could be written to do more than the original worm!

    A FREE online Trojan scanner is here:

    http://www.trojanscan.com

    More on the Sasser worm at:

    http://www.sasser-worm.com

    Kind Regards

    Marc Liron
    Microsoft MVP
    http://www.updatexp.com
    ----------------------------
    Get Your FREE XP Newsletter!
    ----------------------------


    "Pistol Pete" <> wrote in message news:<c77r43$gp8$>...
    > I was slightly off, the Sasser virus exploits a security weakness in
    > lsass.exe. But this is regardless because it is still switching off my
    > Antivirus software - so it's still lurking somewhere! Argh!
    >
    > "hushia" <> wrote in message
    > news:c77o7l$dei$...
    > > "Pistol Pete" <> wrote in message
    > > news:c77n8t$580$...
    > > > Hello,
    > > >
    > > > Have already had and successfully removed Sasser.A, Sasser.B and
    > > > Sasser.C. My virus definitions and firewall updates are bang up to
    > > > date. However, I'm still noticing lsass.exe running in the task
    > > > manager, and my anti-virus software turned off when I boot up the
    > > > PC, so I know the bastard is still there - it's not really
    > > > affecting system performance in the same way previous incarnations
    > > > have.
    > > >
    > > > What can I do?
    > > >
    > > > Grant
    > >
    > > Lsass.exe is also running in my task manager. I don't think this
    > > indicates the Sasser virus. Lsass.exe is a system process.
     
    Marc Liron MVP, May 4, 2004
    #9
  10. Pistol Pete

    Pistol Pete Guest

    Thanks, your webpage was helpful.

    Although my battle against Sasser seems far from over. Every single time I
    boot my PC my antivirus software is turned off - so I know Sasser a, b, c or
    d is in there somewhere. A recent scan found 6 examples of D.

    I find this puzzling. Even though I have a perfectly up-to-date firewall and
    anti-virus software, I'm still constantly infected and getting infected.

    The latest is Sasser.B re-infesting itself! How's that possible with
    up-to-date definitions! I even downloaded the Microsoft fix recommended on
    your web site but to no avail.



    "Marc Liron MVP" <> wrote in message
    news:...
    > Hi,
    >
    > With newer Sasser Worm variants appearing I also recommend you use a
    > Trojan Scanning tool to make sure nothing else has been placed on
    > your PC.
    >
    > Why?
    >
    > The Sasser Worm did not have this as part of its code, HOWEVER the
    > newer variants could be written to do more than the original worm!
    >
    > A FREE online Trojan scanner is here:
    >
    > http://www.trojanscan.com
    >
    > More on the Sasser worm at:
    >
    > http://www.sasser-worm.com
    >
    > Kind Regards
    >
    > Marc Liron
    > Microsoft MVP
    > http://www.updatexp.com
    > ----------------------------
    > Get Your FREE XP Newsletter!
    > ----------------------------
    >
    >
    > "Pistol Pete" <> wrote in message news:<c77r43$gp8$>...
    > > I was slightly off, the Sasser virus exploits a security weakness in
    > > lsass.exe. But this is regardless because it is still switching off my
    > > Antivirus software - so it's still lurking somewhere! Argh!
    > >
    > > "hushia" <> wrote in message
    > > news:c77o7l$dei$...
    > > > "Pistol Pete" <> wrote in message
    > > > news:c77n8t$580$...
    > > > > Hello,
    > > > >
    > > > > Have already had and successfully removed Sasser.A, Sasser.B and
    > > > > Sasser.C. My virus definitions and firewall updates are bang up to
    > > > > date. However, I'm still noticing lsass.exe running in the task
    > > > > manager, and my anti-virus software turned off when I boot up the
    > > > > PC, so I know the bastard is still there - it's not really
    > > > > affecting system performance in the same way previous incarnations
    > > > > have.
    > > > >
    > > > > What can I do?
    > > > >
    > > > > Grant
    > > >
    > > > Lsass.exe is also running in my task manager. I don't think this
    > > > indicates the Sasser virus. Lsass.exe is a system process.
     
    Pistol Pete, May 4, 2004
    #10
  11. Pistol Pete

    Greg Guest

    LASS.EXE is a normal Windows process. The Local Security Authority Service
    runs all your authentication (the NT security subsystem); this is not only for
    Kerberos but NTLM domain authentication, netlogon, SSL, local SAM
    authentication, etc. Without that service I don't believe your machine will be
    operable. There is, however, a virus that attempts to disguise itself as the
    normal Windows LASS.EXE. I believe the virus is win32/lovegate.


    "Pistol Pete" <> wrote in message
    news:c77n8t$580$...
    > Hello,
    >
    > Have already had and successfully removed Sasser.A, Sasser.B and Sasser.C.
    > My virus definitions and firewall updates are bang up to date. However, I'm
    > still noticing lsass.exe running in the task manager, and my anti-virus
    > software turned off when I boot up the PC, so I know the bastard is still
    > there - it's not really affecting system performance in the same way
    > previous incarnations have.
    >
    > What can I do?
    >
    > Grant
     
    Greg, May 4, 2004
    #11
  12. On 4 May 2004 06:55:51 -0700, (Marc Liron MVP)
    wrote:

    >Hi,
    >
    >With newer Sasser Worm variants appearing I also recommend you use a
    >Trojan Scanning tool to make sure nothing else has been placed on
    >your PC.
    >
    >Why?
    >
    >The Sasser Worm did not have this as part of its code, HOWEVER the
    >newer variants could be written to do more than the original worm!
    >
    >A FREE online Trojan scanner is here:
    >
    >http://www.trojanscan.com
    >

    "Trojan database last update: 12/10/03" doesn't exactly fill me with
    confidence.
     
    The Great Cornholio, May 4, 2004
    #12
  13. Pistol Pete

    °Mike° Guest

    The Sasser worm attempts to exploit the LSASS vulnerability
    discussed in Microsoft Security Bulletin MS04-011. To kill
    the worm before proceeding, boot into Safe Mode and
    start your registry editor:
    Start / Run / regedit

    Navigate to:
    HKEY_LOCAL_MACHINE
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Run

    In the right-hand pane, look for any entry/ies that include
    AVSERVE.EXE, AVSERVE2.EXE, SKYNETAVE.EXE .

    DELETE it/them.
    These are the files associated with the different variants:
    Variant A - avserve.exe
    Variant B - avserve2.exe
    Variant C - avserve2.exe
    Variant D - skynetave.exe

    You have now disabled the worm from running at startup, so
    boot into normal mode again, and turn off ALL system restores
    to purge your system of any remnants.

    Open Windows Explorer to the
    ..\Windows\
    or
    ..\WinNT\
    folder and DELETE *any* of the files named above.

    Next, go to the ..\Windows\Prefetch\ or ..\WinNT\Prefetch\
    folder and find the reference to the above file/s (any reference
    will be similar to: <filename.exe>-<alphanumerics>.PF), for
    example, avserve.exe-0235D8H6.pf, and DELETE it/them.

    Update your virus scanner and run a FULL system scan.

    Now you can download and install the patch from Microsoft.
    Microsoft Security Bulletin MS04-011
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    What You Should Know About the Sasser Worm and It Variants
    http://www.microsoft.com/security/incident/sasser.asp

    Sasser A and Sasser B removal tool
    http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17

    Shorter link to above removal tool:
    http://makeashorterlink.com/?I14942538

    W32.Sasser.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html

    W32.Sasser.B.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html

    W32.Sasser.C.Worm
    http://www.sarc.com/avcenter/venc/data/w32.sasser.c.worm.html

    W32.Sasser.D.Worm
    http://www.symantec.com/avcenter/venc/data/w32.sasser.d.html

    Some users have also stated that the Sasser worm removes the shutdown
    button from the Start menu. If you find this to be the case, start your
    registry editor:

    Start \ Run \ regedit

    Navigate to:

    HKEY_CURRENT_USER
    +Software
    +Microsoft
    +Windows
    +CurrentVersion
    +Policies
    +Explorer

    In the right-hand window, look for:
    "NoClose" with a value of 0x0000001 (1)

    If the entry exists, double-click on it, and change the
    value to 0 (zero).


    On Tue, 4 May 2004 09:20:29 +0000 (UTC), in
    <c77n8t$580$>
    Pistol Pete scrawled:

    >Hello,
    >
    >Have already had and successfully removed Sasser.A, Sasser.B and Sasser.C.
    >My virus definitions and firewall updates are bang up to date. However, I'm
    >still noticing lsass.exe running in the task manager, and my anti-virus
    >software turned off when I boot up the PC, so I know the bastard is still
    >there - it's not really affecting system performance in the same way
    >previous incarnations have.
    >
    >What can I do?
    >
    >Grant
    >


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, May 4, 2004
    #13
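
The checks in °Mike°'s post above, gathered into one read-only PowerShell audit. This is an added example, not part of the original thread: it only reports the Run-key entries, files, Prefetch traces and NoClose policy value the post names, and changes nothing. The variable and function names are assumptions of this example, and reading the Prefetch folder generally needs an elevated session.

```powershell
# Added example: read-only audit for the artifacts listed in the post above.
# It reports findings only; it does not delete files or edit the registry.
$names = 'avserve.exe', 'avserve2.exe', 'skynetave.exe'   # variants A, B/C and D per the post
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($check, $detail) {   # hypothetical helper for this example
    $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
}

# 1. Autostart values under HKLM\Software\Microsoft\Windows\CurrentVersion\Run
$runPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKey = Get-Item -Path $runPath -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($valueName in $runKey.GetValueNames()) {
        $data = [string]$runKey.GetValue($valueName)
        foreach ($n in $names) {
            # Escape the dot so 'avserve.exe' does not match 'avserve2.exe'
            if ($data -match [regex]::Escape($n)) {
                Add-Finding 'Run key' "$valueName = $data"
            }
        }
    }
}

# 2. Worm executables in the Windows folder, and 3. their Prefetch traces
#    (<filename.exe>-<alphanumerics>.pf, as described in the post)
$prefetch = Join-Path $env:windir 'Prefetch'
foreach ($n in $names) {
    $exe = Join-Path $env:windir $n
    if (Test-Path -LiteralPath $exe) { Add-Finding 'File' $exe }
    Get-ChildItem -Path $prefetch -Filter "$n-*.pf" -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'Prefetch' $_.FullName }
}

# 4. NoClose policy that hides the shutdown button for the current user
$polPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$pol = Get-ItemProperty -Path $polPath -Name NoClose -ErrorAction SilentlyContinue
if ($pol -and $pol.NoClose -eq 1) { Add-Finding 'Policy' "NoClose = 1 in $polPath" }

if ($findings.Count -eq 0) {
    'None of the listed artifacts were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

An empty result only means these specific names are absent; it says nothing about other malware or about whether the MS04-011 patch is installed.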