The Sasser Worm & Symantec's FxSasser.exe


Scimitar
May 3rd, 2004, 06:40 PM
Hello Folks,

Regarding the Sasser worm, many of the machines on the college network were hit, and kept crashing/rebooting with the Error Msg along the lines of ... has experienced errors with the xxx/lsass.exe service. Shutting down in .... . I used the patch provided by Microsoft, and the Sasser removal tool from Symantec. http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html.

Given an infected machine, I first install the patch, let the system reboot and then run the removal tool. It always comes up saying the Sasser worm was not found on the system. Does the patch take care of even worm removal? If so, why would Symantec even put up a Removal tool? I'd like to know if anyone tried using the removal tool before installing the patch.. me's just curious. Thanx

_Scim_

DjM
May 3rd, 2004, 07:14 PM
Check to see if this file is on the computer:

%Windir%\avserve2.exe.

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

Cheers:

SirDice
May 4th, 2004, 02:16 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=257348#post742008) by DjM
%Windir%\avserve2.exe.
The variant I've seen uses %windir%\skynetave.exe.

Check the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

There will be a key there pointing to either avserve2 or skynetave. Remove them.
Reboot. After the reboot remove the file in %windir%. Your infection is now over.
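
A defender's check for the persistence entry SirDice describes, as an added example that is not from the thread or from any vendor tool: it parses sample `reg query` output (constructed here) for the Run key and flags values that launch the avserve/avserve2/skynetave file names mentioned in this thread, then lists the cleanup steps from the post as commands.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed sample of `reg query <RUN_KEY>` output; the paths are hypothetical,
# not captured from any machine discussed in the thread.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    avserve2.exe    REG_SZ    C:\WINDOWS\avserve2.exe
    ctfmon.exe      REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    skynetave.exe   REG_SZ    C:\WINNT\skynetave.exe
"""

# Dropped-file names the thread reports for the Sasser variants seen.
SASSER_NAMES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}

# One value line of reg query output: <indent><name> <REG_type> <data>
_VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")


def parse_run_values(text):
    """Return (value_name, reg_type, data) for each value line in reg query output."""
    values = []
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values.append((m.group("name"), m.group("type"), m.group("data")))
    return values


def find_sasser_run_entries(text):
    """Return (value_name, command) for Run values whose executable is a known Sasser name."""
    hits = []
    for name, _reg_type, data in parse_run_values(text):
        # Basename of the command, ignoring quotes and any arguments.
        parts = data.strip('"').split("\\")[-1].split()
        exe = parts[0].lower() if parts else ""
        if exe in SASSER_NAMES:
            hits.append((name, data))
    return hits


def cleanup_commands(hits):
    """The post's procedure as cmd.exe commands: delete the Run value, reboot,
    then delete the dropped file (run the last step only after the reboot)."""
    cmds = [f'reg delete "{RUN_KEY}" /v "{name}" /f' for name, _data in hits]
    cmds.append("shutdown -r -t 0")
    cmds.extend(f'del "{data}"' for _name, data in hits)
    return cmds


if __name__ == "__main__":
    found = find_sasser_run_entries(SAMPLE_REG_QUERY)
    print("\n".join(cleanup_commands(found)))
```

Run `reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"` on the suspect box and feed its output in place of the constructed sample.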

Und3ertak3r
May 4th, 2004, 02:37 PM
Things with Sasser have moved quickly..

At this time the current version of the Symantec removal tool is v1.0.3; anything before this is dog waste..

I won't repeat what has already been said.. other than: read the latest on Symantec's info page....

OK guys.. I said about these guys beating around the door.. I suspect when they find the door, it won't be a door knock like this.. there will be a package..... it could be.. Knock knock..package..find five doors..open package.. lights out..

cheers (I am cheery, aren't I)

DjM
May 4th, 2004, 04:13 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=257348#post742240) by SirDice
The variant I've seen uses %windir%\skynetave.exe.

Check the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

There will be a key there pointing to either avserve2 or skynetave. Remove them.
Reboot. After the reboot remove the file in %windir%. Your infection is now over.

Skynet, aren't those the clowns that wrote the Netsky family of viruses? Don't they have enough to do. :rolleyes:

Cheers:

/EDIT

This was posted on the SANS (http://isc.sans.org/) site this morning.

Sasser 'fix' hoax e-mail
This afternoon there is a hoax e-mail making the rounds purporting to be from an anti-virus vendor and claiming to have a clean up tool for Sasser attached. This is, in fact, a new NetSky variant. Anti-virus vendors will never send the tools as attachments in e-mail. Always check the vendor's web site for their latest clean up tools.

Are we having fun yet? :rolleyes:

foxyloxley
May 4th, 2004, 11:45 PM
Sasser 'fix' hoax e-mail

This HAS to be the ultimate in home delivery systems !!
Dial a Pizza eat your heart out. I have to admit to a smidge of a smile at the cheek of it though.

sasser
May 5th, 2004, 12:01 AM
I'm not responsible :D

Soda_Popinsky
May 5th, 2004, 12:25 AM
Press F8 before XP startup, enter safe mode and run the cleaner tool.

Has anyone done housecall.trendmicro in safe mode w/ networking? Is that functionality available in safe mode?

Answering your question, the patch doesn't remove Sasser, it just patches the vulnerability it exploits. So it is necessary to delete the virus using the removal tool.

To cancel the shutdown notice, click start-run-type cmd in the run box- at the black command prompt- type shutdown -a

That will allow you to work. I removed the worm with the Symantec removal tool before I installed the patch, because the network cut off access to the boxes I fixed.

instronics
May 5th, 2004, 08:26 AM
Everyone is talking about 'specific' removal tools. This makes me a bit unsure of things.

A customer of mine was infected last night with the Sasser worm. In the process lists, it showed up as avserve.exe, not avserve1 or 2. I instantly (on the infected box) ran Norton AV, with full updates and it found the Sasser worm. It could not disinfect it, so it quarantined it. After a couple of reboots, and a new scan, it found it again, so Norton AV quarantined it again. After that I deleted the quarantined files (bla, how the **** do you spell quarantined :p ) and after more reboots and full system scans, the worm seems to be gone. Is that enough? Now the said box appears to be clean. I rescanned it this morning a few times, and it all shows ok. Or are the default latest Norton AV updates not enough?

Cheers.

mark_boyle2002
May 5th, 2004, 11:07 AM
Did you patch the Windows box or just the Antivirus?

instronics
May 5th, 2004, 11:08 AM
Just the AV, since the owner of the box does not want to update windows itself via patches.

SirDice
May 5th, 2004, 11:15 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=257348#post742665) by instronics
Just the AV, since the owner of the box does not want to update windows itself via patches.
Now there's an accident waiting to happen :rolleyes:

instronics
May 5th, 2004, 11:45 AM
From what he tells me, the reason is, he has a lot of 'copied' software on that box, and installing M$ patches might lock up certain applications etc.... But back to my original question, does anyone know if Symantec AV deals with Sasser fully?

SirDice
May 5th, 2004, 12:53 PM
I don't think any virus scanner will prevent LSASS from being exploited. It'll probably only prevent the dropping of the files (avserve etc.). So you would be protected from infection by known versions of Sasser, but if the hole isn't patched anything else could still abuse it.

instronics
May 5th, 2004, 03:16 PM
I'm gonna try to convince him to use the M$ patches... if not, the box (before I got my hands on it) had nothing on it that has to do with security. I installed Ad-Aware on it, and found over 400 nasty things crawling in it, and no firewall or nothing, not even an AV. Now I put Ad-Aware, Symantec security suite, and Spybot on it and after a lot of scans and deleting and reboots, the system now looks clean. I also configured the firewall as best as I could. All scans now show a positive result. So far the Sasser has not re-surfaced on that box. Hopefully it will be enough for the time being. The hard part is (as with most customers) to convince them to actually use the update buttons located on all these sweet tools to keep it all up to date.

Cheers for your help everyone :)

dopeydadwarf
May 5th, 2004, 05:35 PM
Off topic. Couldn't find a thread to throw it into. Not worth starting a new thread. So since it is this virus, I'll put my FYI here. I live in the Midwest. Last night after work my wife came home asking about this Sasser virus. Apparently it has infected a grocery store here. The problem is the way their system is networked.

For example, the control center is in another city. But it controls things like the store freezers, and inventory orders. This worm has infected their system so badly, they are currently unable to take food stamps, debit cards, credit cards, and checks. All of their ordering is done via handheld scanner, which is wirelessly connected (fun to wardrive btw, not encrypted) to a machine upstairs that puts the whole order on for the store. They are starting to see freezer failures. There is no manual control, it is all automated. Their payroll system, time clocks, and even the ATMs and Fidelity bank inside the store are unable to "business as usual".

All I can say is, somebody needs to rethink their plan. They are up shit creek, without a paddle, the boat has sprung a leak, and apparently they can't swim.


Just thought I'd share this tid-bit with you folks


Be safe and stay free
