W32.Sasser Worm

I went to work today from 8:00am to 4:00pm. It's typically slow on Sundays, but it was slammed today, call after call; it seems like every customer was getting infected with this nasty worm. They're getting what's known as log/nosurf (meaning you can connect but can't display web pages), hence the name log/nosurf. Also getting error messages like 'desktop over quota', RPC, NT AUTHORITY, systems counting down, rebooting, deleting applications, etc.

So here's a short tutorial on how to detect it, uninstall it, and remove it from your PC. Enjoy.


Type: virus, worm
Infection length: 15,872 bytes
Systems affected: Windows 2000, Windows XP, Windows Server 2003
Systems not affected: Linux, Mac, Novell NetWare, OS/2, Unix

W32.Sasser is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly chosen IP addresses for vulnerable systems.

It attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to it, which may cause that computer to run a remote shell on TCP port 9996.

The worm then uses that shell to make the newly compromised computer connect back to the infecting machine's FTP server on TCP port 5554 and retrieve a copy of the worm. The copy has a name consisting of 4 or 5 digits followed by _up.exe (for example, 31337_up.exe).

How to remove it

1. Make sure you connect to the Internet with some form of protection, such as enabling the Internet Connection Firewall (ICF).

2. Press Ctrl + Alt + Delete to bring up Windows Task Manager.

3. Click the Processes tab.

4. Double-click the 'Image Name' column header to sort the processes.

5. Look through the list for avserve.exe, avserve2.exe, or any process whose name consists of 4 or 5 digits followed by _up.exe.

If you find one, click it and then click End Process.

6. Exit the Task Manager.
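As an added example (not part of the original post), here is a small Python script that applies the indicators described above: the process names from step 5 and the TCP ports from the propagation description. The firewall-log layout, the threshold and all sample data are constructed assumptions.

```python
import re

# Indicators quoted in the post: the worm's process names and the name
# pattern of the copy it downloads (4 or 5 digits followed by _up.exe).
KNOWN_WORM_PROCESSES = {"avserve.exe", "avserve2.exe"}
DOWNLOADED_COPY_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
# TCP ports the post names: 445 (exploit), 9996 (remote shell), 5554 (worm FTP).
WORM_PORTS = {445, 9996, 5554}
# Assumed (constructed) firewall-log layout: "src_ip src_port dst_ip dst_port proto".
LOG_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\w+)$")


def flag_processes(image_names):
    """Return the Task Manager image names that match the post's indicators."""
    hits = []
    for name in image_names:
        lower = name.lower()
        if lower in KNOWN_WORM_PROCESSES or DOWNLOADED_COPY_RE.match(lower):
            hits.append(name)
    return hits


def scanning_hosts(log_lines, threshold=5):
    """Return {src_ip: {port: distinct_destinations}} for sources that touched a
    worm port on at least `threshold` different hosts. One 445 connection is
    ordinary file sharing; fan-out to many hosts is the worm's random scan."""
    fanout = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines in another format
        src, _sport, dst, dport, proto = m.groups()
        dport = int(dport)
        if proto.upper() == "TCP" and dport in WORM_PORTS:
            fanout.setdefault(src, {}).setdefault(dport, set()).add(dst)
    return {src: {p: len(d) for p, d in ports.items() if len(d) >= threshold}
            for src, ports in fanout.items()
            if any(len(d) >= threshold for d in ports.values())}


# Constructed sample data: one process list and log lines from one noisy host.
SAMPLE_PROCESSES = ["explorer.exe", "avserve2.exe", "31337_up.exe", "setup.exe"]
SAMPLE_LOG = [f"10.0.0.7 {1024 + i} 10.0.1.{i} 445 TCP" for i in range(1, 7)] + [
    "10.0.0.9 1030 10.0.0.1 445 TCP",     # a single file-share connection, not a scan
    "10.0.1.3 1031 10.0.0.7 5554 TCP",    # a victim fetching the copy from the worm's FTP
]

if __name__ == "__main__":
    print("suspect processes:", flag_processes(SAMPLE_PROCESSES))
    print("scanning hosts:", scanning_hosts(SAMPLE_LOG))
```

The process check is the same match you would do by eye in Task Manager; the log check adds the network side, so a host that is already infected shows up by its scanning even before anyone looks at its process list.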

A tool that completely removes this nasty worm can be downloaded from http://vil.nai.com/vil/stinger or http://download.nai.com/products/mca...rt/stinger.exe

When done, reboot the PC and make sure to visit http://v4.windowsupdate.microsoft.com/en/default.asp for the latest updates and patches.

Hope this helps,
Computernerd22