May 2nd, 2004, 06:49 PM
How to remove W32.Sasser Worm
I went to work today from 8:00am to 4:00pm its typically slow on Sundays but it was slammed today call after call seems like every customer was getting infected with this nasty worm. Getting whats known as Log/nosurf (means you can connect but cant display webpages) hence the name log/nosurf. Also getting error messages like 'desktop over quota, RPC, NT AUTHORITY, systems counting down, rebooting, deleting applications etc...
So heres a short tutorial on how to detect it, un-install it, and remove it form your PC. Enjoy.
type: virus, worm
infection length 15,872 bytes
Systems affected - Windows 2000,XP, Windows Server 2003,
Systems not infected - Linux, MAC, Novell Netware, OS2, Unix
W32. Sasser worm is a worm that attempts to exploit ms04-11 vulnerability. It spreads by scanning randomly choosen IP address for vulnerable systems.
Attempts to connect to random generated IP addressess on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996.
The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554, and retrieve a copy of the worm. This copy will have a name consisiting of 4 or 5 digits followed by _up.exe (example 31337_up.exe)
How to remove it
1. Make sure you connect to the internet with some form of protection like enabling Internet Connection Firewall( ICF).
2. Press control + alt + delete to bring up Windows Task Manager.
3. Click process tab
4. Double click 'image name' to sort the processes.
5. Look through the list and try to find avserve.exe & avserve2.exe or any process with a name consisting of 4 or 5 digits followed by _up.exe
If you find one , click it, and then click end process.
6.Exit the Task manager.
To download the tool instantly and completely remove this nasty worm can be found at http://vil.nai.com/vil/stinger or http://download.nai.com/products/mca...rt/stinger.exe
When done, reboot PC and make sure to visit http://v4.windowsupdate.microsoft.com/en/default.asp
for the latest updates, patches Hope this helps, Computernerd22