How to remove W32.Sasser Worm

Thread: How to remove W32.Sasser Worm

  1. #1
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    763

    How to remove W32.Sasser Worm

    W32.Sasser Worm

    I went to work today from 8:00am to 4:00pm. It's typically slow on Sundays, but it was slammed today, call after call; seems like every customer was getting infected with this nasty worm. Getting what's known as Log/nosurf (means you can connect but can't display webpages), hence the name log/nosurf. Also getting error messages like 'desktop over quota', RPC, NT AUTHORITY, systems counting down, rebooting, deleting applications etc...

    So here's a short tutorial on how to detect it, un-install it, and remove it from your PC. Enjoy.


    Type: virus, worm
    Infection length: 15,872 bytes
    Systems affected: Windows 2000, XP, Windows Server 2003
    Systems not infected: Linux, Mac, Novell NetWare, OS/2, Unix

    W32.Sasser is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly chosen IP addresses for vulnerable systems.

    It attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer, which may cause it to run a remote shell on TCP port 9996.

    The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (example: 31337_up.exe).

    How to remove it

    1. Make sure you connect to the internet with some form of protection, like enabling Internet Connection Firewall (ICF).

    2. Press Ctrl+Alt+Delete to bring up Windows Task Manager.

    3. Click the Processes tab.

    4. Double-click 'Image Name' to sort the processes.

    5. Look through the list and try to find avserve.exe & avserve2.exe, or any process with a name consisting of 4 or 5 digits followed by _up.exe.

    If you find one, click it, and then click End Process.

    6. Exit the Task Manager.

    A tool to instantly and completely remove this nasty worm can be downloaded at http://vil.nai.com/vil/stinger or http://download.nai.com/products/mca...rt/stinger.exe

    When done, reboot the PC and make sure to visit http://v4.windowsupdate.microsoft.com/en/default.asp for the latest updates and patches.

    Hope this helps, Computernerd22
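
    Added example (not code from the original post): a small Python check over connection records that flags hosts behaving the way the post describes: probing many hosts on TCP/445, connecting to a remote shell on TCP/9996, or serving the worm's FTP on TCP/5554. The flow-log format and the sample records are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample flow records (not from the thread): time, proto, src:port -> dst:port
SAMPLE_FLOWS = """
2004-05-02 09:14:01 TCP 10.0.0.17:1031 -> 10.29.4.8:445
2004-05-02 09:14:01 TCP 10.0.0.17:1032 -> 172.16.9.200:445
2004-05-02 09:14:02 TCP 10.0.0.17:1033 -> 192.168.77.3:445
2004-05-02 09:14:02 TCP 10.0.0.17:1034 -> 10.0.0.44:445
2004-05-02 09:14:03 TCP 10.0.0.17:1035 -> 10.0.0.45:445
2004-05-02 09:14:05 TCP 10.0.0.17:1036 -> 10.0.0.45:9996
2004-05-02 09:14:06 TCP 10.0.0.45:1040 -> 10.0.0.17:5554
2004-05-02 09:15:00 TCP 10.0.0.9:2001 -> 10.0.0.1:445
2004-05-02 09:15:01 TCP 10.0.0.9:2002 -> 10.0.0.2:80
"""

FLOW_RE = re.compile(
    r"^\S+ \S+ (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

SCAN_PORT = 445    # exploit attempts against LSASS (MS04-011)
SHELL_PORT = 9996  # remote shell the shellcode opens on the victim
FTP_PORT = 5554    # worm's own FTP server on the already-infected host

def sasser_suspects(text, scan_threshold=5):
    """Return {host: [reasons]} for hosts whose traffic matches the propagation pattern."""
    scanned = defaultdict(set)   # src -> distinct hosts probed on 445
    reasons = defaultdict(list)
    for line in text.strip().splitlines():
        m = FLOW_RE.match(line.strip())
        if not m or m["proto"] != "TCP":
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport == SCAN_PORT:
            scanned[src].add(dst)
        elif dport == SHELL_PORT:
            reasons[src].append(f"connected to remote shell port {SHELL_PORT} on {dst}")
        elif dport == FTP_PORT:
            # the host *serving* 5554 is the infected one, not the one fetching the copy
            reasons[dst].append(f"served worm FTP port {FTP_PORT} to {src}")
    for src, targets in scanned.items():
        if len(targets) >= scan_threshold:
            reasons[src].append(f"{len(targets)} distinct hosts probed on TCP/{SCAN_PORT}")
    return dict(reasons)

if __name__ == "__main__":
    for host, why in sasser_suspects(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(why))
```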

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Excellent post CN22. I just got to work to find that no one has updated our remote scanner yet, so now I get the joy of adding a few more ports to the list, another entry into the legend and adding a few links to the info pages of the scanning system. Since I have to add more functionality to the scanner I guess it isn't that bad... however this worm seems to be hitting rather hard.. I can't wait to see what kind of damage it causes. Anyways, good post and thanks for the links.... I'll definitely put them to good use.

    Peace
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Just one thing, if anyone has AVG installed, the name of the resident guard process is avgserv.exe. Do not confuse this with avserve.exe or avserve2.exe. Otherwise, great post.
    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com

  4. #4
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Computernerd22, excellent post.
    Just have a few more technical details to add.

    The actual registry entry Sasser makes is:
    "avserve2.exe"="%Windir%\avserve2.exe" (or)
    "avserve.exe"="%Windir%\avserve.exe" (Depending on the version of Sasser) in
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    (this is for those bold enough to do registry editing themselves.)

    Symantec also provides a removal tool known as FxSasser.exe, which can be downloaded Here
    For full instructions on what this tool does and how to use it, go Here
    (it's about midway through the page).

    btw Computernerd22, that Stinger is an awesome find. nice work.

    Note: Trojan.Adwaheck is apparently our newest pain in the ass. Read more about it Here
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #5
    Member
    Join Date
    Feb 2003
    Posts
    47
    Sorry, I hadn't seen this thread earlier. Wouldn't have started a somewhat similar thread.

    Another question regarding the Sasser worm. It generates a good amount of network traffic by trying to find machines on the same subnet. That causes ARP floods all over the network. At least the network congestion is not as bad as it gets with a Blaster infection. However, how does one cope with this sort of ARP flood, leaving aside patching (assuming some machines cannot be accessed, e.g. end user personal machines)? I thought using the Fake ARP daemon (farpd) to answer ARP requests such that all IPs seem taken might help. [My farpd was from the Phlak distribution. It can also be downloaded from here.] However this isn't really working, the ARP requests are still flooding the network. So have I got my logic wrong? Thanx..

    Scim

    P.S: And, does anyone here have any experience with farpd? I dunno how to even check if the program is working or not...
    _scimitar_

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Re: How to remove W32.Sasser Worm

    Originally posted here by Computernerd22
    W32.Sasser Worm
    5. Look through the list and try to find avserve.exe & avserve2.exe or any process with a name consisting of 4 or 5 digits followed by _up.exe
    The D variant uses skynetave.exe. The rest is the same.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

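    Added example (not code from any poster): the host-side indicators gathered across this thread in one Python check. It covers the process names from the original post's step 5, skynetave.exe from the D variant mentioned just above, the Run key entry from post #4, and the avgserv.exe look-alike from post #3, which must not be flagged. The process list and Run values fed to it are constructed samples.

```python
import re

# Indicators taken from the thread: original post (avserve.exe, avserve2.exe, NNNNN_up.exe),
# post #6 (D variant: skynetave.exe) and post #4 (autostart entry under the Run key).
SASSER_IMAGES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}
UP_EXE_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)   # 4 or 5 digits + _up.exe
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Legitimate look-alike from post #3 (AVG resident guard); must never be reported.
KNOWN_BENIGN = {"avgserv.exe"}

def suspicious_processes(image_names):
    """Return the Task Manager image names matching Sasser indicators, skipping known look-alikes."""
    hits = []
    for name in image_names:
        n = name.strip().lower()
        if n in KNOWN_BENIGN:
            continue
        if n in SASSER_IMAGES or UP_EXE_RE.match(n):
            hits.append(name.strip())
    return hits

def suspicious_run_entries(run_values):
    """run_values: {value_name: data} exported from the Run key; returns matching (name, data)."""
    hits = []
    for name, data in run_values.items():
        if not data.strip():
            continue
        # keep only the executable's file name: drop directory, arguments and quotes
        exe = data.strip().rsplit("\\", 1)[-1].split()[0].strip('"').lower()
        if exe in SASSER_IMAGES or UP_EXE_RE.match(exe):
            hits.append((name, data))
    return hits

# Constructed sample input (not from the thread): names as shown in Task Manager, and Run values.
SAMPLE_PROCESSES = ["System", "lsass.exe", "avgserv.exe", "avserve2.exe",
                    "31337_up.exe", "explorer.exe", "123_up.exe"]
SAMPLE_RUN = {"avserve2.exe": r"%Windir%\avserve2.exe",
              "ExampleAV": r"C:\Program Files\Example\avgserv.exe /background"}

if __name__ == "__main__":
    print("processes to end:", suspicious_processes(SAMPLE_PROCESSES))
    print(f"entries to remove from {RUN_KEY}:", suspicious_run_entries(SAMPLE_RUN))
```
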
  7. #7
    Junior Member
    Join Date
    May 2004
    Posts
    17

    Re: How to remove W32.Sasser Worm

    If you knew how to secure your computer, browser, e-mail and knew about computer security then none of your computers would have ever been infected to begin with.

    Trackit

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Re: Re: How to remove W32.Sasser Worm

    Originally posted here by trackit
    If you knew how to secure your computer, browser, e-mail and knew about computer security then none of your computers would have ever been infected to begin with.
    How many machines do you actively administer? Someday you'll find out how difficult things get when you have to administer a couple of thousand machines.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

