The Sasser Worm & Symantec's FxSasser.exe..
Page 1 of 3 123 LastLast
Results 1 to 10 of 24

Thread: The Sasser Worm & Symantec's FxSasser.exe..

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    47

    The Sasser Worm & Symantec's FxSasser.exe..

    Hello Folks,

    Regarding the Sassers worm, many of the machines on the college network were hit, and kept crashing/rebooting with the Error Msg along the lines of ... has exprienced errors with the xxx/lsass.exe service. Shutting down in .... . I used the patch provided by Microsoft, and the Sassers removal tool from Symantec. http://securityresponse.symantec.com...val.tool.html.

    Given an infected machine, I first install the patch, let the system reboot and then run the removal tool. It always comes up saying the sassers worm was not found on the system. Does the patch take care of even worm removal? If so, why would Symantec even put up a Removal tool? I'd like to know if anyone tried using the removal tool before installing the patch.. me's just curious. Thanx

    _Scim_
    _scimitar_

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Check to see if this file is on the computer:

    %Windir%\avserve2.exe.

    Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

    Cheers:
    DjM

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by DjM
    %Windir%\avserve2.exe.
    The variant I've seen uses %windir%\skynetave.exe.

    Check the following registrykey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    There will be a key there pointing to either avserve2 or skynetave. Remove them.
    Reboot. After the reboot remove the file in %windir%. Your infection is now over.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Things with sasser have moved quick..

    At this time the current version of the Symantec removal tool is v1.0.3 any thing before this is dog waste..

    I wont repaeat waht has already been said.. other than. read the latest on Symantec's info page....

    OK guys.. I said about these guys beating around the door.. I suspect when they find the door, it wont be a door knock like this.. there will be a package..... it could be.. Knock knock..package..find five doors..open package.. lights out..

    cheers (I am cheery arent I)
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  5. #5
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by SirDice
    The variant I've seen uses %windir%\skynetave.exe.

    Check the following registrykey:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

    There will be a key there pointing to either avserve2 or skynetave. Remove them.
    Reboot. After the reboot remove the file in %windir%. Your infection is now over.
    Skynet , aren't those the clowns that wrote the Netsky family of viruses? Don't they have enough to do.

    Cheers:

    /EDIT

    This was posted on the SANS site this morning.

    Sasser 'fix' hoax e-mail
    This afternoon there is a hoax e-mail making the rounds purporting to be from an anti-virus vendor and claiming to have a clean up tool for Sasser attached. This is, in fact, a new NetSky variant. Anti-virus vendors will never send the tools as attachments in e-mail. Always check the vendor's web site for their latest clean up tools.
    Are we having fun yet?
    DjM

  6. #6
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    Sasser 'fix' hoax e-mail
    This HAS to be the ultimate in home delivery systems !!
    Dial a Pizza eat your heart out. I have to admit to a smidge of a smile at the cheek of it though.
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  7. #7
    Junior Member
    Join Date
    Apr 2004
    Posts
    4
    I'm not responsible
    s a s s e r
    [glowpurple]Live your best life - Oprah[/glowpurple]

  8. #8
    press f8 before xp startup, enter safe mode and run the cleaner tool.

    Has anyone done housecall.trendmicro in safe mode w/ networking? Is that functionality available in safe mode?

    Answering your question, the patch doesn't remove sasser, it just patched the vulnerability it exploits. So it is necessary to delete the virus using the removal tool.

    To cancel the shutdown notice, click start-run-type cmd in the run box- at the black command prompt- type shutdown -a

    That will allow you to work. I removed the worm with the symantec removal tool before the I installed the patch, because the network cutoff access to the boxes I fixed.

  9. #9
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Everyone is talking bout 'specific' removal tools. This makes me a bit unsure of things.

    A customer of mine was infected last night with the sasser worm. In the process lists, it showed up as avserve.exe, not avserve1 or 2. I instantly (on the infected box) ran norton AV, with full updates and it found the sasser worm. It could not disinfect it, so it quarantined it. After a couple of reboots, and a new scan, it found it again, so norton AV quarantined it again. After that i deleted the quarantined files (bla, how the **** do you spell quarantined ) and after more reboots and full system scans, the worm seems to be gone. Is that enough? Now the said box appears to be clean. I rescanned it this morning a few times, and it all shows ok. Or is the default latest Norton AV updates not enough?

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

  10. #10
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Everyone is talking bout 'specific' removal tools. This makes me a bit unsure of things.

    A customer of mine was infected last night with the sasser worm. In the process lists, it showed up as avserve.exe, not avserve1 or 2. I instantly (on the infected box) ran norton AV, with full updates and it found the sasser worm. It could not disinfect it, so it quarantined it. After a couple of reboots, and a new scan, it found it again, so norton AV quarantined it again. After that i deleted the quarantined files (bla, how the **** do you spell quarantined ) and after more reboots and full system scans, the worm seems to be gone. Is that enough? Now the said box appears to be clean. I rescanned it this morning a few times, and it all shows ok. Or is the default latest Norton AV updates not enough?

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •