How to remove W32.Sasser Worm
W32.Sasser Worm
I went to work today from 8:00am to 4:00pm. It's typically slow on Sundays, but it was slammed today, call after call; it seems like every customer was getting infected with this nasty worm. Getting what's known as log/nosurf (means you can connect but can't display webpages), hence the name log/nosurf. Also getting error messages like 'desktop over quota', RPC, NT AUTHORITY, systems counting down, rebooting, deleting applications, etc.
So here's a short tutorial on how to detect it, uninstall it, and remove it from your PC. Enjoy.
Type: virus, worm
Infection length: 15,872 bytes
Systems affected: Windows 2000, XP, Windows Server 2003
Systems not infected: Linux, Mac, Novell NetWare, OS/2, Unix
W32.Sasser is a worm that attempts to exploit the ms04-11 vulnerability. It spreads by scanning randomly chosen IP addresses for vulnerable systems.
It attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer, which may cause it to run a remote shell on TCP port 9996.
The worm then uses the shell to make the computer connect back to the FTP server on port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (example: 31337_up.exe).
How to remove it
1. Make sure you connect to the internet with some form of protection, like enabling Internet Connection Firewall (ICF).
2. Press Ctrl + Alt + Delete to bring up Windows Task Manager.
3. Click the Processes tab.
4. Double-click 'Image Name' to sort the processes.
5. Look through the list and try to find avserve.exe & avserve2.exe or any process with a name consisting of 4 or 5 digits followed by _up.exe.
If you find one, click it, and then click End Process.
6. Exit the Task Manager.
The tool to instantly and completely remove this nasty worm can be found at http://vil.nai.com/vil/stinger or http://download.nai.com/products/mca...rt/stinger.exe
When done, reboot the PC and make sure to visit http://v4.windowsupdate.microsoft.com/en/default.asp for the latest updates and patches.
Hope this helps, Computernerd22
Re: How to remove W32.Sasser Worm
Quote:
Originally posted here by Computernerd22
W32.Sasser Worm
5. Look through the list and try to find avserve.exe & avserve2.exe or any process with a name consisting of 4 or 5 digits followed by _up.exe
The D variant uses skynetave.exe. The rest is the same.
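Detection logic for the indicators given in the two posts above (the process names including skynetave.exe, the 4-or-5-digit _up.exe naming pattern, and the 445/9996/5554 port sequence), as an added example that is not part of the thread; the flow-line format and all sample values are constructed.

```python
import re

# Indicators from the posts above: the worm's own process names (including
# skynetave.exe for the D variant) and the downloaded copy, named as 4 or 5
# digits followed by _up.exe (e.g. 31337_up.exe).
KNOWN_NAMES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}
UP_EXE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)


def suspicious_processes(image_names):
    """Return the Task Manager image names that match the worm indicators."""
    hits = []
    for name in image_names:
        lowered = name.lower()
        if lowered in KNOWN_NAMES or UP_EXE.match(lowered):
            hits.append(name)
    return hits


def sasser_attackers(flow_lines, min_ports=2):
    """Parse constructed 'src_ip dst_ip dst_port' lines and return hosts that,
    against one victim, used at least min_ports of the three ports. 445 and
    9996 are attacker -> victim; 5554 is the victim connecting back to the
    attacker's FTP server. Requiring two ports filters ordinary SMB on 445."""
    seen = {}
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue  # skip malformed lines rather than crash
        src, dst, port = parts[0], parts[1], int(parts[2])
        if port in (445, 9996):
            pair = (src, dst)          # attacker, victim
        elif port == 5554:
            pair = (dst, src)          # victim dials out to the attacker
        else:
            continue
        seen.setdefault(pair, set()).add(port)
    return sorted({att for (att, _vic), ports in seen.items() if len(ports) >= min_ports})


# Constructed sample input, not a real process list or capture.
SAMPLE_PROCESSES = ["explorer.exe", "avserve2.exe", "31337_up.exe",
                    "123_up.exe", "svchost.exe", "SKYNETAVE.EXE"]
SAMPLE_FLOWS = [
    "10.0.0.7 192.168.1.20 445",
    "10.0.0.7 192.168.1.20 9996",
    "192.168.1.20 10.0.0.7 5554",
    "10.0.0.9 192.168.1.20 445",
    "not a flow line",
]
if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_PROCESSES))  # ['avserve2.exe', '31337_up.exe', 'SKYNETAVE.EXE']
    print(sasser_attackers(SAMPLE_FLOWS))          # ['10.0.0.7']
```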
Re: How to remove W32.Sasser Worm
If you knew how to secure your computer, browser, e-mail and knew about computer security then none of your computers would have ever been infected to begin with.
Trackit
Re: Re: How to remove W32.Sasser Worm
Quote:
Originally posted here by trackit
If you knew how to secure your computer, browser, e-mail and knew about computer security then none of your computers would have ever been infected to begin with.
How many machines do you actively administer? Someday you'll find out how difficult things get when you have to administer a couple of thousand machines.