-
May 3rd, 2004, 05:40 PM
#1
Member
The Sasser Worm & Symantec's FxSasser.exe..
Hello Folks,
Regarding the Sasser worm, many of the machines on the college network were hit, and kept crashing/rebooting with the Error Msg along the lines of ... has experienced errors with the xxx/lsass.exe service. Shutting down in .... . I used the patch provided by Microsoft, and the Sasser removal tool from Symantec. http://securityresponse.symantec.com...val.tool.html.
Given an infected machine, I first install the patch, let the system reboot and then run the removal tool. It always comes up saying the Sasser worm was not found on the system. Does the patch take care of even worm removal? If so, why would Symantec even put up a Removal tool? I'd like to know if anyone tried using the removal tool before installing the patch.. me's just curious. Thanx
_Scim_
-
May 3rd, 2004, 06:14 PM
#2
Check to see if this file is on the computer:
%Windir%\avserve2.exe.
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
Cheers:
-
May 4th, 2004, 01:16 PM
#3
Originally posted here by DjM
%Windir%\avserve2.exe.
The variant I've seen uses %windir%\skynetave.exe.
Check the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
There will be a key there pointing to either avserve2 or skynetave. Remove them.
Reboot. After the reboot remove the file in %windir%. Your infection is now over.
Oliver's Law:
Experience is something you don't get until just after you need it.
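The two checks in this post (the dropped file in %windir% and the Run value pointing at it), written up as a PowerShell script. This is an added example, not something from the thread or from Symantec's tool; it assumes a current PowerShell and only the file names quoted in this thread (avserve.exe, avserve2.exe, skynetave.exe), so other variants would need their own names.

```powershell
# Added example: report Sasser indicators named in this thread, and
# optionally remove the Run value in the order the post describes
# (Run value first, reboot, then delete the file from %windir%).
# Assumption: file names and Run key are the ones quoted in the thread.
param([switch]$Remove)

$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$dropped  = @('avserve.exe', 'avserve2.exe', 'skynetave.exe')
$findings = @()

# 1. Look for the dropped executable in the Windows folder.
foreach ($name in $dropped) {
    $path = Join-Path $env:windir $name
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Value = $name }
    }
}

# 2. Look for any Run value whose command line names one of those files.
$runValues = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($runValues) {
    foreach ($prop in $runValues.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
        foreach ($name in $dropped) {
            if ("$($prop.Value)" -like "*$name*") {
                $findings += [pscustomobject]@{
                    Type = 'RunValue'; Location = "$runKey\$($prop.Name)"; Value = $prop.Value
                }
            }
        }
    }
}

if (-not $findings) { Write-Host 'No Sasser indicators found.'; return }
$findings | Format-Table -AutoSize

if ($Remove) {
    foreach ($f in ($findings | Where-Object { $_.Type -eq 'RunValue' })) {
        Remove-ItemProperty -Path $runKey -Name (Split-Path $f.Location -Leaf) -ErrorAction SilentlyContinue
    }
    Write-Host 'Run value(s) removed. Reboot, then delete the listed file(s) from %windir%.'
}
```

Run it without `-Remove` first to see what it finds; the patch still has to be applied separately, since (as a later post notes) it closes the hole but does not remove the worm.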
-
May 4th, 2004, 01:37 PM
#4
Things with Sasser have moved quickly..
At this time the current version of the Symantec removal tool is v1.0.3; anything before this is dog waste..
I won't repeat what has already been said.. other than: read the latest on Symantec's info page....
OK guys.. I said about these guys beating around the door.. I suspect when they find the door, it won't be a door knock like this.. there will be a package..... it could be.. Knock knock..package..find five doors..open package.. lights out..
cheers (I am cheery aren't I)
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
May 4th, 2004, 03:13 PM
#5
Originally posted here by SirDice
The variant I've seen uses %windir%\skynetave.exe.
Check the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
There will be a key there pointing to either avserve2 or skynetave. Remove them.
Reboot. After the reboot remove the file in %windir%. Your infection is now over.
Skynet, aren't those the clowns that wrote the Netsky family of viruses? Don't they have enough to do.
Cheers:
/EDIT
This was posted on the SANS site this morning.
Sasser 'fix' hoax e-mail
This afternoon there is a hoax e-mail making the rounds purporting to be from an anti-virus vendor and claiming to have a clean up tool for Sasser attached. This is, in fact, a new NetSky variant. Anti-virus vendors will never send the tools as attachments in e-mail. Always check the vendor's web site for their latest clean up tools.
Are we having fun yet?
-
May 4th, 2004, 10:45 PM
#6
This HAS to be the ultimate in home delivery systems !!
Dial a Pizza eat your heart out. I have to admit to a smidge of a smile at the cheek of it though.
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
May 4th, 2004, 11:01 PM
#7
Junior Member
I'm not responsible
s a s s e r
[glowpurple]Live your best life - Oprah[/glowpurple]
-
May 4th, 2004, 11:25 PM
#8
Press F8 before XP startup, enter safe mode and run the cleaner tool.
Has anyone done housecall.trendmicro in safe mode w/ networking? Is that functionality available in safe mode?
Answering your question, the patch doesn't remove Sasser, it just patches the vulnerability it exploits. So it is necessary to delete the virus using the removal tool.
To cancel the shutdown notice, click Start - Run - type cmd in the Run box - at the black command prompt - type shutdown -a
That will allow you to work. I removed the worm with the Symantec removal tool before I installed the patch, because the network cut off access to the boxes I fixed.
-
May 5th, 2004, 07:26 AM
#9
Everyone is talking about 'specific' removal tools. This makes me a bit unsure of things.
A customer of mine was infected last night with the Sasser worm. In the process list, it showed up as avserve.exe, not avserve1 or 2. I instantly (on the infected box) ran Norton AV, with full updates, and it found the Sasser worm. It could not disinfect it, so it quarantined it. After a couple of reboots, and a new scan, it found it again, so Norton AV quarantined it again. After that I deleted the quarantined files (bla, how the **** do you spell quarantined ) and after more reboots and full system scans, the worm seems to be gone. Is that enough? Now the said box appears to be clean. I rescanned it this morning a few times, and it all shows ok. Or are the default latest Norton AV updates not enough?
Cheers.
Ubuntu-: Means in African : "I'm too dumb to use Slackware"