Sasser Worm Infects Thousands of Computers Worldwide
Bloomberg | May 3, 2004
Posted on 05/03/2004 8:30:21 AM PDT by FourPeas
Edited on 07/19/2004 2:14:00 PM PDT by Jim Robinson.
May 3 (Bloomberg) -- A computer worm called Sasser may have infected hundreds of thousands of computers through the Internet and is still spreading, possibly disrupting business today, a security software expert said.
The worm, which is different than a virus because it doesn't need to be attached to an e-mail to spread, causes a computer to shut down and then reboot several times, apparently without causing any permanent damage, said Mikko Hyppoenen, director of virus research with Helsinki-based F-Secure Oyj. The worm was detected Saturday at 4 a.m. Finnish time, he said.
(Excerpt) Read more at quote.bloomberg.com ...
TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Front Page News; News/Current Events
KEYWORDS: lowqualitycrap; microsoft; sasser; windows; worm
To: FourPeas
61 posted on 05/03/2004 10:16:14 AM PDT by CyberCowboy777 (Veritas vos liberabit)
To: IamHD
Symantec tools always throw up the warning that you must be an administrator, even if you are an admin on the box.
Run the tool - if you get an error, you will need to log in with the default Administrator account (hopefully you know the password!)
62 posted on 05/03/2004 10:21:57 AM PDT by CyberCowboy777 (Veritas vos liberabit)
To: CyberCowboy777; FourPeas
Cool, thanks! Very interesting. The bottom line is, though, that running a firewall should stop most of these kinds of attacks, right?
To: FourtySeven
My daughter has up-to-date Norton, and also has ZoneAlarm, and she still got hit with Sasser b. variant. She didn't even have a chance to finish downloading the patch and it shut her computer down. :(
64 posted on 05/03/2004 10:26:26 AM PDT by IamHD
To: CyberCowboy777
Okey, dokey...Well, the admin has either got to be Gateway, or her. I'll try it before I try to manually delete it. Thanks. I just hate messing with the registry, which I'm going to have to do. I've had to deal with the blaster worm and was able to get rid of that, but I'm just a mom, not a computer genius. :)
65 posted on 05/03/2004 10:32:34 AM PDT by IamHD
To: FourtySeven
Firewall and up-to-date AntiVirus.
Most folks have no need for FTP and other TCP ports being open; shut them down.
CABLE USERS - Many broadband companies will sell you a cable modem (SurfBoard is common) and you will be able to get on the Internet. However, I highly suggest you purchase a Cable/DSL router and put it in between your cable modem and PCs. A router with a 4-port switch (for 4 PCs) can cost as little as $50.00 and the control and protection it will give you is priceless.
These routers will have an easy-to-use web interface and a manual for setup. The firewall functions can usually be set to default High Level Security to block all uninitiated inbound TCP ports.
66 posted on 05/03/2004 10:32:55 AM PDT by CyberCowboy777 (Veritas vos liberabit)
To: FourtySeven
IF the firewall is properly configured.
67 posted on 05/03/2004 10:34:20 AM PDT by FourPeas
To: al_c
Don't start that. I have been a Mac user for well over 15 years and I have had my share of viruses. Not many, but enough to be annoyed by them.
More than 20,000 recorded viruses for the wintel environment vs less than 100 for mac... I'll take your annoyance over putting my helpdesk on suicide watch any day?
And now that the Mac uses Unix, they are now even more of a target.
Interesting, do you have anything to back that up with?
68 posted on 05/03/2004 10:35:32 AM PDT by N3WBI3
To: All
I recently had something get onto my computer that has installed a lot of adware.
I have Spybot Search and Destroy, Norton AV, Ad Aware, and Swat It.
I have run all of them, but something obviously can't be removed since I notice every time I go back into Ad-Aware another huge number of adware files is in there, so the main suspicious program has not been fully removed.
Any advice on what to do?
69 posted on 05/03/2004 10:36:25 AM PDT by rwfromkansas ("Am I not destroying my enemies when I make friends of them?" -- Abraham Lincoln)
To: IamHD
If you can't get admin privileges, manual removal will not work either, as the rights the tool needs are the same rights you will need - registry control.
Try to get logged in as the "administrator". Whoever installed the O/S should know the password.
If she has been installing software and the like, then she likely has some advanced user rights at a minimum.
70 posted on 05/03/2004 10:36:48 AM PDT by CyberCowboy777 (Veritas vos liberabit)
To: FourPeas
71 posted on 05/03/2004 10:40:00 AM PDT by FourPeas
To: N3WBI3
More than 20,000 recorded viruses for the wintel environment vs less than 100 for mac...
What a coincidence... That's also roughly the ratio of useful Windows applications to Mac applications, and Windows users to Mac users...
To: al_c
I have been a Mac user for well over 15 years and I have had my share of viruses.
Somehow I cannot believe that. I have only seen one mac virus and it was on someone else's machine 10 years ago.
And now that the Mac uses Unix, they are now even more of a target.
Don't think so. Now they are even more secure.
73 posted on 05/03/2004 10:48:11 AM PDT by zeebee (half is better than none)
To: brownsfan
Me? Humorless?! ;o)
74 posted on 05/03/2004 10:49:38 AM PDT by al_c
To: IamHD
From a geek board (found at http://www.antionline.com/showthread.php?s=b3a2d649823a28b14ebfc67c8f0886ff&threadid=257313):
Type: virus, worm
Infection length: 15,872 bytes
Systems affected - Windows 2000, XP, Windows Server 2003
Systems not infected - Linux, MAC, Novell Netware, OS2, Unix
W32. Sasser worm is a worm that attempts to exploit ms04-11 vulnerability. It spreads by scanning randomly chosen IP addresses for vulnerable systems.
Attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996.
The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554, and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (example 31337_up.exe)
How to remove it
1. Make sure you connect to the internet with some form of protection like enabling Internet Connection Firewall (ICF).
2. Press control + alt + delete to bring up Windows Task Manager.
3. Click process tab
4. Double click 'image name' to sort the processes.
5. Look through the list and try to find avserve.exe & avserve2.exe or any process with a name consisting of 4 or 5 digits followed by _up.exe
If you find one, click it, and then click end process.
6. Exit the Task Manager.
The tool to download to instantly and completely remove this nasty worm can be found at
http://vil.nai.com/vil/stinger or
http://download.nai.com/products/mc...ert/stinger.exe
When done, reboot PC and make sure to visit
http://v4.windowsupdate.microsoft.com/en/default.asp for the latest updates, patches
Hope this helps, Computernerd22
75 posted on 05/03/2004 10:50:13 AM PDT by FourPeas
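Added example (not part of the thread or the quoted antionline post): the manual Task Manager check in post 75, plus the port behaviour it describes, written as a script over saved `tasklist` and `netstat -an` text. The process names, the `_up.exe` pattern and ports 445, 5554 and 9996 come from the post; the scan threshold and the sample output are constructed assumptions.

```python
import re

# Indicators come from the post above; the threshold and sample data are constructed.
WORM_NAMES = {"avserve.exe", "avserve2.exe"}
DROPPED_COPY = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
LISTEN_PORTS = {5554: "FTP server handing out worm copies", 9996: "remote shell"}
SCAN_PORT, SCAN_THRESHOLD = 445, 5   # assumed cut-off for "scanning", tune per host

def suspicious_processes(tasklist_text):
    """Return image names that match the worm's known or dropped-copy names."""
    hits = []
    for line in tasklist_text.splitlines():
        fields = line.split()
        if fields and (fields[0].lower() in WORM_NAMES or DROPPED_COPY.match(fields[0])):
            hits.append(fields[0])
    return hits

def suspicious_sockets(netstat_text):
    """Flag listeners on 5554/9996 and fan-out to many distinct hosts on TCP 445."""
    findings, targets = [], set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] != "TCP":
            continue                      # skip headers, UDP rows, blank lines
        local_port = int(f[1].rsplit(":", 1)[1])
        remote_ip, remote_port = f[2].rsplit(":", 1)
        if f[3] == "LISTENING" and local_port in LISTEN_PORTS:
            findings.append(f"listening on {local_port} ({LISTEN_PORTS[local_port]})")
        elif remote_port == str(SCAN_PORT):
            targets.add(remote_ip)
    if len(targets) >= SCAN_THRESHOLD:
        findings.append(f"outbound TCP {SCAN_PORT} to {len(targets)} distinct hosts")
    return findings

# Constructed sample output (documentation IP ranges), not captured from a real host.
SAMPLE_TASKLIST = """Image Name                   PID Session Name     Mem Usage
svchost.exe                  820 Console            3,912 K
avserve2.exe                1480 Console            2,104 K
31337_up.exe                1992 Console            1,880 K
123_up.exe                  2040 Console            1,020 K"""
SAMPLE_NETSTAT = "\n".join(
    ["  Proto  Local Address     Foreign Address   State",
     "  TCP    0.0.0.0:135       0.0.0.0:0         LISTENING",
     "  TCP    0.0.0.0:5554      0.0.0.0:0         LISTENING"]
    + [f"  TCP    192.0.2.10:{1100 + i}   198.51.100.{i}:445  SYN_SENT" for i in range(1, 7)])

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_TASKLIST))
    print(suspicious_sockets(SAMPLE_NETSTAT))
```

A single connection to port 445 (an ordinary file share) stays below the threshold; only fan-out to many distinct addresses is reported.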
To: mass55th
I didn't say it was as common as Windows viruses, but the ones for Mac do exist.
76 posted on 05/03/2004 10:50:30 AM PDT by al_c
To: N3WBI3
More than 20,000 recorded viruses for the wintel environment vs less than 100 for mac... I'll take your annoyance over putting my helpdesk on suicide watch any day?
LOL. Agreed.
Interesting, do you have anything to back that up with?
Unix is more widely used than the old Mac OS, therefore probably more widely targeted.
77 posted on 05/03/2004 10:52:08 AM PDT by al_c
To: Arthalion
We are doing so from the Internet, but we have more than a thousand outside PC's that connect via RAS or VPN, and they tend to be the weak link in our security.
Ah, there's always a catch, isn't there? ;)
Good luck - sounds like you guys are being solidly proactive, but I'll cross my fingers for ya just in case..
78 posted on 05/03/2004 10:52:51 AM PDT by general_re (Drive offensively - the life you save may be your own.)
To: Arthalion
outside PC's that connect via RAS or VPN
That sounds familiar: Crackdown.
79 posted on 05/03/2004 10:57:14 AM PDT by FourPeas
To: Snowy
Yeah I hear ya, I spent a beautiful Sunday morning in Houston playing phone support to my Dad. He at least called Microsoft to get some help, but when it looked like he would be on hold for 4 hours, he called me. Had him cleaned up in 30 minutes.
80 posted on 05/03/2004 11:02:56 AM PDT by OC_Steve (Dudes, how Y'all doin?)