My daughter has up-to-date Norton, and also has ZoneAlarm, and she still got hit with Sasser b. variant. She didn't even have a chance to finish downloading the patch and it shut her computer down. :(
From a geek board (found at http://www.antionline.com/showthread.php?s=b3a2d649823a28b14ebfc67c8f0886ff&threadid=257313):
Type: virus, worm
Infection length: 15,872 bytes
Systems affected: Windows 2000, XP, Windows Server 2003
Systems not infected: Linux, MAC, Novell Netware, OS2, Unix
W32.Sasser is a worm that attempts to exploit the ms04-11 vulnerability. It spreads by scanning randomly chosen IP addresses for vulnerable systems.
It attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made to a computer, the worm sends shellcode to that computer which may cause it to run a remote shell on TCP port 9996.
The worm then uses the shell to cause the computer to connect back to the FTP server on port 5554, and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (example 31337_up.exe)
How to remove it
1. Make sure you connect to the internet with some form of protection like enabling Internet Connection Firewall (ICF).
2. Press control + alt + delete to bring up Windows Task Manager.
3. Click the process tab.
4. Double click 'image name' to sort the processes.
5. Look through the list and try to find avserve.exe & avserve2.exe or any process with a name consisting of 4 or 5 digits followed by _up.exe. If you find one, click it, and then click end process.
6. Exit the Task Manager.
The tool to instantly and completely remove this nasty worm can be downloaded from
http://vil.nai.com/vil/stinger or
http://download.nai.com/products/mc...ert/stinger.exe
When done, reboot the PC and make sure to visit
http://v4.windowsupdate.microsoft.com/en/default.asp for the latest updates and patches.
Hope this helps, Computernerd22
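An added example, not part of the quoted post: a small Python triage that checks a list of process image names and `netstat -an` style TCP lines for the indicators the post names (avserve.exe, avserve2.exe, the 4-or-5-digit _up.exe copies, listeners on ports 9996 and 5554, and outbound connection attempts to many hosts on port 445). The function names, the scan threshold and the sample data are assumptions made for the illustration.

```python
import re

# Indicators taken from the post above.
KNOWN_NAMES = {"avserve.exe", "avserve2.exe"}
DROPPED_COPY = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
WORM_LISTEN_PORTS = {9996: "remote shell", 5554: "FTP server"}
SCAN_PORT = 445
SCAN_THRESHOLD = 10  # assumption: distinct targets before we call it scanning

def check_processes(names):
    """Return process image names that match the worm's file names."""
    hits = []
    for name in names:
        base = name.strip().lower()
        if base in KNOWN_NAMES or DROPPED_COPY.match(base):
            hits.append(name.strip())
    return hits

def check_connections(netstat_lines):
    """Parse 'netstat -an' style TCP lines; return (listeners, scan_targets)."""
    listeners, targets = [], set()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue  # skip headers, UDP rows, blank lines
        local, remote, state = parts[1], parts[2], parts[3].upper()
        lport = local.rsplit(":", 1)[-1]
        rhost, _, rport = remote.rpartition(":")
        if state == "LISTENING" and lport.isdigit() and int(lport) in WORM_LISTEN_PORTS:
            listeners.append((int(lport), WORM_LISTEN_PORTS[int(lport)]))
        elif state == "SYN_SENT" and rport == str(SCAN_PORT):
            targets.add(rhost)  # half-open attempt to another host's port 445
    return listeners, targets

def triage(names, netstat_lines):
    procs = check_processes(names)
    listeners, targets = check_connections(netstat_lines)
    return {"processes": procs, "listeners": listeners,
            "scanning": len(targets) >= SCAN_THRESHOLD}

# Constructed sample data, not captured from a real host.
SAMPLE_PROCS = ["explorer.exe", "avserve2.exe", "31337_up.exe", "123_up.exe", "setup_up.exe"]
SAMPLE_NETSTAT = (["Proto  Local Address  Foreign Address  State",
                   "TCP  0.0.0.0:5554  0.0.0.0:0  LISTENING",
                   "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING"]
                  + [f"TCP  192.0.2.10:{1100 + i}  198.51.100.{i}:445  SYN_SENT" for i in range(1, 13)])

if __name__ == "__main__":
    print(triage(SAMPLE_PROCS, SAMPLE_NETSTAT))
```

A hit on any of the three checks is a reason to run the removal steps and patch; a clean result only means these particular indicators were not present in the input.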