Sasser Worm

Discussion in 'Software' started by green_newbie, May 2, 2004.

Thread Status:
Not open for further replies.
  1. green_newbie

    green_newbie Private First Class

    this is the latest thing to overwhelm Microsoft

    it has 2 variants (known as of 5/2/04 around 1:00pm)
    sasser.a/sasser.b
    they, along with the Agobot/Baobot and Phatbot, are attacking machines unpatched by MS04-011

    mostly this is about sasser

    doesn't affect Win 95, Win 98, or Win ME,
    does affect Win 2000 and XP

    LSASS (Local Security Authority Subsystem Service) is exploited and issued a shell command to invoke FTP.EXE to pull the random file over. The file is 15,872 bytes and is placed in systemroot\system32 (c:\windows\system32) and then executed. It then copies itself to systemroot (c:\windows) and adds avserve.exe to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\windows\CurrentVersion\Run key. At this point it's running as the LOCALSYSTEM logged-on user. The original file (16210_up.exe) is left on the system, so there are now two copies.

    may get error message

    "lsass.exe - application error"
    "the instruction "0x0083f878" referenced memory at 0x00000023". The memory could not be "read"
    click OK to terminate the program
    click Cancel to debug the program



    windows error reporting will say something like
    LSA Shell (export Version)
    encountered a problem and needed to close.

    solve by going to microsoft.com; on the right side, right under a green picture that says "protect your pc...", is a link "Sasser worm alert: What to do". You can follow that.

    basically
    1>disconnect from the internet

    2>use task manager to kill the following (may see one or more (this list is growing))
    *_up.exe
    avserv*.exe
    hkey.exe
    msiwin84.exe
    wmiprvsw.exe

    3>make sure you have a firewall running, at least Windows'

    only do this next if you are comfortable with regedit
    4> Use regedit to look for and remove any of the processes above
    (note: when searching do not include ".exe" in the search except for "hkey.exe")

    5>search for and delete the following files from the hard drive
    -c:\windows\avserv*.exe
    -c:\windows\system32\*_up.exe
    -avserve*.exe
    -hkey.exe
    -msiwin84.exe
    -wmiprvsw.exe

    6>go to http://windowsupdate.microsoft.com
    scan for updates
    install all critical updates and service packs

    NOTE: anytime you see * in a file name it stands for any # or order of #s 0-9; you can actually use it in a search if I am right.

    this is all very new info and there may be updates or file names that I have missed;
    check microsoft.com.

    sorry if this is old news but it is new to Microsoft's PC safety help line.
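A defender-side check for the indicator file names and Run-key entry listed in this post (plus skynetave.exe, named in a later reply), written for this thread as an added example and not part of the original post. It treats the `*` in the file names as "any digits 0-9", as the NOTE above describes, and runs over constructed sample paths and Run-key values rather than a live registry; the `avserve?` pattern, which folds the separate avserv*/avserve* entries together, is an assumption.

```python
import ntpath
import re

# Indicator file names taken from the removal steps in the thread. The "*"
# there stands for any run of digits 0-9, so it becomes [0-9]* here, not a
# shell glob. skynetave.exe comes from a later post in the same thread.
SASSER_FILE_PATTERNS = [
    r"[0-9]+_up\.exe",          # e.g. 16210_up.exe, the file pulled over by FTP.EXE
    r"avserve?[0-9]*\.exe",     # avserve.exe plus numbered avserv*/avserve* variants (assumption)
    r"hkey\.exe",
    r"msiwin84\.exe",
    r"wmiprvsw\.exe",
    r"skynetave\.exe",
]
_INDICATOR_RE = re.compile("^(?:" + "|".join(SASSER_FILE_PATTERNS) + ")$", re.IGNORECASE)


def is_sasser_filename(name):
    """True if a bare file name matches one of the indicator patterns."""
    return _INDICATOR_RE.match(name) is not None


def scan_paths(paths):
    """Return the paths whose file name matches an indicator (case-insensitive)."""
    return [p for p in paths if is_sasser_filename(ntpath.basename(p))]


def command_basename(command):
    """Executable name from a Run-key value; handles quoted paths and trailing arguments."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        exe = command.split(None, 1)[0] if command else ""
    return ntpath.basename(exe)


def scan_run_key(run_values):
    """Return the names of Run-key values whose command launches an indicator file."""
    return [name for name, cmd in run_values.items()
            if is_sasser_filename(command_basename(cmd))]


# Constructed sample data (not taken from a real machine) to exercise the checks.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\16210_up.exe",
    r"C:\WINDOWS\avserve.exe",
    r"C:\WINDOWS\system32\lsass.exe",       # the legitimate LSASS binary must not match
    r"C:\WINDOWS\system32\ctfmon.exe",
]
SAMPLE_RUN_VALUES = {
    "avserve.exe": r"C:\WINDOWS\avserve.exe",
    "ctfmon.exe": r'"C:\WINDOWS\system32\ctfmon.exe" /arg',
}

if __name__ == "__main__":
    print("suspicious files:", scan_paths(SAMPLE_PATHS))
    print("suspicious Run entries:", scan_run_key(SAMPLE_RUN_VALUES))
```

On a real machine the same functions can be fed `os.listdir` output for the two directories named above and the values read from the Run key.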
     
  2. Adrynalyne

    Adrynalyne Guest

  3. green_newbie

    green_newbie Private First Class

    skynetave.exe is a new process and file to watch for as an indicator of sasser

    just learned this at 8:00am today
     
  4. green_newbie

    green_newbie Private First Class

    well I am working at this moment, as I am typing this, in a call center for Microsoft PC safety and we are doing tech support for this virus (as well as others that affect Windows), and they just walked around and emailed giving us that update, moments before I put the post up.
     
  5. Adrynalyne

    Adrynalyne Guest


    You can't be serious.


    msblast is one reg entry, a patch, and an exe to fix em up.

    Welchia, a little more.

    This takes far more to remove.
     
  6. Adrynalyne

    Adrynalyne Guest

    We had that problem with msblast too, robo. Not sure if it's a symptom or broken digital signing.


    Start the thread, I got a few ideas on how to help resolve it, if needed.
     
  7. Adrynalyne

    Adrynalyne Guest

    False.

    Sasser spreads like msblast. It is not attached to anything you intentionally download.

    There are three for sure constants when you connect to the net without using a firewall, antivirus, or updates.

    1. msblast and/or variant.
    2. welchia and/or variant.
    3. sasser and/or variant.


    You don't have to download a thing to get infected.
     
  8. Adrynalyne

    Adrynalyne Guest

    We get people calling XP support all the time screaming that we infected them with an update.

    We just sit back and chuckle to ourselves ;)
     
  9. green_newbie

    green_newbie Private First Class

    my thoughts are that this is completely false; I have successfully removed the sasser viruses from multiple customers' machines, not using AVG at all but using the removal tool and the Microsoft patch.

    note: the Microsoft removal tool you can find through www.microsoft.com
    is good, but new things on this virus are coming out often and Microsoft's removal tool is a bit behind,

    if you have a major virus removal like Norton use their tools on this; they are better I think (some people at Microsoft have even said this, it is in argument)
     
  10. Adrynalyne

    Adrynalyne Guest

  11. Adrynalyne

    Adrynalyne Guest

    I hate it when people do that.
     
  12. Adrynalyne

    Adrynalyne Guest


    It isn't RPC initiating the shutdown. It's lsass.exe

    Same result, different causes.


    As for easy removal, msblast was initially one file and one reg entry.

    This is multiple files and multiple entries.

    Call me weird, but IMO that does not make it easier or as easy to remove as msblast.
     
  13. green_newbie

    green_newbie Private First Class

    really, I will have to ask about that; where I work we are actually doing Xbox tech and Windows virus stuff, they have me primarily on Xbox, only doing OT on the virus, so many times I am behind what the newest stuff is. thanks

    I am wondering what differentiates between what is a variant of a virus and a new virus altogether??

    I was of the understanding that the Sasser worm attacks LSASS (Local Security Authority Subsystem Service), which is in 2000 and XP but not versions before this. this isn't the kind of stuff I am so smart I just know on my own,
    I don't know a lot about viruses or how they work. I only know what I know because I am sitting here reading as I help people with this thing ... so it's like I know what I am doing but don't know why, almost painful :p
     
    Last edited: May 5, 2004
  14. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    The final word

    The internet is a huge source of disinformation and here's why. Somewhere, somehow, you heard that all Windows versions are now open to this virus. Rather than confirm this information, you just run around and add fuel to the fire.

    I believe Microsoft, who updated the tool last night to 2.0 (which we posted first BTW)

    http://www.microsoft.com/security/incident/sasser.asp

    Software Affected

    Windows XP, Windows XP Service Pack 1 (SP1)
    Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4


    Software Not Affected

    Windows XP 64-Bit Edition Version 2003
    Windows Server™ 2003
    Windows XP 64-Bit Edition SP1
    Windows Millennium Edition
    Windows 98 Second Edition
    Windows 98
    Windows NT® 4.0 SP6a


    I am closing this thread as my contribution to ending disinformation and apologize to anyone who had anything to add; you're welcome to start a new thread.
     
  15. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    150 people, oh God please tell me you're not tech support? Let me confirm what you SHOULD have before posting by a 2 minute trip to Symantec. The Microsoft visit cost me one minute. Total time to understand the virus and what operating system it affects, 5-10 minutes.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html

    http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

    I hope this helps the 150 people you're misinforming as well as anywhere else you may be spouting this. You may now carry on and truly act informed :)

     