
The OSNN Definitive Sasser Virus Thread

Henyman

Secret Goat Fetish
Political User
#1
This is an attempt to clear up some confusion for all people who are, or may be, infected with the Sasser virus.
the first step is to open internet explorer and go to:

https://www.microsoft.com/security/incident/sasser.asp

there you will find a simple test to see if you're infected :cool: *note* i know i had to change my ie settings in Tools>>Internet Options>>Security and move the slider to low for the internet in order for the test to run.

you can only be affected if you have not updated windows via windows update with the patch released on 13 April.
To help protect your computer against the Sasser worm and its variants, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 on Windows Update listed in the Critical Updates and Service Packs section.
Basic virus info acording to Symantec:
When W32.Sasser.B.Worm runs, it does the following:

1. Attempts to create a mutex named JumpallsNlsTillt and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.

2. Attempts to create a mutex named Jobaka3. This mutex does not serve any apparent purpose.

3. Copies itself as %Windir%\Avserve2.exe.

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
4. Adds the value:

"avserve2.exe"="%Windir%\avserve2.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

5. Uses the AbortSystemShutdown API to hinder the attempts to shut down or restart the computer.

6. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

7. Iterates through all the host IP addresses, looking for addresses without any of the following:
* 127.0.0.1
* 10.x.x.x
* 172.16.x.x - 172.31.x.x (inclusive)
* 192.168.x.x
* 169.254.x.x

8. Using one of these IP addresses, the worm then generates a random IP address.
* 52% of the time, the IP address is completely random.
* 23% of the time, the last three octets are changed to random numbers.
* 25% of the time, the last two octets are changed to random numbers.

Notes:
* An octet is an 8-bit section of an IP address. For example, if A.B.C.D is an IP address, A is the first octet, B is the second, C is the third, and D is the fourth.
* Because the worm can create completely random addresses, any IP range can be infected.
* This process is composed of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow as to be barely usable.
9. Connects to the randomly generated IP address on TCP port 445 to determine whether a remote computer is online.

10. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.

11. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.

12. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in one minute.
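The behaviour Symantec describes above gives a defender several checkable indicators: the Run-key value and %Windir% copy (steps 3-4), the FTP listener on 5554 and the shell on 9996 (steps 6 and 10), the `NNNNN_up.exe` copy name (step 11), and heavy scanning of TCP 445 (steps 8-9). The script below is an added example, not part of the original thread or of Symantec's write-up; the registry snapshot, port list, file list and firewall log format (`src -> dst:port`) are constructed sample data.

```python
import re
from collections import defaultdict
# Indicators taken from the Symantec description quoted above.
WORM_FILE = "avserve2.exe"          # copied into %Windir% and registered under Run
WORM_PORTS = {5554, 9996}           # worm FTP server / remote shell it opens
DROPPED_COPY = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)  # e.g. 74354_up.exe

def check_host(run_key, listening_ports, windir_files):
    """Return the indicators matched by one host snapshot (constructed inputs below)."""
    hits = []
    for name, path in run_key.items():
        if name.lower() == WORM_FILE or path.lower().endswith("\\" + WORM_FILE):
            hits.append(f"Run key persistence: {name}={path}")
    for port in sorted(WORM_PORTS & set(listening_ports)):
        hits.append(f"listener on TCP {port}")
    for fname in windir_files:
        if fname.lower() == WORM_FILE or DROPPED_COPY.match(fname):
            hits.append(f"worm file in %Windir%: {fname}")
    return hits

# Constructed firewall log format: "<src> -> <dst>:<dport>", one connection per line.
LOG_LINE = re.compile(r"^(\S+) -> (\S+):(\d+)$")

def scan_log(log_lines, threshold=20):
    """Flag sources probing many distinct hosts on 445 and any use of the worm's ports."""
    targets = defaultdict(set)
    worm_port_conns = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport == 445:                      # step 9: probing for online hosts
            targets[src].add(dst)
        elif dport in WORM_PORTS:             # steps 6/10/11: FTP fetch or remote shell
            worm_port_conns.append((src, dst, dport))
    scanners = sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)
    return {"scanners": scanners, "worm_port_connections": worm_port_conns}

# Constructed sample data (not real captures) for a quick stand-alone run.
SAMPLE_RUN_KEY = {"ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",
                  "avserve2.exe": "C:\\WINDOWS\\avserve2.exe"}
SAMPLE_PORTS = {135, 139, 445, 5554}
SAMPLE_FILES = ["explorer.exe", "avserve2.exe", "74354_up.exe"]
SAMPLE_LOG = [f"10.0.0.5 -> 198.51.100.{i}:445" for i in range(1, 26)] + [
    "10.0.0.7 -> 198.51.100.9:445", "10.0.0.7 -> 10.0.0.5:5554"]
if __name__ == "__main__":
    print(check_host(SAMPLE_RUN_KEY, SAMPLE_PORTS, SAMPLE_FILES))
    print(scan_log(SAMPLE_LOG))
```

The 445-scan threshold is a tuning knob: a file server legitimately talks to many hosts on 445, so pair the count with the 5554/9996 connections before calling a host infected.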
removal tools and patches:
Sasser.A and Sasser.B Worm Removal Tool
Complete Removal link For All Variations
MS04-011 Security Bulletin Link
Stinger Removal Tool

Antivirus companies:
Sophos
Norton
Trend Microsystems

news links:
BBC News
Eweek
OSNN Front Page
 

Henyman

Secret Goat Fetish
Political User
#8
i saw an opportunity to get the forums more hits and took it , as well as helping countless people :D
 

ming

OSNN Advanced
#10
Henyman said:
i saw an opportunity to get the forums more hits and took it , as well as helping countless people :D
Thinks you should get your post back on the forum. Takes almost a week before any news that I submit to get posted on the frontpage. :(
 

Henyman

Secret Goat Fetish
Political User
#13
he he sorry i just looked around at several different sites, post link + i'll edit my post ;) :cool: kinda hard to list every AV response :p
 
#18
Very helpful indeed, thanks Henyman ;). Although it would've been better had this thread been posted earlier. :(

I would also recommend this to remove the Sasser worms, as it helped me. ;)
 

j79zlr

Glaanies script monkey
Political User
#19
Just a sidenote really, I would think that after the Blaster worm and the hoopla it caused people would be more aware that they need to keep Windows updated. Again, the patch was released on April 13th, over 2 weeks before any widespread problems.
 
#20
j79zlr said:
Just a sidenote really, I would think that after the Blaster worm and the hoopla it caused people would be more aware that they need to keep Windows updated. Again, the patch was released on April 13th, over 2 weeks before any widespread problems.
Yes, and I have learned that lesson the hard way.
 
