The OSNN Definitive Sasser Virus Thread

Henyman

This is an attempt to clear up some confusion for all people who are, or may be, infected with the Sasser virus.
First step is to open Internet Explorer and go to:

https://www.microsoft.com/security/incident/sasser.asp

There you will find a simple test to see if you're infected :cool: *Note* I know I had to change my IE settings in Tools>>Internet Options>>Security and move the slider to Low for the Internet in order for the test to run.

You can only be affected if you have not updated Windows via Windows Update with the patch released on 13 April.
To help protect your computer against the Sasser worm and its variants, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 on Windows Update listed in the Critical Updates and Service Packs section.

Basic virus info according to Symantec:
When W32.Sasser.B.Worm runs, it does the following:

1. Attempts to create a mutex named JumpallsNlsTillt and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.

2. Attempts to create a mutex named Jobaka3. This mutex does not serve any apparent purpose.

3. Copies itself as %Windir%\Avserve2.exe.

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
4. Adds the value:

"avserve2.exe"="%Windir%\avserve2.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

5. Uses the AbortSystemShutdown API to hinder the attempts to shut down or restart the computer.

6. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

7. Iterates through all the host IP addresses, looking for addresses without any of the following:
* 127.0.0.1
* 10.x.x.x
* 172.16.x.x - 172.31.x.x (inclusive)
* 192.168.x.x
* 169.254.x.x

8. Using one of these IP addresses, the worm then generates a random IP address.
* 52% of the time, the IP address is completely random.
* 23% of the time, the last three octets are changed to random numbers.
* 25% of the time, the last two octets are changed to random numbers.

Notes:
* An octet is an 8-bit section of an IP address. For example, if A.B.C.D is an IP address, A is the first octet, B is the second, C is the third, and D is the fourth.
* Because the worm can create completely random addresses, any IP range can be infected.
* This process is composed of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow that it is barely usable.
9. Connects to the randomly generated IP address on TCP port 445 to determine whether a remote computer is online.

10. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.

11. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.

12. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in one minute.

Removal tools and patches:
Sasser.A and Sasser.B Worm Removal Tool
Complete Removal link For All Variations
MS04-011 Security Bulletin Link
Stinger Removal Tool

Antivirus companies:
Sophos
Norton
Trend Microsystems

News links:
BBC News
Eweek
OSNN Front Page
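As an added example for this thread (not from the post, Symantec or any of the linked tools), a small Python script that flags the infection pattern described above in firewall log lines: one host probing many others on TCP 445, a connection to the 9996 shell port, and the victim pulling the copy back over FTP port 5554, plus a check for the NNNNN_up.exe filename. The log line format, the sample addresses and the scan threshold are assumptions; the log itself is constructed.

```python
import re
from collections import defaultdict
# Constructed sample firewall log (not from the thread): "time src dst dport".
SAMPLE_LOG = """\
10:00:01 10.0.0.7 203.0.113.5 445
10:00:01 10.0.0.7 203.0.113.6 445
10:00:02 10.0.0.7 198.51.100.2 445
10:00:03 10.0.0.7 198.51.100.2 9996
10:00:04 198.51.100.2 10.0.0.7 5554
10:00:05 10.0.0.9 10.0.0.1 445
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")
# Name pattern of the retrieved copy: four or five digits, then _up.exe.
WORM_COPY_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
SCAN_THRESHOLD = 3  # distinct hosts probed on 445 by one source (assumed tuning value)

def parse_log(text):
    """Parse 'time src dst dport' lines into (time, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            t, src, dst, dport = m.groups()
            events.append((t, src, dst, int(dport)))
    return events

def looks_like_worm_copy(filename):
    return WORM_COPY_RE.match(filename) is not None

def find_sasser_suspects(events):
    """Map src -> reasons: wide 445 probing, 9996 shell connect, reverse 5554 FTP."""
    probed, shells, ftp_back = defaultdict(set), defaultdict(set), defaultdict(set)
    for _, src, dst, dport in events:
        if dport == 445:
            probed[src].add(dst)
        elif dport == 9996:
            shells[src].add(dst)
        elif dport == 5554:
            ftp_back[dst].add(src)  # victim (src) pulls the copy from the infected host (dst)
    suspects = {}
    for host in set(probed) | set(shells) | set(ftp_back):
        reasons = []
        if len(probed[host]) >= SCAN_THRESHOLD:
            reasons.append(f"probed {len(probed[host])} hosts on 445")
        if shells[host]:
            reasons.append("connected to remote shell port 9996")
        if ftp_back[host]:
            reasons.append("served worm copy over FTP port 5554")
        if reasons:
            suspects[host] = reasons
    return suspects
```

Only the host that shows the full pattern is reported; a single 445 connection from another host is left alone.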
 

Henyman

Cheers Xie, surprised I didn't make too many mistakes :p
 

rushm001

The question is, can it affect cows?
 

Jewelzz

Trying to take over Enyo's place Henyman? :p

Nice post, thanks
 

Henyman

I saw an opportunity to get the forums more hits and took it, as well as helping countless people :D
 

ming

Henyman said:
I saw an opportunity to get the forums more hits and took it, as well as helping countless people :D
Thinks you should get your post back on the forum. It takes almost a week before any news that I submit gets posted on the front page. :(
 

Henyman

I have considered rejoining the news team ;) but I just don't have the time/patience @ mo :(
 

Howling Wolf

Henyman,

why the hell didn't you mention Kaspersky in your AV list? My opinion, but it is the best AV around ;)
 

Henyman

He he, sorry, I just looked around at several different sites. Post a link and I'll edit my post ;) :cool: Kinda hard to list every AV response :p
 

Henyman

Try and keep this thread on topic ;)
 

Hsn

Very helpful indeed, thanks Henyman ;). Although it would've been better had this thread been posted earlier. :(

I would also recommend this to remove the Sasser worms, as it helped me. ;)
 

j79zlr

Just a side note really, I would think that after the Blaster worm and the hoopla it caused, people would be more aware that they need to keep Windows updated. Again, the patch was released on April 13th, over 2 weeks before any widespread problems.
 

Hsn

j79zlr said:
Just a side note really, I would think that after the Blaster worm and the hoopla it caused, people would be more aware that they need to keep Windows updated. Again, the patch was released on April 13th, over 2 weeks before any widespread problems.
Yes, and I have learned that lesson the hard way.
 
