The OSNN Definitive Sasser Virus Thread

Henyman

This is an attempt to clear up some confusion for all people who are, or may be, infected with the Sasser virus.
First step is to open Internet Explorer and go to:

https://www.microsoft.com/security/incident/sasser.asp

there you will find a simple test to see if you're infected :cool: *note* i know i had to change my IE settings in Tools>>Internet Options>>Security and move the slider to Low for the Internet in order for the test to run.

you can only be affected if you have not updated Windows via Windows Update with the patch released on 13 April.
To help protect your computer against the Sasser worm and its variants, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 on Windows Update listed in the Critical Updates and Service Packs section.

Basic virus info according to Symantec:
When W32.Sasser.B.Worm runs, it does the following:

1. Attempts to create a mutex named JumpallsNlsTillt and exits if the attempt fails. This ensures that no more than one instance of the worm can run on a computer at any time.

2. Attempts to create a mutex named Jobaka3. This mutex does not serve any apparent purpose.

3. Copies itself as %Windir%\Avserve2.exe.

Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
4. Adds the value:

"avserve2.exe"="%Windir%\avserve2.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.

5. Uses the AbortSystemShutdown API to hinder the attempts to shut down or restart the computer.

6. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

7. Iterates through all the host IP addresses, looking for addresses without any of the following:
* 127.0.0.1
* 10.x.x.x
* 172.16.x.x - 172.31.x.x (inclusive)
* 192.168.x.x
* 169.254.x.x

8. Using one of these IP addresses, the worm then generates a random IP address.
* 52% of the time, the IP address is completely random.
* 23% of the time, the last three octets are changed to random numbers.
* 25% of the time, the last two octets are changed to random numbers.

Notes:
* An octet is an 8-bit section of an IP address. For example, if A.B.C.D is an IP address, A is the first octet, B is the second, C is the third, and D is the fourth.
* Because the worm can create completely random addresses, any IP range can be infected.
* This process is composed of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become very slow and barely usable.
9. Connects to the randomly generated IP address on TCP port 445 to determine whether a remote computer is online.

10. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.

11. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and to retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.

12. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in one minute.

removal tools and patches:
Sasser.A and Sasser.B Worm Removal Tool
Complete Removal link For All Variations
MS04-011 Security Bulletin Link
Stinger Removal Tool

Antivirus companies:
Sophos
Norton
Trend Microsystems

news links:
BBC News
Eweek
OSNN Front Page
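A defender-side check built from the indicators in the Symantec list above (an added example, not code from the post or from Symantec): it scans a host snapshot for the Run-key persistence value, the dropped avserve2.exe, the NNNNN_up.exe copies pulled over FTP, the two listening ports and the two mutexes. The snapshot data is constructed, and the function name check_host is my own.

```python
import re

# Indicators as quoted in the Symantec description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "avserve2.exe"
DROPPED_NAME = "avserve2.exe"
# TCP 445 is the attack target but is a normal listener on Windows, so it is
# deliberately NOT an indicator here; only the worm's own listeners are.
WORM_PORTS = {5554: "Sasser FTP server", 9996: "remote shell opened by the LSASS exploit"}
UP_EXE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
MUTEXES = {"JumpallsNlsTillt", "Jobaka3"}


def check_host(run_values, files, listening_ports, mutexes):
    """Return human-readable findings for one host snapshot.

    run_values: {(registry_key, value_name): data}
    files: iterable of file paths
    listening_ports: iterable of TCP ports the host listens on
    mutexes: iterable of mutex names present on the host
    """
    findings = []
    for (key, name), data in run_values.items():
        if key.lower() == RUN_KEY.lower() and name.lower() == RUN_VALUE:
            findings.append(f"Run key persistence: {name} = {data}")
    for path in files:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower() == DROPPED_NAME:
            findings.append(f"dropped worm binary: {path}")
        elif UP_EXE.match(base):
            findings.append(f"copy downloaded via worm FTP: {path}")
    for port in listening_ports:
        if port in WORM_PORTS:
            findings.append(f"listening on TCP {port} ({WORM_PORTS[port]})")
    for name in mutexes:
        if name in MUTEXES:
            findings.append(f"worm mutex present: {name}")
    return findings


# Constructed sample snapshot (not real telemetry) exercising each indicator.
SAMPLE_RUN = {(RUN_KEY, "avserve2.exe"): r"C:\WINDOWS\avserve2.exe",
              (RUN_KEY, "ctfmon.exe"): r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\avserve2.exe", r"C:\WINDOWS\system32\74354_up.exe",
                r"C:\WINDOWS\notepad.exe"]
SAMPLE_PORTS = [135, 445, 5554, 9996]
SAMPLE_MUTEXES = ["JumpallsNlsTillt", "SomeOtherMutex"]

if __name__ == "__main__":
    for finding in check_host(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_PORTS, SAMPLE_MUTEXES):
        print(finding)
```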
 
cheers Xie, surprised i didn't make too many mistakes :p
 
The question is, can it affect cows?
 
Trying to take over Enyo's place Henyman? :p

Nice post, thanks
 
i saw an opportunity to get the forums more hits and took it, as well as helping countless people :D
 
Henyman said:
i saw an opportunity to get the forums more hits and took it, as well as helping countless people :D
Thinks you should get your post back on the forum. Takes almost a week before any news that I submit to get posted on the frontpage. :(
 
i have considered rejoining the news team ;) but i just don't have the time/patience @ mo :(
 
Henyman,

why the hell didn't you mention Kaspersky in your AV list ? My opinion, but it is the best AV around ;)
 
he he sorry i just looked around at several different sites, post link + i'll edit my post ;) :cool: kinda hard to list every AV response :p
 
try and keep this thread on topic ;)
 
Very helpful indeed, thanks Henyman ;). Although it would've been better had this thread been posted earlier. :(

I would also recommend this to remove the Sasser worms, as it helped me. ;)
 
Just a sidenote really, I would think that after the Blaster worm and the hoopla it caused people would be more aware that they need to keep Windows updated. Again, the patch was released on April 13th, over 2 weeks before any widespread problems.
 
j79zlr said:
Just a sidenote really, I would think that after the Blaster worm and the hoopla it caused people would be more aware that they need to keep Windows updated. Again, the patch was released on April 13th, over 2 weeks before any widespread problems.
Yes, and I have learned that lesson the hard way.
 