W32/Sasser Worm

[Texas Diesel]

A friend who has XP has a worm called W/32Sasser.



I did a search and found:



http://vil.nai.com/vil/stinger/ and a page at MS and MS's patch.



Is there anything else I need to know how to do? I dont run XP and am unfamiliar with it.



Thanks

 

[Rman]

symantec has a good scrubber toget the virus off, i got it the other day. I'd get the patch directly from microsoft for XP.

 

[BHaner]

Link to my post on the NWB

 

[TboneMan]

At least they nailed the kid (yes a kid) that made this one.



He is allegidly responsible for the Netsky virus last year too.

 

[Texas Diesel]

Thanks all!!!

 

[TPCDrafting]

I did the patch and ran the fxsasser. exe on my xp machine about a week and a half ago. I got the w32. sasser worm off no problems. I got it again yesterday, but this time it's the w32. sasserE version and I can't seem to shake it. I've done everything symantec says to do. I was able to delay the shutdown process to almost 3 hours, updated NAV, downloaded the patches from mickey soft and got it all setup. Now NAV can find the worm, but it can't fix it. If I run the updated fxsasser. exe removal tool it run all the way through and says it can't find the worm on my drive. I think it has something to do with lsass. exe is a system process and I can't shut it down to remove the worm. Any other suggestions?:{

 

[Paychk]

Have you try to start and run the machine in safe mode? If you can get to safe mode, try to run the remover and see if that works.

 

[TPCDrafting]

Tried it

 

[thejeepdude]

If lsass. exe is infected, you should be able to boot from a floppy (if you're using fat) or a seperate instance of xp (there's utilities to put XP on a CD) and delete the infected copy of lsass. exe and copy over a new one...



However, when you install MS04-011 (fixes the problem that let sasser infect your pc in the first place), it replaces lsass. exe... I assume you did this? Also, if you'da been running a pc firewall (ie: zonealarm) then you wouldn't be having this problem either. Haven't had a virus on my computer since someone crashed my BBS back in the early 90's...

 

[JohnE]

Originally posted by TboneMan

At least they nailed the kid (yes a kid) that made this one.



He is allegidly responsible for the Netsky virus last year too.

Speaking of Netsky, even if they caught the creator it is still widespread. I'm getting 6 or more virus payload emails per day. Why do people click on suspicious emails?

No wonder the MIS folks call them ID 10 T errors.

 

[thejeepdude]

Originally posted by JohnE

Why do people click on suspicious emails?

:-laf duuuhhhh... they're the same kind of people that created this classic example:



#ad




STOOOOOOOOPID!

 

[JohnE]

Originally posted by thejeepdude

...

STOOOOOOOOPID!

Yep, ID 10 T errors are pretty widespread!

 

[TPCDrafting]

I upgraded this machine from ME to XP. Installed Earthstink and got online to update my virus software, update the Windows software and to download Zone Alarm. I didn't even open Outlook to check mail. The machine was infected merely by logging onto the internet. I'll try booting from floppy or CD and see if that works. Thanks.

 

[Texas Diesel]

Originally posted by TPCDrafting

The machine was infected merely by logging onto the internet.

That is what hapened to him.



Try this: http://www.microsoft.com/security/incident/sasser_printxp.asp



It helped him.

 

[JohnE]

Not W32/Sasser

I had hijacked the thread and was refering to the email style virus payload.



No offense intended on the real topic of Sasser.



One has to log on the internet to download the patch hmm.

Similar to standing up in the battlefield to see the enemy?



thejeepdude addressed the best defense especially if you are running a Microsoft OS higher than Win98, FIREWALL.

 

[TPCDrafting]

Well I followed all the directions at mickey soft .com and it didn't find anything still. Anyway, the worm seems to be in remission for now. NAV can still find it, but it's not doing anything to the performance of the computer that I can tell. Thanks all for the help. I am buying Zone Alarm over the counter instead of a 13240398578 hour download. Back to drafting... .