W32.Sasser.Worm <-- Important


amanoffewwords
1st May 2004, 14:12
Hi peeps,

currently installing another Dell (arrgghhh I hear some of you cry!).

Anyway, W32.Sasser.Worm managed to download itself and penetrate the system within 5 seconds of connecting to broadband for the first time, hence before I managed to do an anti-virus update.

The Symantec website (http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html) doesn't have much info on it yet as it only came out yesterday but it apparently uses an MS exploit.

I strongly recommend everyone runs an update to their anti-virus as well as the windows update to avoid getting this worm. Activate a firewall too if you can.

Symptoms I have seen so far are that the system slows down big time and eventually reboots automatically (like Blaster did last year). It also disables Norton Anti-Virus and plays havoc with the Internet connection.

Cheers
Charles

Feline
2nd May 2004, 20:10
Well, amofw, you can come and install a Dell at my place anytime!

What concerns me about some of the latest Viruses (virii?) is their ability to disable Norton AV. I'm not even going to ask how they achieve this, but how do you detect that NAV has been disabled? Presumably it appears to run without detecting anything, but the system just gets slower and s-l-o-w-e-r.

Second question - once you have deduced that NAV has been nobbled, how do you get it back to doing what it should be doing? Clean install?

Feeling a bit sensitive about viruses at the moment - last week was back at a site where I picked up a W32.BleBla worm last year. And one of the students had exactly the same symptoms that I experienced last year (unable to save document on any drive because "Disk Full"). But NAV gives the system a clean bill of health. So I just wonder whether NAV has been nobbled.

Comments anyone?

timmcat
2nd May 2004, 22:25
Well, my NAV is giving a last definition date of yesterday - just checked Windows Update and I have no critical updates outstanding on my XP system (last checked 2 or 3 weeks ago). However Sasser made the BBC news tonight here in the UK.

OneWorld22
2nd May 2004, 22:26
Thanks for this post amon. I got the bloody thing yesterday, system was shutting down after a few minutes of connection. Report was saying it was the lsass.exe. But of course thanks to the links on PPRuNe given by other posters I was able to get the info from Symantec and go into the regedit and hey presto! there it was, avserve.exe, just calmly sitting there causing havoc.......

It's now gone, no damage and I installed Zone Alarm Pro yesterday, never heard of it before and I'm really impressed by it, very easy to use and it adapts to my use so it knows what to trust.

I've also downloaded all patches from MS in Windows Update. I'd advise all PPRuNErs to do the same....

slj
3rd May 2004, 11:06
Detailed guidance and a fast check to see if you are infected is at http://www.microsoft.com/security/incident/sasser.asp

Soddit
3rd May 2004, 11:19
Didn't get the virus but I can't download the relevant Windows XP Update (KB835732). Tried several times but it gets so far then stops. The checker mentioned above only works if you have successfully installed KB835732. Anybody got any ideas on the installation problem? Thanks.

E-Liam
3rd May 2004, 12:00
Hi Soddit,

Go here (http://www.belarc.com/free_download.html) and install the Belarc Advisor. It will open a page in your browser and tell you (amongst lots of other things) what updates you have installed previously. Check to see if you already have this one. There is no way on earth that M$ will have brought out a patch specifically for Sasser this quickly, so it may be that it's trying and failing to overwrite a previously installed update.

If you don't already have the worm, then an update for your AV will be enough to protect you until M$ sort this patch out. A quick trip to Googleland shows that it can cause more problems than it fixes.. just one being 99% CPU activity, and the recommendation to uninstall it anyway.. :)

Hope that helps..

Cheers

Liam

Soddit
3rd May 2004, 13:11
Liam..

That is very kind. Complete answer to my question. Plus a very useful bit of software. Thank you so much. Soddit. :)

E-Liam
3rd May 2004, 13:21
You're welcome.. :ok:

amanoffewwords
3rd May 2004, 16:10
E-Liam,

Microsoft issued the fix (http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en) for this worm some two weeks ago, so I can't see why you think they're not on the ball in this case?

Feline,

when I discovered sasser on this client's PC I did a Ctrl+Alt+Delete and terminated anything that looked suspicious. Also ran "msconfig.exe" and stopped various suspect applications from starting - including avserve.exe. Then rebooted and ran NAV update and full scan as well as Windows update. Also checked and removed the avserver.exe entry in the registry. Activating the firewall might have helped too.

Norton was shown as being disabled 'cause it had a cross on the tray icon and if you hovered over it the icon disappeared. Not exactly black magic innit??!

Cheers
Charles

Feline
3rd May 2004, 19:34
Yeah, well - If I saw a blerry great cross over the NAV icon in the system tray, then even I might (dimly) realise that something was amiss ... But then I was labouring under the (erroneous) impression that NAV could get nobbled without any such overt sign - weren't I?

I do remain a tad suspicious of NAV and its abilities to pick up viruses as they reach my system - ran a complete system check today (which took longer than I care to think about) and it found 13 viruses. (None of them were Sasser I might add).

How come, I ask myself, did these get there in the first place if the virus scanner was permanently switched on? Maybe a couple of holes in the magic robe?

And you still haven't answered my question as to how you realised you copped Sasser in the first place - was it the fact that NAV had been visibly nobbled, or was it because the system suddenly started behaving like a crippled donkey, or did you have an amazing flash of inspiration that told you to run msconfig, and/or Ctrl-Alt-Del and go look for avserver.exe?

Please amofw - not being sarcastic, just interested to know because I suspect myself of extreme paranoia when my system runs a bit slow and find myself wondering whether NAV isn't just a wee bit behind the bleeding edge on occasion ...

I'm really beginning to think in terms of installing a basic entry level system as my interface to the outside world, on the basis that if I have the slightest suspicion that something untoward is happening I will just restore it from a (known good) mirror image and carry on my happy way ...

E-Liam
3rd May 2004, 20:10
Hi Amofw,

I just re-read my post.. :)

It could be misconstrued I suppose, but it does say what I wanted it to say.. in that the fix wasn't specifically written to combat the Sasser worm, but to plug yet another hole in the sieve. Sasser exploits this after the fact. I was pointing out that the patch may already have been installed as it, by the very nature of M$'s updates, would not have been written in the last two days and... it wasn't. :)

Agreed it could have been worded better, so if there was any mis-understanding, then I apologise... :D :ok:

Cheers

Liam

OneWorld22
3rd May 2004, 20:46
Well, my system started to shut down on Saturday and the report stated it was the lsass.exe file. When it wasn't shutting down and with the browser and e-mail closed, the system was sending and receiving data of its own accord! (I have dial up and could see the icon) my system also slowed right down....

Luckily I could stay connected long enough to go to the Symantec website and they gave me the easy to follow steps and I went to regedit and deleted avserve.exe and then yesterday ran the fix and it deleted the virus.

There was no indication on my NAV that it was switched off or there was anything wrong. And I had all the latest updates....

Mac the Knife
3rd May 2004, 20:50
Thanks for the Belarc tip E-Liam

Mac

amanoffewwords
3rd May 2004, 21:01
Gotcha e-liam - M$ writes the fix, then comes Mr Cretin and writes the worm as he's clever enough to know that 99% of users still don't bother updating windoze - I take it that's what you meant.

Feline, I don't recall the exact sequence of events as I was sitting there sweating with the customer breathing down my neck "is everything all right" every 5 mins, "fine don't worry, go make another cuppa tea.."... BUT, I do recall the PC slowing down to a point I thought he might have bought a Celeron processor but my suspicions were awoken when I saw it was a P4 3.0, and that it seemed to stall quite a lot. I managed to run the NAV update and ran a full system scan, and hey presto Sasser came out. The rest as they say is history.

By the way, when I said it ain't black magic, I was talking about my own skills, I'm no Harry Potter. ;)

Charles

ps. you might get viruses slipping through if they creep into your system in between updates - in the last few days my NAV has updated 3-4 times, might want to check that yours is set to auto-update too.

BEagle
3rd May 2004, 21:32
Do remember that Norton releases AV updates as soon as they are available - but that some may require manual download. An example is the latest fix for Sasser D which was released only a few hours ago....

See http://www.sarc.com/avcenter/venc/data/w32.sasser.d.html for more information.

Ausatco
4th May 2004, 01:58
Liam, thanks for the Belarc link - excellent tool.

Amofw, thank you for your link to the M$ fix for the worm. My son has a non-updated computer (XP Home), but was smart enough not to log on when he heard that the worm was in the wild. I downloaded the M$ fix to a memory stick, installed it on his machine and now it's on-line catching up on his updates. Only 3 hours to go at 40k :{

AA

lofty50
4th May 2004, 05:52
I have recently moved house (I live in Philippines), and only on Friday did I manage to get phone line and ADSL connected, and that is when my Norton Antivirus went wrong, so it may or may not be to do with the Sasser worm.

Norton Auto Protect was somehow disabled as well as email screening, no way could I enable them, so eventually uninstalled and reinstalled, so now of course my virus definitions are hopelessly out of date, but live update won't work and I cannot even connect to Symantec to do a manual download. This leaves me somewhat vulnerable. I have tried numerous times.

I have downloaded the MS KB 835732 and the detection tool and I have ZoneAlarm, so it could be worse. Can anyone give me a clue as to what may be wrong? Is the Symantec site down?

Thanks, and the Belarc Advisor is GOOD.

amanoffewwords
4th May 2004, 07:01
lofty50,

one of the obvious clues is that you'll have avserve running in the background - if you do a Ctrl+Alt+Del you'll see it in the list of running processes and you should be able to kill it there, albeit temporarily.

You can also, depending on your OS, run msconfig.exe
(start--->run) and disable avserve.exe from the startup list. In this case you'll need to reboot and try liveupdate once more.

And download the M$ patch as mentioned in one of my previous posts.

hth
Charles

lofty50
4th May 2004, 07:31
Charles

Thanks for your reply, but no avserve showing anywhere. I can see isass.exe mentioned by a previous poster, and also Navapsvc.exe which sounds somewhat similar to avserve?

It has occurred to me that as I have reinstalled NAV I need to reregister, I doubt it but I will try that anyway.

The odd thing is that I cannot get connected to the Symantec website either, in addition to not being able to run Live update. As I mentioned I have the MS patch already.

amanoffewwords
4th May 2004, 07:45
How 'bout trying the Stinger (http://vil.nai.com/vil/stinger/) - mcAfee "Swiss Army Knife" for anti-virus detection and removal?

Charles

lofty50
4th May 2004, 07:51
Don't think I have any virus, just a problem getting to update NAV. Why I don't know, but it did happen the same day I changed my ISP. I can do full scan, everything clean. I have always meticulously kept NAV and MS fully updated after major probs 18 mos ago. Just can't update NAV after reinstalling. Is there a setting I am missing perhaps?

Feline
4th May 2004, 08:12
Lofty - Apart from LiveUpdate, there is another way of downloading and updating your virus definitions. Go to http://securityresponse.symantec.com/avcenter/defs.download.html and download them (the file is about 4.7Mb). Once you have downloaded them, doubleclick on the file and it will update your virus definitions.

I use this method quite often because I'm never quite sure that LiveUpdate has downloaded enough code while I'm logged on - I use dial-up and sometimes LiveUpdate can be very slow (site congestion I imagine).

lofty50
4th May 2004, 08:48
Feline

Thank you for that, but as I have already mentioned I cannot get into the Symantec site for a manual download. There are no other problems accessing any other website, just Symantec. I am baffled why this should be and welcome any clues from anyone.

PPRuNe Pop
4th May 2004, 17:11
ONE tip I will give, and that has never let me down!

Go to www.grc.com and click on 'Shields Up'; it will tell you if your computer is open to possible 'attack' or not. But DO get the Microsoft patches first. Just go to Windows Update. Not necessary for a few operating systems so check.

While you are there you may find other things you can use and this guy Steve really does know what he is talking about. The FBI use him as do the CIA and he has been known to assist the Met Police.

So, for what it's worth, and it is good, go get it is my advice.

amanoffewwords
4th May 2004, 18:02
lofty50,

just spent three hours with a client whose machine is displaying the same symptoms you are having.

It stops you accessing any virus-removal site - I tried NAV, McAfee, Sophos, Trend, AVG (Grisoft) and others.

Liveupdate does not work and NAV gets disabled soon after start-up.

Windows updates are also not installing although all the right screens appear but the number of critical updates remains at 37. Tried to download and install Win 2k SP4 but that got cut off.

I have tweaked the startup process with a utility similar to msconfig.exe - removed anything that looked suspicious. I scanned the registry for any clues. I ran ad-aware and installed Zone Alarm.

I scanned the system using Stinger in safe mode and it did remove a couple of minor worms and viruses but essentially didn't result in any change to the situation.

All to no avail.

I am currently scanning the disk using my PC and the disk as secondary unit.

My next option will be to reformat and re-install everything, including windows updates etc.

Will let you know if I find anything useful during the current scan I'm doing.

Charles

OneWorld22
4th May 2004, 18:13
amon,

I'm sure you've tried this but here's the removal tool itself,

removal tool (http://securityresponse.symantec.com/avcenter/FxSasser.exe)

If that doesn't work I could e-mail you the fix? It's only 150kb

Wedge
4th May 2004, 18:24
You can check to see if your PC is infected here at Microsoft Security (http://www.microsoft.com/security/incident/sasser.asp)

E-Liam
4th May 2004, 18:41
Hi Amofw,

Before you format, could you send me a Hijack this log of the machine please. I'd like to see what it's up to on the inside, if you don't mind. I'm off out in a minute, but I'll be back later (11.30ish UK) and I should be able to help. :ok: :)

Cheers

Liam

amanoffewwords
4th May 2004, 18:49
Thanks OneWorld22 and Wedge - but I don't think Sasser is the culprit in this case - I ran the latest version of Stinger which looks for two variants of Sasser - and the symptoms are different but they are similar to lofty50's problem. This is taking off on a tangent somewhat.

I just completed another full scan with the disk as secondary in my own PC - it came clean so I'm left with a reformat. However I will try hijack this and let you know what's up E-Liam - thanks for the suggestion.

Cheers
Charles

lofty50
5th May 2004, 03:56
AMANOFFEWWORDS, Mike Jenvey, PPRUNE POP, Wedge et al

Thanks for all your replies and advice, I am 7 hours ahead of you guys in UK so a time lag in my reply.
NAV now has auto protect and email scanning enabled, but also ZoneAlarm has email scanning so I feel moderately safe but desperately need to get NAV updated. I have the MS Sasser patch and the removal tool and have run adware, seems the only prob is update.
I have noted all your advice and will try now to get my NAV updated.

Cheers

lofty50
5th May 2004, 04:57
Mike Jenvey

The Symclean is only for Norton System Works which I don't have (only NAV) so didn't run it.

_________________________________________________

PPrune Pop

Shields Up seems very good, however all it did was confirm I have an exceptionally well protected computer, I only had to load Unplug 'n' Pray. I'd recommend everyone to use this excellent utility.

By the way the time is wrong! Showing GMT +7 here. Just because u went to BST, it doesn't change GMT +8 here!!!

Oh Sh1te

Auto protect and email scanning disappeared off NAV again. Trying a reboot.

amanoffewwords
5th May 2004, 07:26
Lofty50,

on my client's pc I applied winsock fix (http://members.shaw.ca/techcd/VB_Projects/) as suggested by fobotsco in an earlier unrelated post and the updates work again. However it was still stopping IE from accessing Symantec et al so I got rid of it and put Mozilla Firefox in its place and it all works ok now.

Now just got to try and sort his email out...

hth
Charles

lofty50
5th May 2004, 08:11
amanoffewwords

Here's what I did, first upgraded to ZoneAlarm Pro and cleaned out all tracking cookies and cleaned cache. Then (thro' Google) I ran an online antivirus from
http://housecall.trendmicro.com/housecall (I had to disable ZoneAlarm first), that found the AGOBOT.IM worm, noncleanable but I deleted the affected file, then to be doubly sure I ran activescan online from www.pandasoftware.com/activescan/com/activescan_principal.htm which showed all clear, and by the way scans emails also.
I then reinstalled NAV, which worked okay and live update seems to have worked, and then reactivated ZoneAlarm. Then I tried to access Symantec - guess what - no joy. Going to try again.
Can you please post the site to get the Mozilla Firefox.

Don't know why but the activescan url came out funny, I'll try again.
www.pandasoftware.com/activescan/com/activescan_principal.htm

after the first activescan it should be /com/activescan_principal.htm

40 yearflyer
5th May 2004, 19:33
You guys have left me standing. Any quick way to get rid of Sasser worm from my XP?...MSN download cuts off..and takes 2 hours estimated...McAfee doesn't seem to stop it.. I am not an easy user of computers..do you suggest I pass it to an expert.
PS I scanned my files and c:\windows\system32\wins\SVCHOS infected...so I followed McAfee advice and deleted it when it proved 'non cleanable'. I am using my 'old' computer Windows 95 to post this.

OneWorld22
5th May 2004, 20:15
First hit CTRL+ALT+DEL and have a look at your task manager and processes. If you see avserve.exe end it straight away!

Then go into your regedit, (go to Start and then run and type in regedit)

Click on: HKEY_LOCAL_MACHINE then SOFTWARE then MICROSOFT then WINDOWS then RUN

If you see avserve.exe listed there with your other programs then delete it....(Back up your registry first just in case!)
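The checks amanoffewwords (Ctrl+Alt+Del, msconfig) and OneWorld22 (Task Manager and the Run key) describe above, gathered into an added read-only PowerShell report. This is not code from any poster: the full Run key paths, the watch list seeded with avserve.exe, and the KB835732 hotfix check are assumptions taken from the thread, and the script only reports, it removes nothing.

```powershell
# Added example (not from the thread): read-only check for the avserve.exe
# autorun entry and process the posts above describe. Reports only; removes nothing.
param(
    # Watch list; avserve.exe is the name given in the thread. Extend as needed.
    [string[]]$Suspect = @('avserve.exe'),
    # Patch the thread says closes the hole Sasser used.
    [string]$PatchId = 'KB835732'
)

# Full paths of the Run keys the posts refer to (per-machine and per-user).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Property names Get-ItemProperty adds that are not registry values.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntries {
    # One object per Run value, with the executable resolved and flagged.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -in $MetaProps) { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$prop.Value)
            # Executable is the quoted first token, else the first space-delimited token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ', 2)[0] }
            $file = [IO.Path]::GetFileName($exe)
            [pscustomobject]@{
                Key     = $key
                Name    = $prop.Name
                Command = $cmd
                Exists  = ([bool]$exe -and (Test-Path -LiteralPath $exe))
                Suspect = ($Suspect -contains $file)   # -contains is case-insensitive
            }
        }
    }
}

function Get-SuspectProcesses {
    # Running processes whose image name is on the watch list (what Ctrl+Alt+Del shows).
    Get-Process | Where-Object { $Suspect -contains ($_.ProcessName + '.exe') } |
        Select-Object Id, ProcessName, Path
}

function Test-PatchInstalled {
    # The question Belarc Advisor answers in the thread: is the hotfix present?
    [bool](Get-HotFix -Id $PatchId -ErrorAction SilentlyContinue)
}

Write-Host "== Autorun entries (Suspect = on watch list, Exists = file present) =="
Get-AutorunEntries | Format-Table -AutoSize
Write-Host "== Watch-listed processes running now =="
Get-SuspectProcesses | Format-Table -AutoSize
Write-Host ("== {0} installed: {1} ==" -f $PatchId, (Test-PatchInstalled))
```

A Run value whose file no longer exists, or a watch-listed name that is running but absent from both keys, is worth a closer look before anything is deleted.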

40 yearflyer
5th May 2004, 20:39
Thanks 'Jolly Green Giant' I used to tell my kids bedtime stories based on a 'jolly green giant' taken from the tin of sweetcorn ! !

I will try your suggestion.

If that doesn't work I will rush into symantec again and download sasser 'b' version before the worm closes me down again...I usually have 3 minutes.

Just a thought if I restore the file I deleted last night that McAfee could not clean, could symantec clean/neutralise it I wonder. Sounds dangerous to me.

Here I go again ..today is a computer day...the sim computer needed rebooting ...the ADF in the aircraft locked onto the nearest CuNimb...life was much simpler when all I had was one radio and a DI.

lofty50
6th May 2004, 02:11
Good news guys, this a.m. I have been able to access Symantec and download Intelligent Updater. So now fully up to date and protected all round with extra protection with activescan and trendmicro, both of which work much faster than a NAV scan.

I have a suspicion that after reinstalling NAV you cannot do liveupdate or manual update until you perform a complete scan, I tried to bypass this as it is so slow, and I was confident I was clean.

I trust you have sorted your probs finally amofw.

Cheers everybody and thanks for all the help.

amanoffewwords
6th May 2004, 08:40
Thanks I have fixed it lofty50, but it was my client's problem really...off to re-install his hard-disk and cross my fingers it doesn't get damaged on the way as I rattle along the potted holes of London's Streets. :uhoh:

And then I can turn my attention to my laptop which seems to overheat and shuts down after 10 mins or so :{, subject of another thread no doubt.

Cheers
Charles

amanoffewwords
8th May 2004, 07:32
Hey hey - BBC are reporting that the suspected author of Sasser has been arrested in Germany.

Now, for a suitable punishment....

http://www.stopstart.freeserve.co.uk/smilie/hanged.gif

Charles

Mac the Knife
8th May 2004, 09:31
"....this Guy Steve really does know what he is talking about. The FBI use him as do the CIA and he been known to assist the Met Police."

ROFL - Sorry PPRuNe Pop but no one in the real IT community seems to take Steve Gibson very seriously.

But grc.com IS useful and SpinRite was once the marvel of the age (I loved it)

BEagle
8th May 2004, 17:39
http://news.bbc.co.uk/1/hi/world/europe/3695857.stm gives more information about the arrest of the little $hit who started the sasser worm.

Hope he gets his just desserts!

Ausatco
8th May 2004, 23:22
quote: ROFL - Sorry PPRuNe Pop but no one in the real IT community seems to take Steve Gibson very seriously

Why is that, Mac?

AA

40 yearflyer
11th May 2004, 18:18
Sasser gone. To improve my knowledge of computers has anybody the time to answer the following questions:-

Why didn't McAfee spot I had the Sasser?

Why did Freeserve seem most vulnerable yet one other server, Supanet, seem immune to the Sasser?

When I found a firewall on the disc that came with the Toshiba laptop MSN said 'strongly recommend you do not load - it may not be compatible and could cause instability'. However, I already had an unstable laptop which kept closing down so I loaded it anyway. Eventually, I found a MSN website that told me how to go into the 'options' via Internet connections and there was an 'enable firewall' button! Anybody like XELIOS firewall or should I dump it and use the MSN/XP one?

As part of the debugging I deleted all cookies and found a MSN patch that would download without having to first download an XP update. At one attempt (of many) to download the update the window said it would take 6913 minutes ! - was this the sasser slowing things down or my rotten telephone/server? ( eventually it took only 2hours 30 minutes!)

amanoffewwords
23rd Sep 2004, 11:25
Good grief, the guy who wrote Sasser and Netsky has been given a job with SecurePoint - producers of anti-virus programs and firewalls.

Crime pays, evidently.

Link to BBC news story (http://news.bbc.co.uk/1/hi/technology/3677774.stm)

Mind you, he's still awaiting trial, so he might not be around long enough to collect a pension from them.

Evo
23rd Sep 2004, 11:29
It's catching on. MyDoom-U and MyDoom-V contain a message saying that "we searching 4 work in AV (anti-virus) industry." :rolleyes:

http://www.sophos.com/images/common/misc/mydoomv.jpg

Naples Air Center, Inc.
23rd Sep 2004, 13:20
Charles,

It sounds a lot like negotiating with terrorists. All you do is encourage more to follow.

If they commit a crime like this, they should not be allowed to work in the industry. (Unless self employed that is.)

Take Care,

Richard

Mac the Knife
23rd Sep 2004, 17:47
quote: ROFL - Sorry PPRuNe Pop but no one in the real IT community seems to take Steve Gibson very seriously

Why is that, Mac? [says Ausatco]

See http://grcsucks.com/

Spinrite was really a clever concept (and AFAIK the first program that allowed you to adjust interleave nondestructively) - hats off for that.

grc.com offers some useful elementary checks (thanks Steve) but being "Gibson safe" doesn't mean you can't be hacked by someone who really knows what they are up to.

Gibson isn't really a security pro.

See http://www.jluster.org/log/d/textual/misc/2002/10/30/shieldsup_analyzed for an analysis of Shields UP! by someone who knows what they are talking about.

Ausatco
24th Sep 2004, 08:21
Thanks for the links, Mac.

I had a look at both. I thought the first was hoist on its own petard. It accuses Gibson of, among other things, promoting personal views as fact and making unsubstantiated claims and statements. Yet that is just what the site does in reference to Gibson. It attacks the person, not the ideas or claims. I followed quite a few of its plethora of links and found much the same. My impression is that it is pretty much a crusade written by a zealot.

The second link is far more useful and has in fact moderated my enthusiasm for Gibson's writings. Reasonable critiques of claims and statements, backed up with technical explanation. Of course, for those of us who don't know one way or t'other that may not mean much and may be confusing, contradicting things we thought were unarguable fact, but at least it's credible discussion and not just personal vilification.

AA

stickyb
24th Sep 2004, 19:17
Ok, so the analysis in the second link is useful to have, and puts the product in perspective. But what we don't get is an alternative product. Anyone got any suggestions?