Computer/Internet Issues & Troubleshooting

W32.Sasser.Worm <-- Important

Old 1st May 2004 | 14:12
#1
Thread Starter

'nough said
 
Joined: Sep 2002
Posts: 1,025
Likes: 0
From: Raynes Park
W32.Sasser.Worm <-- Important

Hi peeps,

currently installing another Dell (arrgghhh I hear some of you cry!).

Anyway, W32.Sasser.Worm managed to download itself and penetrate the system within 5 seconds of connecting to broadband for the first time, hence before I managed to do an anti-virus update.

The Symantec website doesn't have much info on it yet as it only came out yesterday but it apparently uses an MS exploit.

I strongly recommend everyone runs an update to their anti-virus as well as the windows update to avoid getting this worm. Activate a firewall too if you can.

Symptoms I have seen so far are that the system slows down big time and eventually reboots automatically (like Blaster did last year). It also disables Norton Anti-Virus and plays havoc with the Internet connection.

Cheers
Charles
amanoffewwords
Old 2nd May 2004 | 20:10
#2
 
Joined: Sep 1999
Posts: 175
Likes: 0
From: Deepest Dark Afrika
Blerry Viruses ...

Well, amofw, you can come and install a Dell at my place anytime!

What concerns me about some of the latest Viruses (virii?) is their ability to disable Norton AV. I'm not even going to ask how they achieve this, but how do you detect that NAV has been disabled? Presumably it appears to run without detecting anything, but the system just gets slower and s-l-o-w-e-r.

Second question - once you have deduced that NAV has been nobbled, how do you get it back to doing what it should be doing? Clean install?

Feeling a bit sensitive about viruses at the moment - last week was back at a site where I picked up a W32.BleBla worm last year. And one of the students had exactly the same symptoms that I experienced last year (unable to save document on any drive because "Disk Full"). But NAV gives the system a clean bill of health. So I just wonder whether NAV has been nobbled.

Comments anyone?
Feline
Old 2nd May 2004 | 22:25
#3

Nice-but-dim
20 Anniversary
 
Joined: Sep 2001
Posts: 640
Likes: 0
From: Rural Yorkshire
Well, my NAV is giving a last definition date of yesterday - just checked Windows Update and I have no critical updates outstanding on my XP system (last checked 2 or 3 weeks ago). However Sasser made the BBC news tonight here in the UK.
timmcat
Old 2nd May 2004 | 22:26
#4

Jolly Green Giant
 
Joined: May 1999
Posts: 586
Likes: 0
From: Dublin, Ireland
Thanks for this post amon. I got the bloody thing yesterday, system was shutting down after a few minutes of connection. Report was saying it was the lsass.exe. But of course thanks to the links on PPRuNe given by other posters I was able to get the info from Symantec and go into the regedit and hey presto! there it was, avserve.exe, just calmly sitting there causing havoc.......

It's now gone, no damage and I installed Zone Alarm Pro yesterday, never heard of it before and I'm really impressed by it, very easy to use and it adapts to my use so it knows what to trust.

I've also downloaded all patches from MS in Windows Update. I'd advise all PPRuNErs to do the same....
OneWorld22
Old 3rd May 2004 | 11:06
#5
slj
 
Joined: Mar 2001
Posts: 179
Likes: 0
From: UK
Detailed guidance and a fast check to see if you are infected is at http://www.microsoft.com/security/incident/sasser.asp
slj
Old 3rd May 2004 | 11:19
#6
 
Joined: Dec 2001
Posts: 168
Likes: 0
From: East of Suez
Didn't get the virus but I can't download the relevant Windows XP Update (KB835732). Tried several times but it gets so far then stops. The checker mentioned above only works if you have successfully installed KB835732. Anybody got any ideas on the installation problem? Thanks.
Soddit
Old 3rd May 2004 | 12:00
#7
 
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Soddit,

Go here and install the Belarc Advisor. It will open a page in your browser and tell you (amongst lots of other things) what updates you have installed previously. Check to see if you already have this one. There is no way on earth that M$ will have brought out a patch specifically for Sasser this quickly, so it may be that it's trying and failing to overwrite a previously installed update.

If you don't already have the worm, then an update for your AV will be enough to protect you until M$ sort this patch out. A quick trip to Googleland shows that it can cause more problems than it fixes.. just one being 99% CPU activity, and the recommendation to uninstall it anyway..

Hope that helps..

Cheers

Liam
E-Liam
Old 3rd May 2004 | 13:11
#8
 
Joined: Dec 2001
Posts: 168
Likes: 0
From: East of Suez
Liam..

That is very kind. Complete answer to my question. Plus a very useful bit of software. Thank you so much. Soddit.
Soddit
Old 3rd May 2004 | 13:21
#9
 
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
You're welcome..
E-Liam
Old 3rd May 2004 | 16:10
#10
Thread Starter

'nough said
 
Joined: Sep 2002
Posts: 1,025
Likes: 0
From: Raynes Park
E-Liam,

Microsoft issued the fix for this worm some two weeks ago, so I can't see why you think they're not on the ball in this case?

Feline,

when I discovered sasser on this client's PC I did a ctrl+alt+delete and terminated anything that looked suspicious. Also ran "msconfig.exe" and stopped various suspect applications from starting - including avserve.exe. Then rebooted and ran NAV update and full scan as well as Windows update. Also checked and removed the avserve.exe entry in the registry. Activating the firewall might have helped too.

Norton was shown as being disabled 'cause it had a cross on the tray icon and if you hovered over it the icon disappeared. Not exactly black magic, innit??!

Cheers
Charles
amanoffewwords
Old 3rd May 2004 | 19:34
#11
 
Joined: Sep 1999
Posts: 175
Likes: 0
From: Deepest Dark Afrika
Yeah, well - If I saw a blerry great cross over the NAV icon in the system tray, then even I might (dimly) realise that something was amiss ... But then I was labouring under the (erroneous) impression that NAV could get nobbled without any such overt sign - weren't I?

I do remain a tad suspicious of NAV and its abilities to pick up viruses as they reach my system - ran a complete system check today (which took longer than I care to think about) and it found 13 viruses. (None of them were Sasser I might add).

How come, I ask myself, did these get there in the first place if the virus scanner was permanently switched on? Maybe a couple of holes in the magic robe?

And you still haven't answered my question as to how you realised you copped Sasser in the first place - was it the fact that NAV had been visibly nobbled, or was it because the system suddenly started behaving like a crippled donkey, or did you have an amazing flash of inspiration that told you to run msconfig, and/or Ctrl-Alt-Del and go look for avserve.exe?

Please amofw - not being sarcastic, just interested to know because I suspect myself of extreme paranoia when my system runs a bit slow and find myself wondering whether NAV isn't just a wee bit behind the bleeding edge on occasion ...

I'm really beginning to think in terms of installing a basic entry level system as my interface to the outside world, on the basis that if I have the slightest suspicion that something untoward is happening I will just restore it from a (known good) mirror image and carry on my happy way ...
Feline
Old 3rd May 2004 | 20:10
#12
 
Joined: Jan 2004
Posts: 357
Likes: 0
From: Bracknell UK
Hi Amofw,

I just re-read my post..

It could be misconstrued I suppose, but it does say what I wanted it to say.. in that the fix wasn't specifically written to combat the Sasser worm, but to plug yet another hole in the sieve. Sasser exploits this after the fact. I was pointing out that the patch may already have been installed as it, by the very nature of M$'s updates, would not have been written in the last two days and... it wasn't.

Agreed it could have been worded better, so if there was any mis-understanding, then I apologise...

Cheers

Liam
E-Liam
Old 3rd May 2004 | 20:46
#13

Jolly Green Giant
 
Joined: May 1999
Posts: 586
Likes: 0
From: Dublin, Ireland
Well, my system started to shut down on Saturday and the report stated it was the lsass.exe file. When it wasn't shutting down and with the browser and e-mail closed, the system was sending and receiving data of its own accord! (I have dial up and could see the icon) my system also slowed right down....

Luckily I could stay connected long enough to go to the Symantec website and they gave me the easy to follow steps and I went to regedit and deleted avserve.exe and then yesterday ran the fix and it deleted the virus.

There was no indication on my NAV that it was switched off or there was anything wrong. And I had all the latest updates....
OneWorld22
Old 3rd May 2004 | 20:50
#14

Plastic PPRuNer
25 Anniversary
 
Joined: Sep 2000
Posts: 1,902
Likes: 0
From: Rochechouart, France
Thanks for the Belarc tip E-Liam

Mac
Mac the Knife
Old 3rd May 2004 | 21:01
#15
Thread Starter

'nough said
 
Joined: Sep 2002
Posts: 1,025
Likes: 0
From: Raynes Park
Gotcha e-liam - M$ writes the fix, then comes Mr Cretin and writes the worm as he's clever enough to know that 99% of users still don't bother updating windoze - I take it that's what you meant.

Feline, I don't recall the exact sequence of events as I was sitting there sweating with the customer breathing down my neck ("is everything all right?" every 5 mins, "fine, don't worry, go make another cuppa tea..")... BUT, I do recall the PC slowing down to a point I thought he might have bought a Celeron processor but my suspicions were awoken when I saw it was a P4 3.0, and that it seemed to stall quite a lot. I managed to run the NAV update and ran a full system scan, and hey presto Sasser came out. The rest as they say is history.

By the way, when I said it ain't black magic, I was talking about my own skills, I'm no Harry Potter.

Charles

ps. you might get viruses slipping through if they creep into your system in between updates - in the last few days my NAV has updated 3-4 times, might want to check that yours is set to auto-update too.
amanoffewwords
Old 3rd May 2004 | 21:32
#16
25 Anniversary
 
Joined: May 1999
Aviation Qualifications: ATP+Mil
Posts: 27,397
Likes: 857
From: Quite near 'An aerodrome somewhere in England'
Do remember that Norton releases AV updates as soon as they are available - but that some may require manual download. An example is the latest fix for Sasser D which was released only a few hours ago....

See http://www.sarc.com/avcenter/venc/da....sasser.d.html for more information.
BEagle
Old 4th May 2004 | 01:58
#17
 
Joined: Sep 1998
Posts: 513
Likes: 0
From: Sydney, Australia
Liam, thanks for the Belarc link - excellent tool.

Amofw, thank you for your link to the M$ fix for the worm. My son has a non-updated computer (XP Home), but was smart enough not to log on when he heard that the worm was in the wild. I downloaded the M$ fix to a memory stick, installed it on his machine and now it's on-line catching up on his updates. Only 3 hours to go at 40k

AA
Ausatco
Old 4th May 2004 | 05:52
#18
 
Joined: May 2002
Posts: 20
Likes: 0
From: Far East
I have recently moved house (I live in Philippines), and only on Friday did I manage to get phone line and ADSL connected, and that is when my Norton Antivirus went wrong, so it may or may not be to do with the Sasser worm.

Norton Auto Protect was somehow disabled as well as email screening, no way could I enable them, so eventually uninstalled and reinstalled, so now of course my virus definitions are hopelessly out of date, but live update won't work and I cannot even connect to Symantec to do a manual download. This leaves me somewhat vulnerable. I have tried numerous times.

I have downloaded the MS KB 835732 and the detection tool and I have ZoneAlarm, so it could be worse. Can anyone give me a clue as to what may be wrong? Is the Symantec site down?

Thanks, and the Belarc Advisor is GOOD.
lofty50
Old 4th May 2004 | 07:01
#19
Thread Starter

'nough said
 
Joined: Sep 2002
Posts: 1,025
Likes: 0
From: Raynes Park
lofty50,

one of the obvious clues is that you'll have avserve running in the background - if you do a ctrl+alt+del you'll see it in the list of running processes and you should be able to kill it there, albeit temporarily.

You can also, depending on your OS, run msconfig.exe
(start--->run) and disable avserve.exe from the startup list. In this case you'll need to reboot and try liveupdate once more.

And download the M$ patch as mentioned in one of my previous posts.

hth
Charles
amanoffewwords
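The manual triage described in posts #10 and #19 (look for avserve in Task Manager, disable its msconfig startup entry, delete the Run key value, then patch with KB835732) can be scripted. The following is an added example written for this page, not something any poster ran in 2004: it uses modern PowerShell (Windows 8 / Server 2012 or later for Get-NetTCPConnection; the other cmdlets work on Windows 7 too) and must run in an elevated session. Everything beyond the thread's own indicators is taken from Symantec's public Sasser write-up and labelled in comments: the avserve2.exe name used by Sasser.B, and the backdoor listeners on TCP 5554 (FTP) and TCP 9996 (shell). It only reports unless you pass -Remove.

```powershell
# Added example: Sasser triage in PowerShell (run as Administrator).
# Automates the manual steps from the thread: Task Manager, msconfig, regedit,
# and checking that the LSASS patch (MS04-011 / KB835732) is installed.
[CmdletBinding()]
param([switch]$Remove)

# Indicators. avserve.exe is from the thread; avserve2.exe (Sasser.B) and the
# backdoor ports below come from Symantec's public write-up, not the posts.
$names   = @('avserve', 'avserve2')
$files   = $names | ForEach-Object { Join-Path $env:WINDIR "$_.exe" }
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$patchId = 'KB835732'
$findings  = @()
$badValues = @()

# 1. Running process (what the posters looked for with Ctrl+Alt+Del).
$procs = Get-Process -Name $names -ErrorAction SilentlyContinue
foreach ($p in $procs) { $findings += "process $($p.ProcessName) (PID $($p.Id))" }

# 2. Autostart entry (what msconfig and regedit showed them).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Value -is [string] -and $prop.Value -match 'avserve2?\.exe') {
            $badValues += $prop.Name
            $findings  += "Run value '$($prop.Name)' = $($prop.Value)"
        }
    }
}

# 3. Dropped copy of the worm in %WINDIR%.
foreach ($f in $files) { if (Test-Path $f) { $findings += "file $f" } }

# 4. Is the LSASS patch installed? (what Belarc Advisor was used for in the thread)
$patched = [bool](Get-HotFix -Id $patchId -ErrorAction SilentlyContinue)

# 5. Backdoor listeners: TCP 5554 (FTP) and TCP 9996 (remote shell), per Symantec.
#    Get-NetTCPConnection needs Windows 8 / Server 2012+; older hosts: netstat -an.
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
          Where-Object { $_.LocalPort -in 5554, 9996 }
foreach ($l in $listen) {
    $findings += "listener on TCP $($l.LocalPort) (PID $($l.OwningProcess))"
}

# Report.
if ($findings.Count -eq 0) { Write-Host 'No Sasser indicators found.' }
else {
    Write-Host 'Sasser indicators:'
    $findings | ForEach-Object { Write-Host "  $_" }
}
Write-Host ("{0} installed: {1}" -f $patchId, $patched)
if (-not $patched) {
    Write-Warning "Apply MS04-011 ($patchId) before reconnecting to the network; an unpatched box is reinfected within seconds, as post #1 describes."
}

# Cleanup, in the order the posters used: kill the process first (or it
# rewrites its Run value), then the autostart entry, then the file.
if ($Remove -and $findings.Count -gt 0) {
    $procs | Stop-Process -Force -ErrorAction SilentlyContinue
    foreach ($v in $badValues) {
        Remove-ItemProperty -Path $runKey -Name $v -ErrorAction SilentlyContinue
    }
    foreach ($f in $files) {
        if (Test-Path $f) { Remove-Item $f -Force -ErrorAction SilentlyContinue }
    }
    Write-Host 'Removed. Reboot, update the AV signatures and run a full scan.'
}
```

Run it once without -Remove to see what it finds, patch, then run it with -Remove and reboot. The process check alone is not sufficient: lofty50's post below shows a host where NAV was disabled but no avserve process was visible, which is why the script also checks the Run key, the dropped file and the backdoor ports, and why a clean result here still calls for a full scan with current signatures.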
Old 4th May 2004 | 07:31
#20
 
Joined: May 2002
Posts: 20
Likes: 0
From: Far East
Charles

Thanks for your reply, but no avserve showing anywhere. I can see isass.exe mentioned by a previous poster, and also Navapsvc.exe which sounds somewhat similar to avserve?

It has occurred to me that as I have reinstalled NAV I need to reregister, I doubt it but I will try that anyway.

The odd thing is that I cannot get connected to the Symantec website either, in addition to not being able to run Live update. As I mentioned I have the MS patch already.
lofty50



Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.