Warning: Sasser Worm | Ford Explorer - Ford Ranger Forums - Serious Explorations


Warning: Sasser Worm

bigred93explrer

What You Should Know About the Sasser Worm
Posted: May 1, 2004

Microsoft teams and law enforcement authorities are investigating reports of a worm, identified as W32.Sasser.worm, that is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue fixed in Microsoft Security Update MS04-011 on April 13, 2004.

How to Tell If Your Computer Is Infected
If your computer is infected with the W32.Sasser.worm, you will see a dialog box with an LSASS.exe error.


Mitigation Steps for Affected Computers

1. Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
2. Disconnect the computer from the Internet.
3. Restart the computer. If you have problems rebooting, reboot in safe mode.
4. Press CTRL+ALT+DEL.
5. Click the Task Manager.
6. Click the Processes tab.
7. Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
8. Click the End Task button.
9. Click Start.
10. Click Search and then search for and delete the following files:
    C:\WINDOWS\avserve.exe
    c:\WINDOWS\system32\*_up.exe
11. Click Start again, click Run, and then type: regedit32
12. Click OK.
13. In Registry Editor, locate and delete the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
14. Connect the computer to the Internet.
15. Go to the Windows Update site, and click the Scan for Updates button.
16. Download and install the critical updates recommended after the scan.

Preventive Steps for Home Users
If you have a computer with Windows XP and have enabled the Windows XP Firewall, you are protected from attacks by this worm. Also, most third-party firewalls will block this attack.

If you do not have the Windows XP Firewall enabled or a third-party firewall set up, please take the recommended basic precautions when connecting to the Internet to make your personal computer more resistant to this type of attack:

Take 3 Steps to Help Ensure Your PC Is Protected

For the Latest Developments
Microsoft is working closely with the Virus Information Alliance to analyze the malicious code and provide guidance to antivirus companies. Microsoft is committed to helping our customers maintain a safe computing environment. We will update this page with new information and guidance about how to address this issue as it becomes available.
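A read-only check for the file, process and Run-value indicators named in the notice above, as an added example that is not part of the original post or of Microsoft's guidance. The function name Get-SasserIndicator and the choice of PowerShell are assumptions made for illustration.

```powershell
# Read-only triage for the Sasser indicators listed in the notice above.
# It reports findings and changes nothing; removal stays a manual step.
function Get-SasserIndicator {
    param(
        # Assumption: Windows lives in its default directory, as in the notice.
        [string]$WinDir = $env:windir
    )

    # File indicators: <windir>\avserve.exe and <windir>\system32\*_up.exe
    $filePatterns = @(
        (Join-Path $WinDir 'avserve.exe'),
        (Join-Path $WinDir 'system32\*_up.exe')
    )
    foreach ($pattern in $filePatterns) {
        Get-ChildItem -Path $pattern -Force -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Type = 'File'; Detail = $_.FullName } }
    }

    # Running processes whose image path matches either file pattern.
    # Path is empty for processes the caller cannot inspect, so run elevated.
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
        $proc = $_
        foreach ($pattern in $filePatterns) {
            if ($proc.Path -like $pattern) {
                [pscustomobject]@{ Type = 'Process'; Detail = "PID $($proc.Id): $($proc.Path)" }
            }
        }
    }

    # Autostart entry: value "avserve.exe" under the HKLM Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'avserve.exe' -ErrorAction SilentlyContinue
    if ($run) {
        [pscustomobject]@{ Type = 'RunValue'; Detail = "avserve.exe = $($run.'avserve.exe')" }
    }
}

$hits = @(Get-SasserIndicator)
if ($hits.Count -eq 0) {
    'None of the indicators from the notice were found.'
} else {
    $hits | Format-Table -AutoSize
}
```

An empty result only means these specific artifacts are absent; it does not show that the MS04-011 update is installed.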
 
bigred93explrer

By the way, this only affects Windows XP and 2000. The most noticeable symptom is you suddenly won't be able to browse. You will get "page cannot be displayed".
 
SoBeLover

Well, since I've had my XP firewall up since I've installed it and I have Zone Alarm, I should be safe.
 
maxx31

just go to symantec.com

ld50 said:
:) looks like you got it covered, here is a link for removal of the virus as well!

http://www.pchell.com/virus/sasser.shtml
They have a Sasser removal tool free for download. It will scan and delete the worm if found. Then apply the Microsoft patch, then turn on your firewall!! Of course you will need access to another PC to download the tool in the first place if you have the worm! Unless you can download it in under 60 secs!!!! he he
 
ld50

Actually you can stop it from shutting you down by stopping the process, but...
Who hasn't beaten that worm already?

:)
 
maxx31

actually, not really

ld50 said:
Actually you can stop it from shutting you down by stopping the process, but...
Who hasn't beaten that worm already?

:)
The lsass.exe is a system process... cannot be shut down.

The system will power down if you somehow manage to do so, exactly what the worm actually does!
 
bigred93explrer

ld50 said:
Actually you can stop it from shutting you down by stopping the process, but...
Who hasn't beaten that worm already?

:)

This is a separate virus from the one that came out in the fall. That one was called the Blaster worm; this is the Sasser worm. It just came out a couple of weeks ago and it looks like sometimes it goes in and eats up the patches that were installed from the Blaster worm and creates the same problem. My job is doing technical support via phone for an internet service, and I have also been working for Microsoft for the past two weeks helping out with their 800 number for this particular issue. So to answer your question of who hasn't beaten this worm... the answer is not very many people, since this is a new worm.
 
maxx31

here is the deal...

This worm attacks a Windows process (not service). When the process is shut down, your system reboots. The Blaster worm had a similar effect in that the system would restart as well... only here it was attacking the RPC service. Both can be avoided by using a good firewall such as the free Zone Labs ZoneAlarm and patching the systems. Symantec has a great tool for free to remove both the Blaster and Sasser worms. I too am a long-time tech. I support fairly adequate networks... 20 PCs+. Firewalling is the most critical security measure, because a firewall blocks/stealths ports, exactly what the worm looks for: specific open ports for the attack. Good anti-virus software is a second line of defense against these viruses. Symantec also has a great free online virus scan if you think you may be infected with any other virus. later
 