
Thread: Sasser Worm - Highly Infectious

  1. #1
    If you haven't already got the Sasser worm you will unless you get a patch.

    The Sasser worm is not spread by email and an infected machine can scan up to 200 other machines for weaknesses per second. The worm has so far been found to be harmless (i.e. it won't wipe your HD) but it will continually restart your computer, sometimes so quickly that you won't be able to download the fix.

    If it does reboot too quickly for you to get the patch, click on START, then RUN and type command.com. When the command prompt appears, type shutdown -a; this will abort the shutdown.

    Microsoft Windows update

    Edit: Fixed the link.

  2. The Drawing Room   -   #2
    lynx
    A friend got this on Sunday within about 2 mins of booting his pc, before he had chance to update his pc. It only seems to reboot your machine after you've been on the internet for about 1 minute (so it has time to replicate itself).

    It is actually very simple to kill it. All you have to do is kill off processes called avserve(2).exe or *****_up.exe (where ***** is 4 or 5 numbers) before you attempt to connect to the internet. You can then download the updates and cleaners and you should be safe again.

    But it all comes down to the old question - why does Microsoft directory services (port 445) need internet access? Microsoft should be made to answer this question.
    Political correctness is based on the principle that it's possible to pick up a turd by the clean end.
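
An added example, not part of any post in this thread: one way to pick out the process names listed in post #2 from a process listing before connecting to the network. The sample `tasklist /fo csv` output is constructed, and the function names are hypothetical.

```python
import csv
import io
import re

# Names taken from post #2: avserve.exe / avserve2.exe, or four or
# five digits followed by "_up.exe". Anchored so longer names do not match.
SASSER_NAME = re.compile(r"^(avserve2?|\d{4,5}_up)\.exe$", re.IGNORECASE)

# Constructed sample of `tasklist /fo csv` output (not from a real host).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"lsass.exe","692","Console","0","1,204 K"
"avserve2.exe","1432","Console","0","2,876 K"
"12345_up.exe","1780","Console","0","1,912 K"
"AVSERVE.EXE","1800","Console","0","2,100 K"
"123456_up.exe","1900","Console","0","900 K"
"backup_up.exe","1904","Console","0","880 K"
"explorer.exe","1512","Console","0","14,332 K"
'''


def find_suspect_processes(tasklist_csv):
    """Return (image_name, pid) for each row matching the names in post #2."""
    hits = []
    for row in csv.DictReader(io.StringIO(tasklist_csv)):
        name = (row.get("Image Name") or "").strip()
        pid = (row.get("PID") or "").strip()
        if SASSER_NAME.match(name) and pid.isdigit():
            hits.append((name, int(pid)))
    return hits


def kill_commands(hits):
    """Build taskkill commands for an operator to review before running."""
    return ["taskkill /F /PID %d" % pid for _, pid in hits]


if __name__ == "__main__":
    for cmd in kill_commands(find_suspect_processes(SAMPLE_TASKLIST)):
        print(cmd)
```

A file name is a weak indicator on its own, so treat a match as a prompt to run one of the removal tools linked in the thread rather than as proof of infection.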

  3. The Drawing Room   -   #3
    A router with ports 1000 < * will block most worms. On second thought, it's better to open only the ports that you use + software firewall.

  4. The Drawing Room   -   #4
    Note: the link above does not contain any info on this worm and should be removed

    Microsoft teams have confirmed that the Sasser worm (W32.Sasser.A and its variants) is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13 in conjunction with Microsoft Security Bulletin MS04-011.



    information on this worm can be found here

    http://www.microsoft.com/security/incident/sasser.asp

    or here

    http://www.symantec.com/avcenter/venc/data...asser.worm.html

    Removal tools here

    http://securityresponse.symantec.com/avcen...moval.tool.html

  5. The Drawing Room   -   #5
    Stinger is another free removal tool. It includes all current variants.

  6. The Drawing Room   -   #6
    MagicNakor
    AlexH typoed when he posted the link. He missed a C. He wasn't trying to be malicious, he's trying to help people who may not have known about it.

    things are quiet until hitler decides he'd like to invade russia
    so, he does
    the russians are like "OMG WTF D00DZ, STOP TKING"
    and the germans are still like "omg ph34r n00bz"
    the russians fall back, all the way to moscow
    and then they all begin h4xing, which brings on the russian winter
    the germans are like "wtf, h4x"
    -- WW2 for the l33t

  7. The Drawing Room   -   #7
    Hehe, yeah! Like Westpac Banking Corporation here in Australia, who had their entire network crash yesterday...

    Thanks for the extra info delphin.

  8. The Drawing Room   -   #8
    lynx
    Microsoft announced the problem and released the fix on April 13.

    They then re-issued the warning on April 28, and the Sasser worm was released into the wild on April 29. Anyone else think this sounds suspicious?

    The worm exploits a hole in Local Security Authority Subsystem Service. Why does this service have ANY access to the internet?

    Quite frankly, the whole thing stinks.
    Political correctness is based on the principle that it's possible to pick up a turd by the clean end.

  9. The Drawing Room   -   #9
    4play
    @ lynx lsass is used by internet explorer, that's why it can be remotely exploited.

    the original sasser worm was meant to be very poorly written. Even if it found a vulnerable machine it was not always able to infect the machine. these new variants are meant to be a lot more efficient.

  10. The Drawing Room   -   #10
    a fine example of why it pays sometimes to install Windows patches without being prompted by a major virus/worm threat like this one. if you make a habit of updating Windows every several days, you'd have gotten the anti-Sasser fix before the variants were even released.
