
Sasser Worm - Highly Infectious



Alex H
05-05-2004, 01:29 AM
If you haven't already got the Sasser worm you will unless you get a patch.

The Sasser worm is not spread by email and an infected machine can scan up to 200 other machines for weaknesses per second. The worm has so far been found to be harmless (i.e. it won't wipe your HD) but it will continually restart your computer, sometimes so quickly that you won't be able to download the fix.

If it does re-boot too quickly for you to get the patch, click on START, then RUN and type command.com. When the command prompt appears, type shutdown -a; this will abort the shutdown.

Microsoft Windows update (http://windowsupdate.microsoft.com)

Edit: Fixed the link. :ninja:

lynx
05-05-2004, 02:41 AM
A friend got this on Sunday within about 2 mins of booting his PC, before he had a chance to update his PC. It only seems to reboot your machine after you've been on the internet for about 1 minute (so it has time to replicate itself).

It is actually very simple to kill it. All you have to do is kill off processes called avserve(2).exe or *****_up.exe (where ***** is 4 or 5 numbers) before you attempt to connect to the internet. You can then download the updates and cleaners and you should be safe again.

But it all comes down to the old question - why does Microsoft directory services (port 445) need internet access? Microsoft should be made to answer this question.
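The remedy in the post above is to find and kill the worm's processes before going online. As an added example (not code from the post or from any vendor tool), here is a small Python script that parses the default `tasklist` table and flags image names matching the indicators the post names: avserve.exe, avserve2.exe and a 4-5 digit number followed by _up.exe. The sample table is constructed for this example; the PIDs and rows are made up.

```python
import re
from typing import List, Tuple

# Indicator process names from the post above: avserve.exe / avserve2.exe and
# <4 or 5 digits>_up.exe. Matched case-insensitively because Windows image
# names are not case sensitive.
SASSER_PROCESS_PATTERNS = [
    re.compile(r"^avserve2?\.exe$", re.IGNORECASE),
    re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE),
]

# Constructed sample in the layout of the default `tasklist` table; the two
# suspect rows are made up for this example and are not real captured output.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
smss.exe                       412 Console                    0        388 K
lsass.exe                      692 Console                    0      3,556 K
avserve2.exe                  1880 Console                    0      1,204 K
48526_up.exe                  1912 Console                    0        972 K
explorer.exe                  1432 Console                    0     14,320 K
"""


def is_sasser_indicator(image_name: str) -> bool:
    """True if an image name matches one of the indicator patterns."""
    name = image_name.strip()
    return any(p.match(name) for p in SASSER_PROCESS_PATTERNS)


def parse_tasklist(output: str) -> List[Tuple[str, int]]:
    """Extract (image name, PID) pairs from default `tasklist` output.

    Rows whose image name contains spaces (e.g. "System Idle Process") are
    skipped; none of the indicator names contain spaces, so nothing is lost.
    The header and separator rows fail the regex and are skipped too.
    """
    rows = []
    for line in output.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s", line)
        if m:
            rows.append((m.group(1), int(m.group(2))))
    return rows


def find_suspect_processes(output: str) -> List[Tuple[str, int]]:
    """Return the (image name, PID) pairs that match the indicator patterns."""
    return [(name, pid) for name, pid in parse_tasklist(output)
            if is_sasser_indicator(name)]


if __name__ == "__main__":
    for name, pid in find_suspect_processes(SAMPLE_TASKLIST):
        print(f"suspect process {name} (PID {pid})")
```

On a real host you would feed it the output of `tasklist` and then end each flagged PID with `taskkill /PID <pid> /F`. The match is on the image name alone, so it is a triage aid, not a cleaner: the post's advice to run the vendor removal tool and install the patch afterwards still applies.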

Ariel_001
05-05-2004, 02:52 AM
A router with ports 1000 < * will block most worms. On second thought, it's better to open only the ports that you use + a software firewall.

delphin460
05-05-2004, 03:04 AM
Note: the link above does not contain any info on this worm and should be removed.

Microsoft teams have confirmed that the Sasser worm (W32.Sasser.A and its variants) is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13 in conjunction with Microsoft Security Bulletin MS04-011.



Information on this worm can be found here

http://www.microsoft.com/security/incident/sasser.asp

or here

http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

Removal tools here

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

Jg427
05-05-2004, 03:44 AM
Stinger (http://vil.nai.com/vil/stinger/) is another free removal tool. It includes all current variants.

MagicNakor
05-05-2004, 03:44 AM
AlexH typoed when he posted the link. He missed a C. :rolleyes: He wasn't trying to be malicious, he's trying to help people who may not have known about it.

:ninja:

Alex H
05-05-2004, 04:47 AM
Hehe, yeah! Like Westpac Banking Corporation here in Australia, who had their entire network crash yesterday...

Thanks for the extra info delphin.

lynx
05-05-2004, 09:50 AM
Microsoft announced the problem and released the fix on April 13.

They then re-issued the warning on April 28, and the Sasser worm was released into the wild on April 29. Anyone else think this sounds suspicious?

The worm exploits a hole in Local Security Authority Subsystem Service. Why does this service have ANY access to the internet?

Quite frankly, the whole thing stinks.

4play
05-05-2004, 01:55 PM
@ lynx lsass is used by Internet Explorer, that's why it can be remotely exploited.

The original Sasser worm was meant to be very poorly written. Even if it found a vulnerable machine it was not always able to infect the machine. These new variants are meant to be a lot more efficient.

3RA1N1AC
05-05-2004, 11:23 PM
A fine example of why it pays sometimes to install Windows patches without being prompted by a major virus/worm threat like this one. If you make a habit of updating Windows every several days, you'd have gotten the anti-Sasser fix before the variants were even released.

Rat Faced
05-05-2004, 11:55 PM
Originally posted by lynx@5 May 2004 - 09:58
Microsoft announced the problem and released the fix on April 13.

They then re-issued the warning on April 28, and the Sasser worm was released into the wild on April 29. Anyone else think this sounds suspicious?

The worm exploits a hole in Local Security Authority Subsystem Service. Why does this service have ANY access to the internet?

Quite frankly, the whole thing stinks.
I'm sure that Microsoft would never dream of releasing a worm that will affect every Windows operating system except those updated, which means knocking most illegal copies of Windows XP offline.....


...... I'm sure it was pure coincidence that they got the fix out just before the worm was released, and told everyone to update.


:unsure: :helpsmile:

namzuf9
05-06-2004, 12:49 AM
Oops, I got this one and twigged onto it within an hour.
My bro works for a software development team and it took their "specialists" 2 days to come up with a solution when my brother told them the remedy the same day.
Freaking M$ and their damn vulnerable closed source software. Bloody RPC and DCOM. Damn patches released too damn late. Damn script kiddies, let's see a real challenge that makes new virus definitions and patches worthless. Give us a good polymorph to play with.

clocker
05-06-2004, 01:41 AM
I'm sure that Microsoft would never dream of releasing a worm that will affect every Windows operating system except those updated, which means knocking most illegal copies of Windows XP offline.....
Huh?
That never seemed to stop me from updating (not that I would do that anymore, of course, and I am clearly uberl33t...whatever the hell that means).


...... I'm sure it was pure coincidence that they got the fix out just before the worm was released, and told everyone to update
Go ahead, admit it...the worm was released by a man on the grassy knoll, right?

SeK612
05-06-2004, 08:52 AM
I updated my system a few days ago after seeing a post on this forum about new patches released by MS. I haven't come into contact with the virus but have heard it's affected a few companies around the world.

delphin460
05-06-2004, 09:09 AM
Originally posted by namzuf9@6 May 2004 - 00:57
Oops, I got this one and twigged onto it within an hour.
My bro works for a software development team and it took their "specialists" 2 days to come up with a solution when my brother told them the remedy the same day.
Freaking M$ and their damn vulnerable closed source software. Bloody RPC and DCOM. Damn patches released too damn late. Damn script kiddies, let's see a real challenge that makes new virus definitions and patches worthless. Give us a good polymorph to play with.
This is the best thing I have found to get rid of the M$ stuff

Gibson Research is M$ anti-devil

3 nice tools to stop DCOM, UPnP and Windows Messenger

http://www.grc.com/default.htm

lynx
05-06-2004, 12:05 PM
Originally posted by 4play@5 May 2004 - 14:03
@ lynx lsass is used by Internet Explorer, that's why it can be remotely exploited.
Not so.

If you've got an unpatched lsass.exe (and no firewall) you can get infected without running Internet Explorer. That happened to my friend, he went online to get his mail (he uses Eudora, before anyone comments on links with Outlook Express).

IE may use lsass, but I can see NO need for lsass to have internet access. Client for Microsoft Networks doesn't usually get internet access because it isn't needed and would be dangerous; the same should be true for lsass.

Lsass is part of Windows directory services and as such uses port 445. It generates the process which performs user validation for the Winlogon service - do you really think that's a good service to have available from the internet?

Edit:
Microsoft announced the problem and released the fix on April 13.

They then re-issued the warning on April 28, and the Sasser worm was released into the wild on April 29. Anyone else think this sounds suspicious?
I was not suggesting that Microsoft released the Sasser worm, merely that they knew of its existence before it was loose. If that's the case they could have given much more advance warning about the worm.

Rat Faced
05-06-2004, 04:42 PM
Originally posted by clocker@6 May 2004 - 01:49

I'm sure that Microsoft would never dream of releasing a worm that will affect every Windows operating system except those updated, which means knocking most illegal copies of Windows XP offline.....
Huh?
That never seemed to stop me from updating (not that I would do that anymore, of course, and I am clearly uberl33t...whatever the hell that means).


...... I'm sure it was pure coincidence that they got the fix out just before the worm was released, and told everyone to update
Go ahead, admit it...the worm was released by a man on the grassy knoll, right?
If your serial number was from a "list", then you're very lucky if you can use update; if from a keygen then there shouldn't be any problems...which is why I said "most" :P


Now that you mention it, you often get worms in grassy knolls.. ;)

tracydani
05-06-2004, 08:06 PM
I had this the other day. I noticed my folding project hadn't moved all day and checked the task manager. I found between 6 and 10 instances of it running at one time (kept fluctuating), which was strange because it seems I read only 1 could run at a time.

It did not shut down or restart my computer either, even though I keep reading that this is what it does. I searched for the process and came up with this and was quite impressed that I had caught something that was reported 2 days before :P Usually I don't get these until they have been out a while.

I also got something yesterday called rasoutou(sp?) and came up with conflicting reports as to whether it was a virus or not. Some sites say it is a valid Windows process (some kind of dialer) and others say it is a virus. I have never seen it before and it was using 90% of my processor. Strange thing is that I am completely up to date with everything and this was an old (6 months or more) problem.

Also strange that I got the Sasser because Windows Update keeps saying I don't need anything :blink:

TD

Rat Faced
05-06-2004, 08:16 PM
Well, it is Microsoft.

I wouldn't be surprised if their "fix" to stop the new Sasser worm actually invites the old one onto your system ;)

:lol: :lol:

BigBank_Hank
05-07-2004, 03:09 AM
Today I keep getting attempts to infect my computer with this virus. I caught it 3 times in about an hour and again later on during the day. I'm running Norton Internet Security so luckily it stops it before it gets to me. My question is I have the jerk's ISP, IP, City, State, and Postal Zip code but what can I do with this information? I'm not into all the hacking stuff so I wouldn't know what to do with the IP and stuff like that. Any suggestions?

4play
05-07-2004, 03:29 AM
I would send an email to abuse@ his ISP stating the time and IP of the person who is infected.

Hopefully they will take some action like call him up and tell him he is infected and he should try cleaning up his system.

Apart from that there is very little you can do.
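The two posts above describe repeated blocked connection attempts from one address and the suggestion to send the time and IP to the ISP's abuse contact. As an added example (not from either poster, and not the format of Norton Internet Security's own log), here is a Python script that reads a constructed, simplified firewall log, counts inbound attempts to TCP/445 (the port the thread identifies as the one LSASS listens on) per source address, and produces the time-and-IP lines an abuse report needs. The log format, addresses (RFC 5737 documentation ranges) and timestamps are all constructed for this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed log format for this example: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>BLOCK|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: one address probing port 445 repeatedly, one single
# probe, one unrelated web connection, and one UDP line that must be ignored.
SAMPLE_FIREWALL_LOG = """\
2004-05-07 10:02:11 BLOCK TCP 203.0.113.45:3219 -> 192.168.1.10:445
2004-05-07 10:02:12 BLOCK TCP 203.0.113.45:3220 -> 192.168.1.10:445
2004-05-07 10:15:40 BLOCK TCP 203.0.113.45:3481 -> 192.168.1.10:445
2004-05-07 10:20:03 BLOCK TCP 198.51.100.7:1044 -> 192.168.1.10:445
2004-05-07 10:21:17 ALLOW TCP 198.51.100.200:51233 -> 192.168.1.10:80
2004-05-07 11:05:55 BLOCK TCP 203.0.113.45:4112 -> 192.168.1.10:445
2004-05-07 11:06:00 BLOCK UDP 203.0.113.45:4113 -> 192.168.1.10:445
"""


class Source(NamedTuple):
    ip: str
    attempts: int
    first_seen: str
    last_seen: str


def summarize_port_probes(log_text: str, port: int = 445, proto: str = "TCP") -> List[Source]:
    """Group connection attempts to the given port by source address.

    Returns one Source per address, most attempts first. Timestamps are kept
    as ISO-style strings, so min()/max() give first and last seen directly.
    """
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m or m["proto"] != proto or int(m["dport"]) != port:
            continue  # unparsable, wrong protocol, or a different port
        seen[m["src"]].append(m["ts"])
    result = [Source(ip, len(ts), min(ts), max(ts)) for ip, ts in seen.items()]
    return sorted(result, key=lambda s: (-s.attempts, s.ip))


def abuse_report_lines(sources: List[Source], min_attempts: int = 3) -> List[str]:
    """One report line per address that probed at least min_attempts times.

    The threshold keeps a single stray connection out of the report; a host
    that hits the same port repeatedly is the pattern worth passing on.
    """
    return [
        f"{s.ip}: {s.attempts} inbound TCP/445 attempts between "
        f"{s.first_seen} and {s.last_seen} (UTC)"
        for s in sources if s.attempts >= min_attempts
    ]


if __name__ == "__main__":
    for line in abuse_report_lines(summarize_port_probes(SAMPLE_FIREWALL_LOG)):
        print(line)
```

Real firewall exports differ in layout, so LOG_LINE is the part to adapt; the grouping and threshold logic stay the same. Including the first and last timestamp, with the timezone, is what lets the ISP match the address to a customer.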

Alex H
05-07-2004, 03:34 AM
Which jerk? If it's the owner of the computer that's trying to send it to you, they probably don't know they've got it.

If it's the person who wrote it, you can report them to me and you'll never have any problems with them again... :gunsmile:

BigBank_Hank
05-07-2004, 03:41 AM
Well hell, what should I do? If it's just some poor sap who got infected themselves the last thing they need is their ISP on their ass. :helpsmile:

4play
05-07-2004, 03:48 AM
The poor sucker might have noticed he is infected by now, especially since the worm crashes your computer. :lol:

Just ignore it and hide behind your patched and firewalled machine :P

Biggles
05-07-2004, 05:07 PM
I haven't really kept up with all the latest fads - does it affect Windows 3.1? :blink: