Sasser Internet Worm

Discussion in 'Computer Security' started by AJ, May 3, 2004.

  1. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    "The Sasser worm spreads in a similar way to last year's serious Blaster outbreak, in so much as it travels via the internet exploiting security holes in Microsoft's software and does not use email," said Graham Cluley, senior technology consultant for Sophos. "At the moment it's not travelling as fast as Blaster did, but computers which are not properly protected with anti-virus updates, firewalls and Microsoft's security patch are asking for trouble."

    Read the Sophos data on this worm Sasser
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  2. SimonV
    Honorary Member

    SimonV Petabyte Poster Gold Member

    Here's a little more info on the virus and its variants:

    http://www.microsoft.com/security/incident/sasser.asp

    There is also an on-line scanner for the virus, and if you're unlucky enough to have been infected you can remove the virus using McAfee AVERT Stinger
     
    Certifications: MOS Master 2003, CompTIA A+, MCSA:M, MCSE
    WIP: Keeping CF Alive...
  3. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    This one seriously screwed up my morning. HP was hit pretty hard. Fortunately/unfortunately, they also enabled a process on Saturday that automatically scans any PC on the network...those without the right patches are taken off the network. All my users plus the lab machines comply with the internal security policies so they're automatically protected. Unfortunately, we were given a guest machine that wasn't protected.

    I had to manually download the patches onto a thumb drive and install them on the guest machine (HP pavilion). So far so good. I found a process that was sucking up a lot of CPU cycles. Looked like some sort of adware. I killed the process and the machine runs much faster now. The on board Norton Anti-virus 2004's subscription had expired so I used Trend Micro's site to scan the machine.

    25 files infected with WORM SASSER.C and they're non-cleanable. I'm a little nervous about just deleting them since they don't seem to be doing any observable harm. All of the infected files are in the C:\WINDOWS\System32 folder. I need this machine to be up and running in the lab in four hours. Should I risk it?
     
    Certifications: A+ and Network+
  4. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Update: Stinger.exe by McAfee has been updated to include detection/removal of Sasser. I'm running it now. Any other comments, suggestions, or opinions are of course quite welcome. I'll let you know how stinger turns out.
     
    Certifications: A+ and Network+
  5. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Another update: Stinger finished. Found the 25 infected files and automatically deleted them. I'm running stinger again just to be on the safe side. Looks good thus far.
     
    Certifications: A+ and Network+
  6. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Cheers for the nod, Guys - will go grab Stinger now. I see AVG has just done its near-daily update, so hopefully that will include the patch.

    I expect I'll be in for one or two more calls than usual this week at work, then ? :roll:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  7. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    The patch(es) you'll need can be found at Windows Update. Sasser takes advantage of some recently discovered holes and MS released the patches for them in the past few weeks. If your machine is up to date, using Stinger should do it.
     
    Certifications: A+ and Network+
  8. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    I have already installed the recent MS cumulative Security Update that we discussed recently - interesting to find out if that includes the patch for the exploit.

    I'll still be running a Stinger check shortly anyway, and will read up on Sophos - I really do think that work is going to be hellish for the next wee while.

    The Guys that were there last year (before I was) recall that when MSBlast kicked in on the scene, it was just like Armageddon :evil:

    Oh well, welcome to Tech Support...... :cry:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  9. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    I just need to know if you mean the free CD sent out by MS or the most recent significant download of the past couple of weeks. The download would be the correct answer in this case for closing the offending port.
     
    Certifications: A+ and Network+
  10. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Thanks Trip - I was indeed referring to the free MS CD of late, so I guess the answer is "no" to my question.

    OK - will get onto MS Update now. Just finished bringing down Stinger - gonna run that first.
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  11. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    No worries, Gav. The updates on the disk are several months old. MS creates new releases every Tuesday (not that there are actually new ones each week...that's just the day they've set aside to dole out what they may have). :)
     
    Certifications: A+ and Network+
  12. Phoenix
    Honorary Member

    Phoenix 53656e696f7220 4d6f64

    What would happen if you had, say, 100 machines infected and not under such a security policy? Wouldn't it make more sense to move infected machines off the main network to a segregated network with a SUS server/AV server so that all machines could be updated to meet security policy at greater speed/less administrative overhead?

    Well, not like you can question HP's policies hehe, just an observation hehe :P
     
    Certifications: MCSE, MCITP, VCP
    WIP: > 0
  13. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    I'd just like to add a quick thanks to AJ for bringing this to us promptly and with great info :D :thumbleft

    Action like that, and the subsequent discussion and learning are what I love about this place.

    Cheers Guys.
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  14. AJ

    AJ 01000001 01100100 01101101 01101001 01101110 Administrator

    This one does seem to be a nasty one so it's best that we're all aware of it. I now know what my job is in the morning, looking after my servers (bless their hearts).
     
    Certifications: MCSE, MCSA (messaging), ITIL Foundation v3
    WIP: Breathing in and out, but not out and in, that's just wrong
  15. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Message from the servers: :wub
     
    Certifications: A+ and Network+
  16. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Been looking around a bit on the net for info on it, but can't actually find details of signs of its activity.

    Does anyone actually know how it manifests itself ?

    Interestingly, late on my shift on Sat, I had a call from a user saying he was getting disconnected almost immediately after connecting to the Internet (10-60 secs). So the light bulb comes on - :idea: - Blaster, I tell him.

    He reported a Windows error referencing "lsass.exe". Strange, I thought - Blaster was always RPC. Now it all seems to fall into place. Maybe .....
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  17. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Nope. All the classic signs of Sasser. Probably easiest to give you the link to the SS thread here. Also, another link here has the relevant screen shots if you'll scroll down.
     
    Certifications: A+ and Network+
  18. nugget
    Honorary Member

    nugget Junior toady

    Just want to say (shout) that "I LOVE LINUX" more and more every day. :wub
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  19. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    However, I don't support Linux so we make do with what we have <sigh>. :wink:
     
    Certifications: A+ and Network+
  20. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Thanks once again, Trip - I'm forewarned and forearmed before work tomorrow - oooohh, that's gonna be fun :aaah

    @nugg - fair point, but that ain't gonna solve the probs of 99% of workplaces unfortunately, Mate :cry:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity