The SASSER Worm/ NT Authority Shutdown

Reply Mon 3 May, 2004 09:44 pm
The SASSER Worm is the latest "Big Deal" out there, and is even more dangerous in that no user action is required to infect a machine; merely being on the internet without the necessary Microsoft Critical Updates and Security Patches, and no properly configured Firewall or AntiVirus is all it takes. While not directly affected by the "NT Authority Shutdown" issue, Windows 9x/ME machines may still be infected, passing on the critter to later-version Windows machines, where the worm can and does raise havoc. Currently, there are at least 4 variants of the critter identified, and its rate of spread is accelerating. I have been busy all day clearing it from machines of friends and clients, and have found it frequently accompanied by a couple other nasties. From the look of things, I'll be pretty busy for the next couple days at least.

Microsoft offers a Free Detection and Removal Tool, and free tools also are available at:

Computer Associates

Network Associates

Trend Micro

A fully updated Operating System along with a properly configured and currently updated Firewall and AntiVirus are absolute necessities, both to protect yourself and to prevent your machine from becoming a distribution point for things such as the Sasser Worm. Be certain your Internet Explorer and your version of Windows are current by frequently visiting Windows Update, and if you do not already do so, equip yourself with both a Firewall and an AntiVirus. Below is an assortment of some which are downloadable and offer free trial periods.

EZ-Armor Full Version 12 Month free trial, includes AntiVirus

F-secure Full Version 6 Month free trial, includes AntiVirus

Panda Full Version 90 Day free trial, includes AntiVirus

Norton/Symantec Individual Full Version 90 Day free trials of Firewall and AntiVirus

Trend Micro Basic limited-feature edition 30 Day free trial, includes AntiVirus

Norman Basic limited-feature edition 30 Day free trial, includes AntiVirus

ZoneAlarm Basic, limited-feature edition is free, subscription-for-fee upgrades offer more features and protection, Firewall only, no AntiVirus included.

Kerio Basic limited-feature edition 30 day free trial, Firewall only, no Antivirus included.

There are plenty of others from which to choose, just choose and use SOMETHING.

A major problem is that an infected machine may not be able to access the internet long enough to make use of the online removal tools. The removal method I've been using is as follows:

From an uninfected machine, go to STINGER, read and understand the instructions (print them out for good measure), then download Stinger to a floppy disk. Also download Trend Micro's "SysClean" Tool, which, at about 3.5MB, will require 3 floppies or some other higher-capacity portable mass storage device (I've been using a USB Flash Drive, but a CD-R or a Zip Disk could be used as well). Along with the tool, be sure to download the latest data file, as detailed in the accompanying Read Me File.

Boot the infected machine into safemode:

Starting Win 9x/ME in Safe Mode

Starting Win 2K in Safe Mode

Starting Win XP in Safe Mode

If the infected machine is running WinME or WinXP, Disable System Restore (Note: you will lose any saved restore points; when the "Fix" process has been completed, re-enable System restore and establish a new restore point).

Load the disk containing Stinger into the infected machine's floppy drive, and copy Stinger to a folder of its own on the infected machine's C: drive. Create a folder on the C: drive by right-clicking "My Computer", then selecting "Open". From within the "My Computer" folder, find the folder or icon which represents your C: drive, right-click on that, and again select "Open". From that folder's toolbar, select "File", then select "Folder". A "New Folder" will appear; name the folder "Stinger", and copy Stinger from the floppy into that folder, eject the floppy, then click on the icon to run Stinger from that location.

When that has completed, do not reboot. Go to Start > Settings > Control Panel, and select "Internet Options". From the "General" tab, delete Cookies, and Delete Files, selecting "Delete all offline content" at the prompt. Next click the "Security" tab, and click on each icon there to make sure each zone is set to its "Default Level". Next, click on the "Privacy" tab, and again be sure "Default Level" is selected. Finally, click on the "Advanced" tab, and be sure that is set to "Default Level" as well. Click "Apply", then click OK, but do not reboot at the prompt. Go to Start > My Computer > Drive C: > Windows > Temp, and open the "Temp" folder. From the tool bar, click "Edit", then click "Select All". Click "File", select "Delete", and confirm you wish to delete all files (including any individual files for which you may receive additional confirmation prompts). When that has been accomplished, close out of all windows and from the desktop, right-click the Recycle Bin, select-and-confirm "Empty Recycle Bin".

Reboot back into safemode, and create a folder on the C: drive for Trend's removal tool, and copy the files from those floppies, or from whatever media you have them on, into that folder (a Win9x/ME machine probably won't recognize a USB device while in safemode, so you'll likely have to boot normally to access and transfer the files if that's how you have them, then boot into safemode to run the fix). Following the instructions from the "Read Me" file, run Sysclean from that location. When it has completed, once again empty the Windows "Temp" folder, then empty the Recycle Bin.

If the infected machine is running WinXP, enable the built-in Windows XP Firewall.

Reboot normally, connect to the internet, and go immediately to Windows update and obtain all Critical Updates and Security Patches. Finally, go to Microsoft's Free Detection and Removal Tool, run the scan to be sure (and the fix, if needed, but so far I haven't found it necessary to run the fix).

Finally, make sure the machine has current and properly configured Firewall and AntiVirus applications installed and running. And of course, after all that poking and shoving, the machine could use a defrag as well.
Type: Discussion • Score: 2 • Views: 46,147 • Replies: 16

Reply Tue 4 May, 2004 09:50 am
I got it. This sucks. We've hardly even been using the computer lately.
0 Replies
Reply Tue 4 May, 2004 10:26 am

I hope you can be soothing. I've been trying for 72 hours to get through to the Microsoft. The screen announces "this may take a few minutes to download".

Meanwhile, I have XP--homebody version. I have EZ anti-virus--the free version and a firewall from Zone Alarm--also the free version.

Obviously I'm going to keep trying to get through to Microsoft for the patch. Meanwhile, do I worry routinely, or urgently or precious little?

Should I shut down the computer when I'm not on line?

Is there justice in this wicked world? (Optional question).
0 Replies
Reply Tue 4 May, 2004 11:33 am
Noddy, I just downloaded the MS patches no problem. I suspect you may already be infected. Get a copy of Stinger and do as Timber suggests. It will work. The process is fairly simple to eradicate sasser. At least this variant.
0 Replies
Reply Tue 4 May, 2004 11:50 am

My computer shows no signs of turning itself off.
0 Replies
Reply Tue 4 May, 2004 11:55 am
That isn't the only sign. My machine was just really slow, or in some cases, not functioning correctly. It kept getting worse and worse the longer I left it on. I finally gave up and just unplugged the sucker and brought it into work today. McAfee Stinger cleans it up.
0 Replies
Reply Tue 4 May, 2004 11:58 am
Look and see if you have any process running named "avserve.exe" or similar, using Task Manager. Also, any process with the word "boy" in it. If so, you have sasser.
0 Replies
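The Task Manager check described in the post above, as an added example that is not part of the original thread: it applies the two name indicators the poster gives to the CSV output of `tasklist /fo csv`. The sample rows, the function name and the `winboy.exe` entry are constructed for illustration.

```python
import csv
import io

# Indicators taken from the post above: "avserve.exe" or similar, and any
# process name containing "boy". Everything else here is an assumption.
NAME_PREFIXES = ("avserve",)
NAME_SUBSTRINGS = ("boy",)

# Constructed sample of `tasklist /fo csv` output (not from a real host).
# Note the comma inside the quoted memory column; a plain split(",") breaks on it.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","16 K"
"lsass.exe","492","Console","0","1,420 K"
"explorer.exe","1380","Console","0","18,204 K"
"AVSERVE.EXE","1904","Console","0","2,116 K"
"avserve2.exe","2012","Console","0","2,240 K"
"winboy.exe","2200","Console","0","1,008 K"
'''


def suspicious_processes(tasklist_csv):
    """Return (pid, image_name, reason) for rows matching the post's indicators."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2 or not row[1].isdigit():
            continue  # skip the header row, blank lines and malformed records
        name, pid = row[0], int(row[1])
        # Windows image names are case-insensitive; compare without the extension.
        stem = name.lower().rsplit(".", 1)[0]
        if stem.startswith(NAME_PREFIXES):
            hits.append((pid, name, "prefix"))
        elif any(s in stem for s in NAME_SUBSTRINGS):
            hits.append((pid, name, "substring"))
    return hits


if __name__ == "__main__":
    for pid, name, reason in suspicious_processes(SAMPLE_TASKLIST):
        print(f"PID {pid}: {name} ({reason} match)")
```

A name match only finds copies that kept the names listed in the post, so an empty result does not show the machine is clean.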
Reply Tue 4 May, 2004 12:18 pm

By going to Timber's link, I reached Microsoft (I'd been using my "shortcut" icon which wasn't well named this week).

Then I downloaded and installed the five critical updates.

I had not noticed any particular slowness or malfunction.

I'm going to assume that all is hunky-dory.
0 Replies
Reply Wed 5 May, 2004 01:30 am
Try this:

0 Replies
satt fs
Reply Wed 5 May, 2004 02:01 am
You can introduce a personal firewall and close unnecessary ports (for example, I usually do not accept inward transmission except through ports 25, 110, 443, 22, and 53). Of course, you must visit the Windows Update site very often.
0 Replies
Reply Wed 5 May, 2004 06:24 am

I double checked with Microsoft and have no problems--having downloaded "all critical updates".
Thanks--and welcome to A2K.


I'm a Luddite and couldn't make sense of your suggestion. As I said earlier, I have a firewall and virus protection. Thanks for the thought.
0 Replies
satt fs
Reply Wed 5 May, 2004 06:31 am
If your firewall is set to the highest security level, almost all ports except those which I mentioned must be closed.
0 Replies
Reply Wed 5 May, 2004 06:44 am

Sorry, but you're not speaking clearly enough to educate this Global Village Idiot.

Microsoft says the critical updates were installed correctly and I'm protected.

This soothes my mind. Thanks for your input.
0 Replies
Reply Sat 6 Nov, 2004 08:15 pm
Hi timber, long time no speak.... How are ya doing?

My post fits in here -

Late on the 3rd I was attacked by the Sasser.B.... I closed down my internet connection and ran my cheepie AV - which had not stopped the worm, but only told me that I had it and should run the program. That was a surprise.

Next morning - the 4th - my machine told me that I had -
Trojan horse IRC/ Backdoor. Sdbot.67. BV.....
5 mins later it told me I had
I- Worm/ Sasser.E.....

5 mins later Trojan horse Downloader.Istbar.4.BJ
Trojan horse Downloader.Small.13.N

I noticed they were going into temp - so I went there and started to delete them. They kept downloading on me.

Next morning - the 5th - my machine told me I had a worm called the Lovsan.A.....

I ran my AV - but the bugger kept coming back into different files.

I stopped my machine and went to the nearest computer store and purchased Norton 2005 and Spy Sweeper.

That did not close the door on these pests.

I then followed HofT's advice and went to Don's site and downloaded CWShredder, Ad-Aware, Spybot, used BitDefender and Trend Micro's services...... That stopped my problems - except for two tiny things - there are two small files in my temp folders that cannot be deleted.
The first one is =
Perflib_Perfdata_588 ---- the name keeps changing slightly.

My system is operating normally now - except for these two files - which I think are malware.

Do you have a suggestion to delete these??

0 Replies
Reply Sat 6 Nov, 2004 08:24 pm
See if you can rename them in safemode, then try to delete them.
0 Replies
Reply Sat 6 Nov, 2004 08:26 pm
Hi danon5,
Did you try deleting those while in safe mode ?

Check Ad-aware and Spybot for updates. Then reboot to safe mode, clean out your Temp Folders, empty your Recycle Bin as well, and then run a scan with Ad-aware and Spybot.

Let us know if that helps you out
0 Replies
Reply Sat 6 Nov, 2004 09:12 pm
I just posted to your thread Don.... Thanks, I'll do what you say.

Thank you timber - I tried to rename them the first day - but, not in safe mode.

This seems to be an historic epidemic.......?

Naaaaah...... Just another sh-theads dream....
0 Replies
