
Thread: Sasser Worm

  1. #1

    Default Sasser Worm

    http://zdnet.com.com/2100-1105-5203764.html
    http://securityresponse.symantec.com...sser.worm.html
    http://www.microsoft.com/security/incident/sasser.asp

    nasty worm on the loose... prevents you from shutting down the system and getting on the internet.
    Last edited by karwing; 2nd May 2004 at 12:12 AM.

  2. #2

    Default

    Just got SASSER this morning after I uninstalled my Norton. A dialog box read "NT Authority" followed by some "lsass.exe" thingy. To make things worse, I also got the GAOBOT. Gosh, the PC is so vulnerable without an antivirus software. Sasser wasn't so bad but Gaobot prevented me from accessing the Symantec and other popular antivirus websites. Once I managed to manually remove the obstacles and update NAV, NAV cleared them all. Thank goodness.

  3. #3

    Default

    Quote Originally Posted by Barrios
    Just got SASSER this morning after I uninstalled my Norton. A dialog box read "NT Authority" followed by some "lsass.exe" thingy. To make things worse, I also got the GAOBOT. Gosh, the PC is so vulnerable without an antivirus software. Sasser wasn't so bad but Gaobot prevented me from accessing the Symantec and other popular antivirus websites. Once I managed to manually remove the obstacles and update NAV, NAV cleared them all. Thank goodness.
    yup got it too... sigh

    Seems that it's so new that there are so many variants to it. Must get the latest updated virus def from Norton; the most recent one (dated 29 Apr) won't help in detecting Sasser.

  4. #4

    Default

    Quote Originally Posted by karwing
    yup got it too... sigh

    Seems that it's so new that there are so many variants to it. Must get the latest updated virus def from Norton; the most recent one (dated 29 Apr) won't help in detecting Sasser.
    u need version 5/1/2004 rev.23 of the virus definition file to get rid of the worm..

    i got the worm too!

  5. #5

    Default

    Quote Originally Posted by Barrios
    Just got SASSER this morning after I uninstalled my Norton. A dialog box read "NT Authority" followed by some "lsass.exe" thingy. To make things worse, I also got the GAOBOT. Gosh, the PC is so vulnerable without an antivirus software. Sasser wasn't so bad but Gaobot prevented me from accessing the Symantec and other popular antivirus websites. Once I managed to manually remove the obstacles and update NAV, NAV cleared them all. Thank goodness.
    Hey everyone,
    I kana GAOBOT like a week ago and it works like the same as the Blaster worm. It will pop up this small window with this 1 minute countdown timer thingy. However, I have tried all kinds of ways to remove the stupid worm but without any success.

    Microsoft emailed me to update the latest service pack because my laptop is vulnerable. I tried but the countdown timer thing will pop up before I can finish downloading. And worst, I'm using dial-up so downloading can take up all day.

    I downloaded the virus removal tool from the Symantec website to remove the GAOBOT worm. Run for like so many times already but still cannot get rid of the worm.

    I think from the description above, I think I have also kana the SASSER virus.

    Can some kind soul out there help me out on how to get the viruses and worms out of my laptop? It's driving me crazy!!

    Desperate,
    -Michelle-

    P.S - I am using the Norton 2002 version.

  6. #6
    Member
    Join Date
    May 2003
    Location
    Singapore
    Posts
    42

    Default

    Quote Originally Posted by mich_2103
    Hey everyone,
    Microsoft emailed me to update the latest service pack because my laptop is vulnerable. I tried but the countdown timer thing will pop up before I can finish downloading. And worst, I'm using dial-up so downloading can take up all day.
    Microsoft will never email anyone with an update patch. That was a virus/worm at work, masquerading as Microsoft, to get unknowing users to click on the link/attachment to activate it.

  7. #7
    Member
    Join Date
    Mar 2004
    Location
    all around the world
    Posts
    507

    Default

    Quote Originally Posted by mich_2103
    Hey everyone,
    I kana GAOBOT like a week ago and it works like the same as the Blaster worm. It will pop up this small window with this 1 minute countdown timer thingy. However, I have tried all kinds of ways to remove the stupid worm but without any success.

    Microsoft emailed me to update the latest service pack because my laptop is vulnerable. I tried but the countdown timer thing will pop up before I can finish downloading. And worst, I'm using dial-up so downloading can take up all day.

    I downloaded the virus removal tool from the Symantec website to remove the GAOBOT worm. Run for like so many times already but still cannot get rid of the worm.

    I think from the description above, I think I have also kana the SASSER virus.

    Can some kind soul out there help me out on how to get the viruses and worms out of my laptop? It's driving me crazy!!

    Desperate,
    -Michelle-

    P.S - I am using the Norton 2002 version.
    Hi Michelle,

    you can try doing this:

    Use someone's comp to go onto the internet. Go to Symantec's website and download the virus removal tool for both GAOBOT & SASSER.

    Save them in a diskette and then run them on your comp.

    It should work.

    PM me if you need any help.

    Regards
    meepokman

  8. #8

    Default

    Quote Originally Posted by meepokman
    Hi Michelle,

    you can try doing this:

    Use someone's comp to go onto the internet. Go to Symantec's website and download the virus removal tool for both GAOBOT & SASSER.

    Save them in a diskette and then run them on your comp.

    It should work.

    PM me if you need any help.

    Regards
    meepokman
    Hi meepokman,
    I have downloaded the virus removal tool from Symantec's website for both GAOBOT and SASSER to my laptop. I tried running them on my laptop but they just told me they did not find any worms/viruses in my laptop.

    Funny thing is the moment I activate my internet connection after I restart my computer, this stupid countdown timer thingy pops up again. So obviously, there is still a virus/worm inside my laptop.

    ARRGHH!!!!!!

    Pissed off,
    -Michelle-

  9. #9

    Default

    Quote Originally Posted by A70
    Microsoft will never email anyone with an update patch. That was a virus/worm at work, masquerading as Microsoft, to get unknowing users to click on the link/attachment to activate it.
    Hi,
    I didn't exactly receive an email from Microsoft. It's just the message after I finished running the virus removal tool from Symantec for the GAOBOT worm. They told me my system is vulnerable and the GAOBOT virus can come in different variants, especially for this RPC thingy, and gave me the Microsoft website and asked me to download the service pack from there.

    Sian man... This stupid worm thingy...

    Irritated,
    -Michelle-

  10. #10
    Senior Member
    Join Date
    May 2004
    Location
    newbie land
    Posts
    1,971

    Default

    Quote Originally Posted by mich_2103
    Hi meepokman,
    I have downloaded the virus removal tool from Symantec's website for both GAOBOT and SASSER to my laptop. I tried running them on my laptop but they just told me they did not find any worms/viruses in my laptop.

    Funny thing is the moment I activate my internet connection after I restart my computer, this stupid countdown timer thingy pops up again. So obviously, there is still a virus/worm inside my laptop.

    ARRGHH!!!!!!

    Pissed off,
    -Michelle-
    Hi mich_2103,

    Are u using XP or WinME? How does the countdown screen look like, say the type of message that appears in the dialog box?

    Maybe you could do a free full system scan from

    http://us.mcafee.com/root/mfs/default.asp?cid=9914

    once you find out the correct virus name then get the correct tools to kill it
    Last edited by DarkForce; 2nd May 2004 at 04:53 PM.

  11. #11

    Default

    Quote Originally Posted by mich_2103
    Hi,
    I didn't exactly receive an email from Microsoft. It's just the message after I finished running the virus removal tool from Symantec for the GAOBOT worm. They told me my system is vulnerable and the GAOBOT virus can come in different variants, especially for this RPC thingy, and gave me the Microsoft website and asked me to download the service pack from there.

    Sian man... This stupid worm thingy...

    Irritated,
    -Michelle-
    from http://securityresponse.symantec.com...sser.worm.html ,

    Removal using the W32.Sasser Removal Tool
    Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.Worm. This is the easiest way to remove this threat and should be tried first.

    Manual Removal
    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


    1. End the malicious process.
    2. Disable System Restore (Windows Me/XP).
    3. Update the virus definitions.
    4. Run a full system scan and delete all the files detected as W32.Sasser.Worm.
    5. Reverse the change made to the registry.

  12. #12

    Default

    Quote Originally Posted by DarkForce
    Hi mich_2103,

    Are u using XP or WinME? How does the countdown screen look like, say the type of message that appears in the dialog box?

    Maybe you could do a free full system scan from

    http://us.mcafee.com/root/mfs/default.asp?cid=9914

    once you find out the correct virus name then get the correct tools to kill it
    Hi DarkForce,
    Like what Barrios described, it said something about "NT Authority" and something "lsass.exe" thingy. Then it has this 1 minute timer thingy that starts counting down. I believe this is the work by the SASSER virus.

    But it can also come in other variants for the pop-up timer. There's also another kind that tells me something about my RPC in the dialog box. I believe this is the GAOBOT worm's at work.

    Sadly, my Norton can detect them, but cannot repair them. Now even worse - can't even quarantine them so I have to resort into deleting the affected files.

    Sigh... any IT/computer gurus out there have any other alternative to rid this stupid thing?

    Desperate,
    -Michelle-

  13. #13

    Default

    Quote Originally Posted by mich_2103
    Hi DarkForce,
    Like what Barrios described, it said something about "NT Authority" and something "lsass.exe" thingy. Then it has this 1 minute timer thingy that starts counting down. I believe this is the work by the SASSER virus.

    But it can also come in other variants for the pop-up timer. There's also another kind that tells me something about my RPC in the dialog box. I believe this is the GAOBOT worm's at work.

    Sadly, my Norton can detect them, but cannot repair them. Now even worse - can't even quarantine them so I have to resort into deleting the affected files.

    Sigh... any IT/computer gurus out there have any other alternative to rid this stupid thing?

    Desperate,
    -Michelle-
    for your Gaobot virus,

    Removal using the Removal Tool
    Symantec Security Response has developed a removal tool to clean the infections of W32.HLLW.Gaobot.ADX. This is the preferred method in most cases.


    Manual Removal
    Perform a manual removal if you cannot obtain the tool.

    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


    1. Disable System Restore (Windows Me/XP).
    2. Restart the computer in Safe mode or VGA mode.
    3. Reverse the changes made to the registry.
    4. Update the virus definitions.
    5. Run a full system scan and delete all the files detected as W32.Gaobot.ADX.

  14. #14
    Member
    Join Date
    Feb 2003
    Location
    Bedok, Singapore
    Posts
    687

    Default

    Quote Originally Posted by mich_2103
    Hi meepokman,
    I have downloaded the virus removal tool from Symantec's website for both GAOBOT and SASSER to my laptop. I tried running them on my laptop but they just told me they did not find any worms/viruses in my laptop.

    Funny thing is the moment I activate my internet connection after I restart my computer, this stupid countdown timer thingy pops up again. So obviously, there is still a virus/worm inside my laptop.

    ARRGHH!!!!!!

    Pissed off,
    -Michelle-
    Disable your System Restore and boot into safe mode before scanning.

  15. #15

    Default

    Don't forget that the source of your infection is that you probably don't have the Microsoft security patch MS04-11, 12 and 14. The virus will reinfect your system even if you kill it without patching the hole in Win 2K, XP etc. Easiest way to get the MS patches is to visit windowsupdate site and download them.

  16. #16

    Default

    It had been an eventful Sunday for me. Struck by variants of Gaobot twice in one day and Sasser too. How come didn't strike 4-D? I managed to get rid of them all and get my PC working normally again but not forgetting to update my security updates this time around. My experience was that the virus (don't know which one) not only shut down my NAV but also stopped me from going online too. Damn it big time! Lucky for me I have another good old Pentium 2 beside my P4 and my P2 actually saved the day.

    What I did was I downloaded 3 removal tools from Symantec using my P2 - FxGaobot, FxGaobotUJ and FxSasser - and ran them on my P4. Sasser was immediately removed but Gaobot was not detected at all (probably of the variants). But I still couldn't enable my NAV 2003 program. Next, I re-booted my PC in "safe mode" and ran the NAV, thank goodness it worked. This time it managed to detect 2 files but deleted only 1 and quarantined 1 (the "hosts" file). Feeling uneasy with the quarantine thingy, I manually deleted the "hosts" file and patch it back using the "hosts" file copied from my P2. (The "hosts" file is responsible for getting online, without it no can do). Re-booted my P4 in normal mode....wa lah....I'm online.

  17. #17

    Default

    How to disable System Restore?

    Also, since my system already kenna infected, how to go about installing antivirus? (Just delete the software cos it kept prompting me to renew).

    Got no floppy disk, only CD ROM. Do I've to create a bootable CD first?

    I think i've enabled firewall but now I can't even connect to the net.

    Help....!

  18. #18
    Member
    Join Date
    Apr 2002
    Location
    Central
    Posts
    761

    Default damn

    Damn!!!,,,I Gana also..

    and i notice i got it when i was doing a windows update...read from some where that the virus attacks the windows update patches for itself...so how to patch when the patch also gana virus.....?????

  19. #19

    Default

    Quote Originally Posted by kenghor
    How to disable System Restore?

    Also, since my system already kenna infected, how to go about installing antivirus? (Just delete the software cos it kept prompting me to renew).

    Got no floppy disk, only CD ROM. Do I've to create a bootable CD first?

    I think i've enabled firewall but now I can't even connect to the net.

    Help....!
    If yours is XP, cannot do any installation in Safe Mode. Else, go to Safe Mode and do it. Internet access is blocked by Gaobot cos it has changed your hosts.
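
Added example, not part of the thread or any poster's code: posts #2, #16 and #19 describe Gaobot changing the hosts file so that antivirus sites stop resolving, and this sketch shows how such entries can be spotted by parsing the file and flagging any mapping for a watched vendor domain. The watchlist (built from domains linked in this thread) and the sample file are assumptions constructed for illustration.

```python
import ipaddress

# Assumed watchlist: vendor domains taken from the links in this thread.
WATCHLIST = ("symantec.com", "microsoft.com", "mcafee.com", "nai.com")

# Constructed sample hosts file, not captured from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com securityresponse.symantec.com
127.0.0.1       us.mcafee.com   # trailing comment
0.0.0.0         windowsupdate.microsoft.com
192.0.2.10      intranet.example
not-an-ip       vil.nai.com
"""


def on_watchlist(name, watchlist=WATCHLIST):
    """True if name is a watched domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return (line_no, address, hostname) for each watched name the file overrides."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue  # blank, comment-only, or address without a name
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a valid address, so not a usable mapping
        for name in names:
            if on_watchlist(name, watchlist):
                findings.append((line_no, addr, name))
    return findings


if __name__ == "__main__":
    # On Windows 2000/XP the real file is %SystemRoot%\system32\drivers\etc\hosts.
    for line_no, addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
```

A clean default hosts file contains no entries for these domains, so any finding is worth reviewing before the file is restored.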

  20. #20

    Default

    Quote Originally Posted by kenghor
    How to disable System Restore?

    Also, since my system already kenna infected, how to go about installing antivirus? (Just delete the software cos it kept prompting me to renew).

    Got no floppy disk, only CD ROM. Do I've to create a bootable CD first?

    I think i've enabled firewall but now I can't even connect to the net.

    Help....!
    disabling system restore:
    http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
