Sasser Worm


Status
Not open for further replies.

Barrios

Senior Member
May 19, 2002
715
0
16
57
Visit site
#2
Just got SASSER this morning after I uninstalled my Norton. A dialog box read "NT Authority" followed by some "lsass.exe" thingy. To make things worse, I also got the GAOBOT. Gosh, the PC is so vulnerable without an antivirus software. Sasser wasn't so bad but Gaobot prevented me from accessing the Symantec and other popular antivirus websites. Once I managed to manually remove the obstacles and update NAV, NAV cleared them all. Thank goodness.
 

karwing

New Member
Dec 1, 2003
93
0
0
44
AMK
#3
Barrios said:
Just got SASSER this morning after I uninstalled my Norton. A dialog box read "NT Authority" followed by some "lsass.exe" thingy. To make things worse, I also got the GAOBOT. Gosh, the PC is so vulnerable without an antivirus software. Sasser wasn't so bad but Gaobot prevented me from accessing the Symantec and other popular antivirus websites. Once I managed to manually remove the obstacles and update NAV, NAV cleared them all. Thank goodness.
yup got it too... sigh

seems that it's so new that there are so many variant to it. must get the latest updated the virus def from norton, the most recent one (dated 29 Apr) won't help in detecting Sasser.
 

#4
karwing said:
yup got it too... sigh

seems that it's so new that there are so many variant to it. must get the latest updated the virus def from norton, the most recent one (dated 29 Apr) won't help in detecting Sasser.
u need version 5/1/2004 rev.23 of the virus definition file to get rid of the worm..

i got the worm too! :cry:
 

mich_2103

New Member
Jul 26, 2003
193
0
0
35
Visit site
#5
Barrios said:
Just got SASSER this morning after I uninstalled my Norton. A dialog box read "NT Authority" followed by some "lsass.exe" thingy. To make things worse, I also got the GAOBOT. Gosh, the PC is so vulnerable without an antivirus software. Sasser wasn't so bad but Gaobot prevented me from accessing the Symantec and other popular antivirus websites. Once I managed to manually remove the obstacles and update NAV, NAV cleared them all. Thank goodness.
Hey everyone,
I kana GAOBOT like a week ago and it works like the same as the Blaster worm. It will pop up this small window with this 1 minute countdown timer thingy. However, I have tried all kinds of ways to remove the stupid worm but without any success.

Microsoft emailed me to update the latest service pack because my laptop is vulnerable. I tried but the countdown timer thing will pop up before I can finish downloading. And worst, I'm using dial-up so downloading can take up all day.

I downloaded the virus removal tool from the Symantec website to remove the GAOBOT worm. Run for like so many times already but still cannot get rid of the worm. :cry:

I think from the description above, I think I have also kana the SASSER virus. :cry:

Can some kind soul out there help me out on how to get the viruses and worms out of my laptop? It's driving me crazy!! :confused:

Desperate,
-Michelle- :sweat:

P.S - I am using the Norton 2002 version.
 

A70

New Member
May 2, 2003
42
0
0
Singapore
Visit site
#6
mich_2103 said:
Hey everyone,
Microsoft emailed me to update the latest service pack because my laptop is vulnerable. I tried but the countdown timer thing will pop up before I can finish downloading. And worst, I'm using dial-up so downloading can take up all day.
Microsoft will never email anyone to with an update patch. That was a virus/worm at work, masquerading as Microsoft, to get unknowing users to click on the link/attachment to activate it.
 

#7
mich_2103 said:
Hey everyone,
I kana GAOBOT like a week ago and it works like the same as the Blaster worm. It will pop up this small window with this 1 minute countdown timer thingy. However, I have tried all kinds of ways to remove the stupid worm but without any success.

Microsoft emailed me to update the latest service pack because my laptop is vulnerable. I tried but the countdown timer thing will pop up before I can finish downloading. And worst, I'm using dial-up so downloading can take up all day.

I downloaded the virus removal tool from the Symantec website to remove the GAOBOT worm. Run for like so many times already but still cannot get rid of the worm. :cry:

I think from the description above, I think I have also kana the SASSER virus. :cry:

Can some kind soul out there help me out on how to get the viruses and worms out of my laptop? It's driving me crazy!! :confused:

Desperate,
-Michelle- :sweat:

P.S - I am using the Norton 2002 version.
Hi Michelle,

you can try doing this:

Use someone's comp to go onto the internet. Go to Symantec's website and download the virus removal tool for both GAOBOT & SASSER.

Save them in a diskette and then run them on your comp.

It should work.

PM me if you need any help.

Regards
meepokman
 

mich_2103

New Member
Jul 26, 2003
193
0
0
35
Visit site
#8
meepokman said:
Hi Michelle,

you can try doing this:

Use someone's comp to go onto the internet. Go to Symantec's website and download the virus removal tool for both GAOBOT & SASSER.

Save them in a diskette and then run them on your comp.

It should work.

PM me if you need any help.

Regards
meepokman
Hi meepokman,
I have downloaded the virus removal tool from Symantec's website for both GAOBOT and SASSER to my laptop. I tried running them on my laptop but they just told me they did not find any worms/viruses in my laptop.

Funny thing is the moment I activate my internet connection after I restart my computer, this stupid countdown timer thingy pops up again. So obviously, there is still a virus/worm inside my laptop.

ARRGHH!!!!!! :angry:

Pissed off,
-Michelle- ;(
 

mich_2103

New Member
Jul 26, 2003
193
0
0
35
Visit site
#9
A70 said:
Microsoft will never email anyone to with an update patch. That was a virus/worm at work, masquerading as Microsoft, to get unknowing users to click on the link/attachment to activate it.
Hi,
I didn't exactly receive an email from Microsoft. It's just the message after I finished running the virus removal tool from Symantec for the GAOBOT worm. They told me my system is vulnerable and the GAOBOT virus can come in different variants, especially for this RPC thingy, and gave me the Microsoft website and asked me to download the service pack from there.

Sian man... This stupid worm thingy... :cry:

Irritated,
-Michelle-
 

DarkForce

Senior Member
May 1, 2004
1,971
0
0
newbie land
#10
mich_2103 said:
Hi meepokman,
I have downloaded the virus removal tool from Symantec's website for both GAOBOT and SASSER to my laptop. I tried running them on my laptop but they just told me they did not find any worms/viruses in my laptop.

Funny thing is the moment I activate my internet connection after I restart my computer, this stupid countdown timer thingy pops up again. So obviously, there is still a virus/worm inside my laptop.

ARRGHH!!!!!! :angry:

Pissed off,
-Michelle- ;(
Hi mich_2103,

Are u using XP or WinME? How does the countdown screen look like , say the type of message appear in the dialog box

Maybe you could do a free full system scan from

http://us.mcafee.com/root/mfs/default.asp?cid=9914

once you find out the correct virus name then get the correct tools to kill it :D
 

#11
mich_2103 said:
Hi,
I didn't exactly receive an email from Microsoft. It's just the message after I finished running the virus removal tool from Symantec for the GAOBOT worm. They told me my system is vulnerable and the GAOBOT virus can come in different variants, especially for this RPC thingy, and gave me the Microsoft website and asked me to download the service pack from there.

Sian man... This stupid worm thingy... :cry:

Irritated,
-Michelle-
from http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html ,

Removal using the W32.Sasser Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.Worm. This is the easiest way to remove this threat and should be tried first.

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


1. End the malicious process.
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan and delete all the files detected as W32.Sasser.Worm.
5. Reverse the change made to the registry.
 

mich_2103

New Member
Jul 26, 2003
193
0
0
35
Visit site
#12
DarkForce said:
Hi mich_2103,

Are u using XP or WinME? How does the countdown screen look like , say the type of message appear in the dialog box

Maybe you could do a free full system scan from

http://us.mcafee.com/root/mfs/default.asp?cid=9914

once you find out the correct virus name then get the correct tools to kill it :D
Hi DarkForce,
Like what Barrios described, it said something about "NT Authority" and something "Isass.exe" thingy. Then it has this 1 minute timer thingy that starts counting down. I believe this is the work by the SASSER virus.

But it can also come in other variants for the pop-up timer. There's also another kind that tells me something about my RPC in the dialog box. I believe this is the GAOBOT worm's at work.

Sadly, my Norton can detect them, but cannot repair them. Now even worse - can't even quarantine them so I have to resort into deleting the affected files.

Sigh... any IT/computer gurus out there have any other alternative to rid this stupid thing?

Desperate,
-Michelle-
 

#13
mich_2103 said:
Hi DarkForce,
Like what Barrios described, it said something about "NT Authority" and something "Isass.exe" thingy. Then it has this 1 minute timer thingy that starts counting down. I believe this is the work by the SASSER virus.

But it can also come in other variants for the pop-up timer. There's also another kind that tells me something about my RPC in the dialog box. I believe this is the GAOBOT worm's at work.

Sadly, my Norton can detect them, but cannot repair them. Now even worse - can't even quarantine them so I have to resort into deleting the affected files.

Sigh... any IT/computer gurus out there have any other alternative to rid this stupid thing?

Desperate,
-Michelle-
for your Gaobot virus,

Removal using the Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.HLLW.Gaobot.ADX. This is the preferred method in most cases.


Manual Removal
Perform a manual removal if you cannot obtain the tool.

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


1. Disable System Restore (Windows Me/XP).
2. Restart the computer in Safe mode or VGA mode.
3. Reverse the changes made to the registry.
4. Update the virus definitions.
5. Run a full system scan and delete all the files detected as W32.Gaobot.ADX.
 

yaoxing

Senior Member
Feb 16, 2003
687
0
16
42
Bedok, Singapore
Visit site
#14
mich_2103 said:
Hi meepokman,
I have downloaded the virus removal tool from Symantec's website for both GAOBOT and SASSER to my laptop. I tried running them on my laptop but they just told me they did not find any worms/viruses in my laptop.

Funny thing is the moment I activate my internet connection after I restart my computer, this stupid countdown timer thingy pops up again. So obviously, there is still a virus/worm inside my laptop.

ARRGHH!!!!!! :angry:

Pissed off,
-Michelle- ;(
Disable your System Restore and boot into safe mode before scanning.
 

Jan 23, 2002
708
3
18
Visit site
#15
Dont forget that the source of your infection is that you probably dont have the Microsoft security patch MS04-11, 12 and 14. The virus will reinfect your system even if you kill it without patching the hole in Win 2K, XP etc. Easiest way to get the MS patches is to visit windowsupdate site and download them.
 

Barrios

Senior Member
May 19, 2002
715
0
16
57
Visit site
#16
It had been an eventful Sunday for me. Struck by variants of Gaobot twice in one day and Sasser too :sweat: How come didn't strike 4-D :dunno: I managed to get rid of them all and get my PC working normally again but not forgetting to update my security updates this time around. My experience was that the virus (don't know which one) not only shut down my NAV but also stopped me from going online too. Damn it big time! :blah: Lucky for me I have another good old Pentium 2 beside my P4 and my P2 actually saved the day.

What I did was I downloaded 3 removal tools from Symantec using my P2 - FxGaobot, FxGaobotUJ and FxSasser - and ran them on my P4. Sasser was immediately removed but Gaobot was not detected at all (probably of the variants). But I still couldn't enable my NAV 2003 program. Next, I re-booted my PC in "safe mode" and ran the NAV, thank goodness it worked. This time it managed to detect 2 files but deleted only 1 and quarantined 1 (the "hosts" file). Feeling uneasy with the quarantine thingy, I manually deleted the "hosts" file and patch it back using the "hosts" file copied from my P2. (The "hosts" file is responsible for getting online, without it no can do). Re-booted my P4 in normal mode....wa lah....I'm online. :bsmilie:
 

kenghor

New Member
Aug 17, 2002
607
0
0
#17
How to disable System Restore?

Also, since my system already kenna infected, how to go about installing antivirus? (Just delete the software cos it kept prompting me to renew).

Got no floppy disk, only CD ROM. Do I've to create a bootable CD first?

I think i've enabled firewall but now I can't even connect to the net.

Help....!
 

MatthewSCL

New Member
Apr 22, 2002
761
0
0
Central
#18
Damn!!!,,,I Gana also..

and i notice i got it when i was doing a windows update...read from some where that the virus attacks the windows update patches for itself...so how to patch when the patch also gana virus.....?????
 

Barrios

Senior Member
May 19, 2002
715
0
16
57
Visit site
#19
kenghor said:
How to disable System Restore?

Also, since my system already kenna infected, how to go about installing antivirus? (Just delete the software cos it kept prompting me to renew).

Got no floppy disk, only CD ROM. Do I've to create a bootable CD first?

I think i've enabled firewall but now I can't even connect to the net.

Help....!
If yours is XP, cannot do any installation in Safe Mode. Else, go to Safe Mode and do it. Internet access is blocked by Gaobot cos it has changed your hosts.
 

innovas1

New Member
Jun 6, 2003
377
0
0
SG
#20
kenghor said:
How to disable System Restore?

Also, since my system already kenna infected, how to go about installing antivirus? (Just delete the software cos it kept prompting me to renew).

Got no floppy disk, only CD ROM. Do I've to create a bootable CD first?

I think i've enabled firewall but now I can't even connect to the net.

Help....!
disabling system restore:
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
 

Status
Not open for further replies.
Top Bottom