  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
2 edits | MS releases Sasser worm variant removal tool
Worm symptoms, the tool and instructions are here: A tool is available to remove the Sasser worm variants »support.microsoft.com/?kbid=841720
(DonnaB discovered the link. I thought it deserved the visibility of its own topic. )
Make sure you also run Windows Update to get the 835732 (MS04-011) security update that prevents getting this infection.
In fact, install all "Critical Fixes and Service Packs" that "Windows Update" suggests. (Ignore updates in other categories unless you really need them.)
More simple MS security steps here: »www.microsoft.com/security/protect/ |
|
  keith2468 Premium,MVM join:2001-02-03 Winnipeg, MB
4 edits | First go here and follow Microsoft's recommended
First, go here and follow Microsoft's recommended actions step-by-step here: »www.microsoft.com/security/incid···sser.asp
(Note that the first step is not removing the worm. You need to take 2 steps to prevent immediate re-infection first.)
More on Sasser variants here: »isc.sans.org/diary.php
If there is a continuing problem, it may be something else. Follow the steps here: »Security »I think my computer is infected or hijacked. What should I do? |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| Re: First go here and follow Microsoft's recommende
Cool... I downloaded the MS removal tool, the Symantec removal tool, the F-Secure removal tool, plus the MS04-011 patches, and made several CD copies. I'm all set for the carnage that I'm sure I'll walk into at work tomorrow. -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend. |
|
 shawn01
join:2004-02-26 Summerfield, FL | so wins 98 isn't affected by this sasser virus |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| Windows 95/98/98SE/ME are not vulnerable to this attack, first off because Sasser targets port 445 SMB. On the older versions of Windows this functionality sits on 339 and is different enough to be exempt from this attack, but of course there are attacks designed for these vulnerable older systems as well.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  sheepexplode Premium join:2002-06-02 Duality clubs: | reply to keith2468 Re: MS releases Sasser worm variant removal tool
Has anyone come up with a command line scanner for Sasser? -- »Security »I think my computer is infected or hijacked. What should I do? |
|
  Name Game Premium join:2002-07-07 North Myrtle Beach, SC
| said by sheepexplode : Has anyone come up with a command line scanner for Sasser?
Did you try F-Prot and Symantec?
1.2 Command-Line Scanner Command-line scanners are currently the most common scanners available for UNIX. In addition to all the basic functions of a virus scanner, the F-Prot Antivirus Command-Line Scanner can be scheduled to perform scans using cronjobs. The F-Prot Antivirus Command-Line Scanner can be used with a third party application. Simple, yet secure, the F-Prot Antivirus Command-Line Scanner is an ideal solution for individual workstations.
By default the Command-line scanner scans by file-type and reports to STDOUT; it only lists files which are found to be infected.
W32.Sasser Removal Tool Available command-line switches for this tool
»securityresponse.symantec.com/av···ool.html -- Gladiator Security Forum »www.gladiator-antivirus.com/ Missing Kids http://www.missingkids.com/ |
|
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
·Shaw
| reply to Link Logger Re: First go here and follow Microsoft's recommende
said by Link Logger : On the older versions of Windows this functionality sits on 339 and is different enough to be exempt from this attack
Typo as that should be '139'.
Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel |
|
  sheepexplode Premium join:2002-06-02 Duality clubs:
| reply to Name Game Re: MS releases Sasser worm variant removal tool
said by Name Game : said by sheepexplode : Has anyone come up with a command line scanner for Sasser?
Did you try F-Prot and Symantec?
1.2 Command-Line Scanner Command-line scanners are currently the most common scanners available for UNIX. In addition to all the basic functions of a virus scanner, the F-Prot Antivirus Command-Line Scanner can be scheduled to perform scans using cronjobs. The F-Prot Antivirus Command-Line Scanner can be used with a third party application. Simple, yet secure, the F-Prot Antivirus Command-Line Scanner is an ideal solution for individual workstations.
By default the Command-line scanner scans by file-type and reports to STDOUT; it only lists files which are found to be infected.
W32.Sasser Removal Tool Available command-line switches for this tool
»securityresponse.symantec.com/av···ool.html
I am looking for something I can use to scan our network. eEye has one that you can scan a class C subnet, but I want to scan an A subnet.
Thanks -- »Security »I think my computer is infected or hijacked. What should I do? |
|
 kpatz MY HEAD A SPLODE Premium join:2003-06-13 Manchester, NH
| reply to sheepexplode said by sheepexplode : Has anyone come up with a command line scanner for Sasser?
F-Secure has a Sasser removal tool that can be run from a command line:
»ftp://ftp.f-secure.com/anti-virus/tool···sser.zip -- Robert Tappan Morris, Jr., got six months in jail for crashing 10% of the computers that Bill Gates made $100 million crashing last weekend. |
|
  Mahanri
@af.mil
| reply to sheepexplode FoundStone has a scanner. It's good, and really fast. Go here to get it:
»www.foundstone.com/index.htm?sub···scan.htm |
|
 ferchl
join:2004-05-10 New York, NY
| reply to keith2468 I wrote a script to automate the Microsoft-recommended Sasser removal steps. It's helped me to fix infected computers a little faster. Anyone interested can grab a copy here:
»users.rcn.com/ferchl/Sasser-Fix.exe
Comments and/or suggestions for improvement are most welcome. Note: You can open and examine the file with WinZip. It's just a VBScript file and a few utilities. |
|