Oh crap, watch out for the Sasser worm! (1 Viewer)

[Gary->dee]

Yesterday evening while using my new notebook computer and attempting to connect to the internet the following box would repeatedly appear on my screen:


I thought, SHIT! I just bought this damn thing and I'm already having problems?? I couldn't download any Microsoft updates because every time I tried connecting the box would appear and give the dreaded countdown to shut down. Finally I wisened up and used the Windows XP restore method in which I could restore my computer back to a certain point in time before I experienced the problem. Once I did that and everything worked fine again I hit Microsoft's site hard and downloaded a bunch of critical/security updates. The problem seemed to be solved.

I was just looking around Yahoo and lo-and-behold, what I experienced was a wicked worm called the Sasser which is apparently spreading like wildfire, especially to unprotected laptops like mine.

So be warned and read up if you think you've been hit or have the chance.

Yahoo's story on Sasser worm.

What you should know about the worm

 

[Scott_MacD]

I know there's a command which stops the shutdown countdown long enough to get the required updates.. To stop those pesky reboots try:
[*]Clicking the start menu[*]Select Run... [*]In the requester type "shutdown /a" (minus the quotes)[/list]That should abort the shutdown and give you enough time to install patches.

If the countdown starts again, repeat as neccessary

 

[Ricardo C]

I already patched my system, updated my virus scanner, and my firewall.

Meanwhile, my brother, whose PC fell victim to Blaster a while back, game me a "meh, I haven't gotten around to it" when I told him about Sasser. I know it's mean, but I hope the little shit gets a scare. Nothing serious, but enough to make him take better care of his (much more expensive than mine) PC.

 

[Gary->dee]

Thanks for the info, Scott.

No doubt that I was hit by the worm. :frowning:

 

[MikeH1]

Its a good idea to go to microsofts website every couple of weeks or so just to check to see what new critical patches are released and what you need. Its easy to, just click on the "update pc", it scans your pc in seconds and lets you know what patches you have or do not have.

Then download!

 

[Gary->dee]

Yeah this incident has opened my eyes to the importance of the 'automatic updates' feature for Windows. I had turned it off because I didn't want to be bothered but now I realize that was a mistake. :b

 

[Mark Dubbelboer]

i used to be wary of windows updates
i thought, meh if it was important it would be in windows already

Now i'm a windows update nazi. I check at least once a week just in case. There's a utility you can download that will use windows task scheduler to automatically tell you/download the latest updates but I hate clutter on my taskbar.

 

[Philip_G]

this is a nasty mofo, it got a few workstations at work, and either it, or something else got one of their servers.

 

[Neal_C]

Yea, my dad got this worm and I had to do tech support with him over the phone for about an hour. He couldn't download the patch from MS before his computer got shutdown, so I had him run antivirus (AVG) and it found 28 files. It could only clean 27 and the other it couldn't do anything with. I was puzzled for a minute, and then it popped in my head to have him pull up task manager. Sure enough there was a process in there utilizing 40 - 50% CPU useage...it was called AVSERV2.EXE. So I had him end that process and rerun antivirus. This time it found 8 files (so this process had corruped 7 more files in just a couple of minutes) and was able to clean them all. Then he got the security updates loaded and is back in business.

I couldn't stress enough that he needed to keep XP and AVG up to date

Neal

 

[Rob Gillespie]

A firewall should stop this, like with Blaster last year.

Anti-Virus, Patch, Firewall. No excuses.


It's easier just to subscribe to Microsoft's email bulletin which will get sent out every time they release a new patch. Patches typically get released on the 10th-15th of each month but they'll put out ones at other times if required.

 

[Drew Bethel]

>>>Now i'm a windows update nazi

 

[Ted Lee]

yep, it's in the SYSTEM applet in the control panel. the tab is called "automatic updates". just check the first box.

 

[Kris McLaughlin]

oh for the love.... looks like I got this thing, too. Problem is, I'm unable to log in to windows to fix it. Any hints? Google has been no help so far.

Also, my box that comes up is slightlty different than Gary's. Mine refers to the file 'services.exe' instead of 'lsass.exe'. Any thoughts?

Man, I love my PowerBook even more today than I did yesterday.

Thanks for any help!

 

[Gary->dee]

I'm just guessing here but is it possible you can use a boot disk to boot your system up and/or start in safe mode? Then you might be able to access certain parts of your computer like possibly anti-virus software or get online for critical updates, etc.

I wish I could be of further help but I'm not an Apple person. But I do feel for you Kris and I wish you luck! Hopefully someone else here more knowledgable can help you out if my suggestions don't work.

 

[JeremySt]

my uncle got it, and he has norton, but we cant seem to get rid of it. we run virus scan, and it finds nothing. also he is running dial up (a problem wich should be fixed soon)

he is in the process of running windows update, hopefully that does something.

Meanwhile, I have zippo antivirus programs, and have yet to be hit by any virus ever. (knock on wood)

 

[Rob Gillespie]

The only thing that will stop the machine keep getting reinfected is the MS04-011 patch.

 

[Philip_G]

No, a firewall doesn't always stop it.
it took them 20 hours to restore everything from the meyham this thing caused.

 

[Ted Lee]

here's the official microsoft bulletin from technet

http://www.microsoft.com/technet/sec.../ms04-011.mspx

 

[Kris McLaughlin]

Well now that was weird... Looks like I may not have had the worm after all. Playing around w/ the PC, I got it to boot in safe mode & ran the norton removal tool, nothing was found. (!?)

So I booted 'er up normally & all was fine. Ran the tool once more just to be sure, but nothing was found again.

Oddly enough, I think something else was screwed up with the system that just happened to be giving me a nearly identical error message w/ reboot.

Thanks for the info everyone, for one reason or another that PC seems to be working again.

 

[Rob Gillespie]

Well, the patch has been available since the middle of April so...