Post #1 | May 2 2004, 03:57 PM
Security Reporter (Group: Members, Posts: 509, Joined: 10-April 04, From: Roanoke, Virginia, Member No.: 107)
While I hope no one needs this, here are several tools and techniques for removing the Sasser worm. All of these tools are excellent. I prefer the Microsoft Removal Tool instructions (listed first), which include the MS04-011 security patch required to avoid reinfections.

Microsoft Removal Tool
http://support.microsoft.com/?kbid=841720

McAfee Stinger
http://vil.nai.com/vil/stinger/

Symantec Removal Tools
http://www.symantec.com/avcenter/venc/data...moval.tool.html

F-Secure Removal Tools
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt
Before using the tool please read the disinfection instructions from 'f-sasser.txt'.

Trend Micro Removal Tools
http://www.trendmicro.com/download/dcs.asp

Microsoft - Manual Disinfection
To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the "avserve2.exe" process, then delete the file AVSERVE2.EXE from your Windows directory and reboot.
Steps from Microsoft's site (includes test button and tools):
http://www.microsoft.com/security/incident/sasser.asp
Manual Removal steps for Technical Users
http://www.microsoft.com/technet/Security/alerts/sasser.mspx

NETWORK LSASS SCANNING TOOLS

eEye offers a free network scanning tool -- As a service to the network security community, eEye has announced the availability of a free tool to scan network computers and detect if any are vulnerable to the "Sasser.A" worm currently circulating worldwide. The tool allows administrators to quickly identify vulnerable workstations that do not contain the patch required to protect from the attack, and it provides information on where to locate the patch made available from Microsoft.
Download the FREE Retina Sasser Audit Tool here:
http://www.eeye.com/html/Research/Tools/Do...le=RetinaSasser

This free tool from Foundstone identifies workstations with unpatched MS04-011 LSASS vulnerabilities.
Foundstone DSSCAN tool
http://www.foundstone.com/resources/proddesc/dsscan.htm

This post has been edited by harrywaldron: May 2 2004, 03:58 PM
Post #2 | May 2 2004, 04:01 PM
helping hand (Group: Members, Posts: 1,700, Joined: 14-April 04, From: Texas, Member No.: 150)
Thank you for the warning. It seems like it is spreading quickly, as I have seen them talking about it on the news.
Well done!
Post #3 | May 5 2004, 08:49 AM
Security Reporter (Group: Members, Posts: 509, Joined: 10-April 04, From: Roanoke, Virginia, Member No.: 107)
Microsoft is hosting the Sasser cleanup tool on Windows Update.

Over 1.5 MILLION users cleaned by WU alone according to this article:
http://www.incidents.org/diary.php?date=2004-05-04

QUOTE
Some numbers about Sasser:
* According to Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.
* The Internet Storm Center numbers are close to Microsoft:
  - 500k on May 1st
  - 700k on May 2nd

This post has been edited by harrywaldron: May 5 2004, 08:49 AM
Post #4 | May 6 2004, 10:54 AM
Guru at being a Newbie (Group: HJT Team, Posts: 5,916, Joined: 8-April 04, Member No.: 96)
Kaspersky Labs has just added a removal tool:

QUOTE
Kaspersky Labs, a leading information security software developer, now has a free utility to remove the network worm Sasser.
http://www.viruslist.com/eng/alert.html?id=1437429

The utility can be downloaded from ftp://ftp.kaspersky.com/utils/clrav/.
Post #5 | May 7 2004, 03:38 PM
Member (Group: Members, Posts: 38, Joined: 5-April 04, From: TX, Member No.: 81)
My project is US military wide and we didn't have a clue what was happening for about an hour. Every single military site we have a box at got hit all at the same time. It was weird.

This post has been edited by dudeman: May 7 2004, 03:38 PM
Post #6 | May 7 2004, 04:23 PM
Plimsol (Guests)
Yeah, I found getting rid of Sasser extremely easy and painless.
End the process, attrib -r, and delete.
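The manual procedure from post #1 (apply MS04-011, kill avserve2.exe, delete the file from the Windows directory, reboot) and Plimsol's shorter version above (end the process, attrib -r, delete) as one cmd.exe batch file. This is an added example, not code from Microsoft or from anyone in the thread. It assumes Windows XP/2000 cmd.exe; that the MS04-011 hotfix, which ships as KB835732, leaves its uninstall folder %WINDIR%\$NtUninstallKB835732$ behind (that folder is missing if someone cleared uninstall data, so treat a miss as "check by other means", not as proof the patch is absent); and that taskkill (XP Pro) or tskill (XP Home) is available. The file name avserve2.exe is the one the thread gives; other Sasser variants drop differently named files, so check the vendor write-ups for the variant you have.

```batch
@echo off
setlocal

rem Added example, not from the thread. Cleans a Sasser infection in the order
rem post #1 gives: patch first, then stop the process, then remove the file.
rem Assumption: Windows XP/2000, run from an administrator cmd.exe prompt.

set WORM=avserve2.exe
set WORMPATH=%WINDIR%\%WORM%
rem Assumption: MS04-011 installed as KB835732 leaves this uninstall folder.
set PATCHMARK=%WINDIR%\$NtUninstallKB835732$

rem 1. Refuse to clean an unpatched box. Deleting the file does nothing
rem    useful if the LSASS hole is still open: it is re-exploited as soon
rem    as the machine is reachable on the network again. Get the patch on
rem    from offline media or from behind a firewall, then rerun this.
if not exist "%PATCHMARK%" (
    echo MS04-011 ^(KB835732^) uninstall folder not found: patch first.
    echo If you are sure the patch is installed, verify via Add/Remove Programs.
    exit /b 1
)

rem 2. End the running worm process (Task Manager step from post #1).
rem    taskkill is XP Pro only; tskill is what XP Home has and takes the
rem    name without .exe. Either failing just means the process is not running.
taskkill /F /IM %WORM% >nul 2>&1 || tskill avserve2 >nul 2>&1

rem 3. Clear the attributes and delete (Plimsol's "attrib -r, and delete").
rem    -h and -s are cleared as well so del does not silently skip the file.
if exist "%WORMPATH%" (
    attrib -r -h -s "%WORMPATH%"
    del /f /q "%WORMPATH%"
)

rem 4. Verify. A file that will not delete is almost always still open by a
rem    running copy; reboot and rerun rather than fighting it.
if exist "%WORMPATH%" (
    echo %WORMPATH% is still present, probably still running. Reboot and rerun.
    exit /b 2
)

echo %WORM% removed. Reboot now, then run one of the vendor removal tools
echo from the thread to confirm nothing was missed.
endlocal
exit /b 0
```

The patch check is deliberately first and fatal: the point of the thread, and of the Microsoft tool being listed first, is that removal without MS04-011 only buys you minutes.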
Post #7 | May 7 2004, 04:25 PM
Bleep Bleep! (Group: Admin, Posts: 31,509, Joined: 24-January 04, From: USA, Member No.: 3)
Same here. Wasn't too bad.

What I have found though, are a lot of clients getting hacked to bits with the lsass exploit. Just yesterday I cleaned up a client that had been hacked... and the hacker was running an autohacker for the lsass exploit. His scan file showed 750 vulnerable systems. Needless to say, my client got a good kick in the butt for not updating.