
Sending Sasser worm (inadvertently)


12 replies to this topic

#1 MrsRat

MrsRat

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mississippi,but my heart and soul are home in OHIO!
  • Local time:03:12 AM

Posted 13 May 2005 - 07:31 AM

My computer is Windows XP updated, firewall protected, with updated virus protection. I keep my system running tip top. I didn't know till yesterday that my sister's comp. has no firewall, no updated virus scanner and has never run any Win. XP patches or updates. I sent her an email with an attachment that I scanned before even sending. She never opened the attachment because she said there's not much space on her computer. After replying back to me her computer started going haywire and sending lsa shell export version encountered a problem and of course kept shutting down Windows. I looked it up, found it's a Sasser worm, and tried to help her clean her computer (by phone). She's a mess. We can't access hardly anything due to no available space. We couldn't even shut down system restore so we could run a worm removal. Turns out she's never defragmented either. We did that and it didn't help enough. We searched through her task manager looking under processes to find any Sasser culprits. We didn't find any of the ones mentioned for the Sasser worm but I read that new variants are constantly coming up. I need to find an updated list of the Sasser attachments.
I really need to know...... Did I send her this? I ran a malicious software removal program and scanned my computer but nothing was found. I rescanned the draft of the letter I sent her. Still nothing. I feel terrible because she needs her computer for work and I need to know if I inadvertently did this to her computer!!
I wouldn't want this to ever happen again if I did. Is something hiding on my computer???? Can I send a worm if I don't have one?? We both have Windows XP and DSL.
Thanks in advance to anyone who replies to this post.

Edited by MrsRat, 13 May 2005 - 07:38 AM.

~ Tamara


Be not forgetful to entertain strangers for thereby some have entertained angels unawares.
Hebrews 13:2


 


#2 Leurgy

Leurgy

    Voted most likely


  • Members
  • 3,831 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Collingwood, Ontario, Canada
  • Local time:03:12 AM

Posted 13 May 2005 - 08:48 AM

Download and run the McAfee AVERT Stinger on your computer. It is a special tool to detect and remove some common viruses including the Sasser worm. It has been updated to 5/02/2005 but it's a good tool. According to McAfee again, this worm finds vulnerable computers that don't have a firewall. Don't beat yourself up about this because your sister's computer is wide open and it was only a matter of time before she got something. It's amazing she lasted this long. No doubt she is infested with malware. I've seen unprotected computers come up with in excess of 600 viruses after a half an hour connected to the internet without protection.

Again, don't feel badly. It's not your fault.

When the only tool you own is a hammer, every problem begins to resemble a nail. Abraham Maslo

**** We use our powers for good, not evil ****

 Trying to remove your data from the web is like trying to remove pee from a swimming pool


#3 Herk

Herk

  • Members
  • 1,609 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:S.E. Idaho, USA
  • Local time:04:12 AM

Posted 13 May 2005 - 11:54 AM

Sounds like the first thing she needs to do is get some hard drive space. She needs to delete Temporary Internet files and Windows Temp files if she hasn't already. Temporary Internet Files can be deleted from within Internet Explorer through the Tools -> Internet Options tab. To delete Temp files click Start -> Run and type %temp%, then when the window opens, click on Tools -> Folder Options and under the View tab click on "Show Hidden Files" and uncheck "Hide Protected Operating System Files." Then click Edit and choose "Select All" and press the Delete button. That may free up considerable space, assuming she hasn't been performing any regular maintenance.

Also, she can uninstall programs which are unnecessary or files she no longer needs.

Once she has enough space to work in, she can begin cleaning and installing antivirus and other protections. She also needs to get Windows Updates - she should have been protected against the Sasser worm.

And it's unlikely that you sent it to her, given all the protections you have.

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:12 AM

Posted 13 May 2005 - 12:45 PM

I agree with Herk. Although anything is possible, it is highly unlikely your email infected her.

"She never opened the attachment because she said there's not much space on her computer."

If she never opened the attachment then she didn't get infected from it.

It sounds to me like her problem is a severe lack of disk space and severe neglect. I would have her back up her important data and do a reinstall and start fresh.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#5 MrsRat

MrsRat
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mississippi,but my heart and soul are home in OHIO!
  • Local time:03:12 AM

Posted 14 May 2005 - 02:23 PM

Thanks Everyone!! I downloaded "stinger" and ran it. It came up clean. "whew"
Of course I couldn't leave well enough alone. I ran 3 different online scans. 2 of them come out clean but pc pitstop detected a trojan!!! :thumbsup:
Downloader -yh ??? I thought since McAfee was the only site to detect it, they're probably just saying that to get me to buy their software. LOL "silly me"
I read and rescanned and finally my Norton discovered it - It still took most the night to finally get it off! Thanks again for all your help! You all are great!
*so do you still think I didn't send it to her? :flowers: I hope not! lol *

Edited by MrsRat, 14 May 2005 - 02:58 PM.

~ Tamara


Be not forgetful to entertain strangers for thereby some have entertained angels unawares.
Hebrews 13:2

#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:12 AM

Posted 14 May 2005 - 03:24 PM

Hi Tamara,
I still stick by the statement that it is highly unlikely your email infected her. We know the attachment didn't infect her since she didn't open it. It is possible that the email itself contained an exploit that could have done something if your friend is reading email in html instead of plain text. But if I understand correctly, she would have to have clicked on an infected link, just opening the email wouldn't do it.

Check McAfee's entire description of Downloader-YH:

"Downloaders are not viruses, and as such do not themselves contain any method to replicate. However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

"Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

"Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the Downloader onto the user's system with no user interaction)."

If you wrote the email yourself (i.e., it wasn't forwarded from another source), and it had no infected links, then what you sent isn't to blame for any of her infections--she already had enough of those from an unprotected and unpatched OS/IE.

What may have happened, and this is just a guess, is the email you sent used up the last bit of available disk space.

I'm wondering what you did to clean up your own system--whether or not it was a false positive and which file/s you may have deleted. That is a pretty nasty trojan, and, even tho trojans don't spread themselves in the same way a virus does, this one is root kit based and there may be some other files you need to get rid of. And I'm curious how you got Norton to "see" it.

If you want to get a check up to make sure you are clean, I would strongly suggest you let us look at a HijackThis Log.

Edited by Papakid, 14 May 2005 - 03:26 PM.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#7 MrsRat

MrsRat
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mississippi,but my heart and soul are home in OHIO!
  • Local time:03:12 AM

Posted 14 May 2005 - 04:59 PM

I'm not sure why Norton wasn't picking the trojan up. I have a program that has adware attached to it. Limewire (I hesitated to mention that because once someone hears "limewire" it's case closed, bad bad bad get rid of it.) One of the first things I did was remove limewire and then clear out all adware. Then I even went as far as removing my virus scanner. I ran a trial version of McAfee's Managed VirusScan. It picked up the downloader with a few other files. It cleaned all but one up. (winup2date.dll) I ran it a few times to see if it would get it because deleting a windows/system32 dll is a little too risky for me. I then deleted McAfee and reinstalled my Norton (so the two wouldn't conflict with one another). I ran the updater then I went to the Norton site and tried doing a few updates manually. It's pretty new (downloader -yh) from what I read. I thought maybe it wasn't updated yet. Then I scanned my system and it was there. Norton saw it but couldn't fix it. Desperate times call for desperate measures so I did something I had seen earlier while searching for solutions. It was from the McAfee site in the posts. Here's the address of that site (too long to copy and paste)
http://forums.mcafeehelp.com/viewtopic.php?t=46186

I did download Hijack This, but I didn't need it. Also I wasn't up to figuring out what to remove and not remove. At least right this second. I'm sure I'll check it out later.
After several reboots I'm still virus & trojan free :thumbsup:
This probably seems like I did a lot of unnecessary tinkering - I'm sure there's probably a much easier way but I enjoy trying to troubleshoot and tinker with my pc (that's my baby) until the problem's fixed (or until I have to clear off my hard drive and re-run Windows LOL.)

Edited by MrsRat, 14 May 2005 - 11:53 PM.

~ Tamara


Be not forgetful to entertain strangers for thereby some have entertained angels unawares.
Hebrews 13:2

#8 MrsRat

MrsRat
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mississippi,but my heart and soul are home in OHIO!
  • Local time:03:12 AM

Posted 14 May 2005 - 11:52 PM

You're probably all afraid to respond to my posts now :thumbsup:
For fear :flowers: I might give you a virus. (I hope not)
OK .................. so, I'm a little paranoid now. :trumpet:
Can you blame me ?
~ Tamara


Be not forgetful to entertain strangers for thereby some have entertained angels unawares.
Hebrews 13:2

#9 jgweed

jgweed

  • Members
  • 28,473 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:03:12 AM

Posted 15 May 2005 - 12:04 AM

I don't think anyone can blame you. The WEB is a very unsafe place unless you take precautions about what you download, use the appropriate applications to clean (and prevent) malware.
And the consequences of not taking precautions are becoming more and more serious, from turning your computer into a bot, to identity theft, to making your computer completely useless.
Regards,
John
Whereof one cannot speak, thereof one should be silent.

#10 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:12 AM

Posted 15 May 2005 - 12:19 AM

No, Tamara, not afraid. :thumbsup: Personally I have a lot of comments to make, but at the moment am involved in trying to teach some people how to use HijackThis. For now, I will say that my advice before still stands. I really think it would be to your benefit to post a HijackThis log in our logs forum. Even if it's just to get an all clear.

The file you mentioned is for Virtual Bouncer but is also associated with Qoologic, which is a real PIA. It injects itself into the Windows Explorer process itself which makes the removal procedure fairly complex and it hides itself very well. You may have removed most of the files, but I didn't see you mention cleaning up the registry. And while I admire your desire to figure out the problem and troubleshoot on your own, you did say this:

"Also I wasn't up to figuring out what to remove and not remove."


The HJT Team is trained to figure out how to remove this stuff safely and a lot of it has been figured out already. And you will learn a lot from the experience. Also it is never advisable to try to use HijackThis unless you know exactly what you are doing, especially with an infection like this.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#11 MrsRat

MrsRat
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mississippi,but my heart and soul are home in OHIO!
  • Local time:03:12 AM

Posted 15 May 2005 - 07:39 AM

You're right Papakid, about the file I mentioned, being associated with Qoologic. (Is that why you have six blue boxes under your name and I only have one?) It said it was adware.
Thanks for your advice about running HijackThis. I'll think about posting a log in the log forum. That's not like waving around your personals in front of people is it? No telling what's on there. I'm shy. :thumbsup:
Hum............ :flowers: Clean up my registry? ??
~ I'll be right back ~ :trumpet:

Edited by MrsRat, 16 May 2005 - 02:51 AM.

~ Tamara


Be not forgetful to entertain strangers for thereby some have entertained angels unawares.
Hebrews 13:2

#12 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,663 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:12 AM

Posted 15 May 2005 - 10:11 AM

Tamara, I didn't intend for you to go rooting around in your registry on your own. This is really important. The point I was trying to make was that you may still be infected and what you did was remove files and other steps need to be taken. If you remove Qoologic incorrectly or make a mistake in the registry, you could make your baby unbootable. I'm not trying to make you feel stupid, just be careful and make a backup of the registry before you remove anything.

Basically HijackThis is a combination of a registry editor and startup manager. Just like you always get warnings to be extremely careful before going into the registry, we are extremely careful when using HijackThis and who can help you with it. It is a bit like exposing your PC's undies, but what is the first thing a doctor tells you to do during a check up? It's really not all that bad.

And sorry about the PIA thing--that's slang, not a technical term. It stands for Pain In the A**.

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan


#13 MrsRat

MrsRat
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Location:Mississippi,but my heart and soul are home in OHIO!
  • Local time:03:12 AM

Posted 16 May 2005 - 01:13 AM

Papakid - I knew you didn't mean for me to go rooting around in my computer. "LOL" I was just laughing at myself. I knew exactly what you were saying, and I appreciate all your input. I value any and all advice. It's exciting to hear the suggestions and knowledge everyone is so willing to share. I don't know very much about hackers, viruses, trojans - or the mechanics of my operating system, but rest assured that I do know enough to have a back up disk. I'm sorry, I knew I should have mentioned that. It's never been in my character to be satisfied just knowing "it's broken" or "it doesn't work". I almost always need to know why it's that way and can I fix it instead of having it fixed. It becomes a challenge for me despite my lack of. A few years ago I sat in front of a computer for the first time! I was scared to death to touch it. I knew nothing (even less than I now know LOL). My first computer was such a piece of junk, when it broke down - and it did several times - I had nothing to lose trying to fix it. I'm no stranger to self-induced PC problems, "Big shocker there huh?" - but that's when I first started. I knew when I ran hijack-this it was way over my head. I made that mistake once - and only once - using system mechanic.

Edited by MrsRat, 16 May 2005 - 03:11 PM.

~ Tamara


Be not forgetful to entertain strangers for thereby some have entertained angels unawares.
Hebrews 13:2



