Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Sasser - Removal & Detection Tools


  • Please log in to reply
6 replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:10:41 AM

Posted 02 May 2004 - 03:57 PM

SASSER REMOVAL TOOLS

While I hope no one needs this, here are several tools and techniques for removing the Sasser worm. All of these tools are excellent. I prefer the Microsoft Removal Tool instructions (listed first), which includes the MS04-011 security patch required to avoid reinfections.


Microsoft Removal Tool
http://support.microsoft.com/?kbid=841720


McAfee Stinger
http://vil.nai.com/vil/stinger/


Symantec Removal Tools
http://www.symantec.com/avcenter/venc/data...moval.tool.html


F-Secure Removal Tools
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

Before using the tool please read the disinfection instructions from 'f-sasser.txt'.


Trend Micro Removal Tools
http://www.trendmicro.com/download/dcs.asp



Microsoft - Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the "avserve2.exe" process, then delete the file AVSERVE2.EXE from your Windows directory and reboot.

Steps from Microsoft's site (includes test button and tools):
http://www.microsoft.com/security/incident/sasser.asp

Manual Removal steps for Technical Users
http://www.microsoft.com/technet/Security/alerts/sasser.mspx


NETWORK LSASS SCANNING TOOLS

eEye offers free scanning network tool -- As a service to the network security community, eEye has announced the availability of a free tool to scan network computers and detect if any are vulnerable to the "Sasser.A" worm currently circulating worldwide. The tool allows administrators to quickly identify vulnerable workstations that do not contain the patch required to protect from the attack, and it provides information on where to locate the patch made available from Microsoft.

Download the FREE Retina Sasser Audit Tool here:
http://www.eeye.com/html/Research/Tools/Do...le=RetinaSasser


This free tool from Foundstone identifies workstations with unpatched MS04-011 LSASS vulnerabilities.

Foundstone DSSCAN tool
http://www.foundstone.com/resources/proddesc/dsscan.htm

Edited by harrywaldron, 02 May 2004 - 03:58 PM.


BC AdBot (Login to Remove)

 


#2 JEservices

JEservices

    helping hand


  • Members
  • 1,700 posts
  • OFFLINE
  •  
  • Location:Texas
  • Local time:08:41 AM

Posted 02 May 2004 - 04:01 PM

Thank you for the warning. It seems like it is spreading quickly, as I have seen them talking about it on the news.

Well done!
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#3 harrywaldron

harrywaldron

    Security Reporter

  • Topic Starter

  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:10:41 AM

Posted 05 May 2004 - 08:49 AM

Microsoft is hosting the Sasser cleanup tool on Windows Update.

Over 1.5 MILLION users cleaned by WU alone according this article:

http://www.incidents.org/diary.php?date=2004-05-04

Some numbers about Sasser:

* According Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.

* The Internet Storm Center numbers are close to Microsoft:

- 500k on May 1st
- 700k on May 2nd


Edited by harrywaldron, 05 May 2004 - 08:49 AM.


#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,595 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:41 AM

Posted 06 May 2004 - 10:54 AM

Kaspersky Labs has just added a removal tool:

Kaspersky Labs, a leading information security software developer, now has a free utility to remove the network worm Sasser.
(http://www.viruslist.com/eng/alert.html?id=1437429) The utility can be
downloaded from ftp://ftp.kaspersky.com/utils/clrav/.
(ftp://ftp.kaspersky.com/utils/clrav/)


The thing about people

is they change

when they walk away.--Mipso


#5 dudeman

dudeman

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Location:TX
  • Local time:09:41 AM

Posted 07 May 2004 - 03:38 PM

My project is US military wide and we didn't have a clue what was happening for about an hour. Every single military site we have a box at got hit all at the same time. it was weird. :flowers: blaster wasn't even that bad. it got cleaned off a lot faster and easier than the blaster worm and the welcia. We are all good now. :thumbsup:

Edited by dudeman, 07 May 2004 - 03:38 PM.


#6 Guest_Plimsol_*

Guest_Plimsol_*

  • Guests
  • OFFLINE
  •  

Posted 07 May 2004 - 04:23 PM

Yeah I found getting rid of sasser extremely easy and painless.

End the process, attrib -r , and delete.

#7 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,542 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA

Posted 07 May 2004 - 04:25 PM

Same here. Wasnt too bad.

What I have found though, are a lot of clients getting hacked to bits with the lsass exploit. Just yesterday I cleaned up a client that had been hacked...and the hacker was running an autohacker for the lsass exploit. His scan file showed 750 vulnerable systems.

Needless to say, my client got a good kick in the butt for not updating.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users