Seems to be a common problem.
Check [link|http://www.annoyances.org/exec/forum/win2000/t1082093719|this] thread at annoyances.org

HTH.

Cheers,
Scott.
Must be a lot of concerned users - server too busy ...

Tried going to the linked site but keep getting message that there are more users linking in than it can service.

On a similar vein (the virus) ...
Today I had a new cable service installed (having moved back home found that my former adsl service can't be implemented at home location). The installer put the wires in but was unable to do the registration because the service's main server is out of action. The service is through Australia's largest ISP (Telstra). Wife says it is also on the news that Telstra is impacted by this new virus.

Hope you get it sorted out ok Box, also if you can figure out how it got thru to you, pls also add detail.

Doug M
my understanding is that it hits an unpatched port
via tcp and overflows a buffer. It then ftp's the actual virus to the local box and propagates.
thanx,
bill
attempting to explain profiling doesn't require one to take a position for or against it any more than attempting to explain gravity requires one to be for or against gravity. Walter Williams
questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
McAfee's write-up (SasserWorm)
[link|http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008|http://us.mcafee.com...on&virus_k=125008]

This is an extract ...

>>>
Indications of Infection

The virus copies itself to the Windows directory as avserve2.exe and creates a registry run key to load itself at startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve2.exe" = C:\WINDOWS\avserve2.exe

As the worm scans random IP addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win2.log is created on the root of the C: drive. This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe

A side-effect of the worm is for LSASS.EXE to crash; by default such a system will reboot after the crash occurs. The following window may be displayed:
<<<

They have an infection remover

Doug

#2 Added manual removal data

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1. Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).
2. Delete the file AVSERVE2.EXE from your WINDOWS directory (typically c:\windows or c:\winnt).
3. Edit the registry: delete the "avserve2" value from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. Reboot the system into Default Mode.
Edited by dmarker May 2, 2004, 09:11:18 PM EDT
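As an added example (not from this thread or from McAfee), a small Python checker that applies the indicators quoted above to a snapshot of a host: a list of file paths, the values under the Run key, and the TCP ports in LISTEN state. The sample snapshot is constructed, and the threshold of three consecutive listeners from port 1068 is an assumption.

```python
import re

# Indicators from the quoted McAfee write-up (not constructed).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPER = "avserve2.exe"                      # copied into the Windows directory
COPY_RE = re.compile(r"\\system32\\\d+_up\.exe$", re.IGNORECASE)  # #_up.exe copies
LOG_FILE = r"c:\win2.log"                     # holds the local IP address
LISTENERS = {5554: "FTP server", 9996: "remote shell"}
SCAN_PORT_START = 1068                        # successive ports opened while scanning

def find_sasser_indicators(files, run_values, listening_ports):
    """Return findings for the Sasser indicators present in a host snapshot.
    files: paths on disk; run_values: name -> data under the Run key;
    listening_ports: TCP ports in LISTEN state."""
    findings = []
    for path in files:
        low = path.lower()
        if low.endswith("\\" + DROPPER):
            findings.append(f"dropper on disk: {path}")
        elif COPY_RE.search(path):
            findings.append(f"worm copy in system32: {path}")
        elif low == LOG_FILE:
            findings.append(f"log written by worm: {path}")
    for name, data in run_values.items():
        if name.lower() == DROPPER or data.lower().endswith(DROPPER):
            findings.append(f"persistence: {RUN_KEY} {name!r} = {data}")
    ports = set(listening_ports)
    for port, role in LISTENERS.items():
        if port in ports:
            findings.append(f"worm {role} listening on TCP {port}")
    # A long unbroken run of listeners climbing from 1068 is the scanner's tell;
    # the threshold of 3 is an assumption, not from the write-up.
    run_len = 0
    while SCAN_PORT_START + run_len in ports:
        run_len += 1
    if run_len >= 3:
        findings.append(f"{run_len} consecutive listeners from TCP {SCAN_PORT_START}")
    return findings

# Constructed sample snapshot of an infected host (not real telemetry).
SAMPLE_FILES = [r"C:\WINDOWS\avserve2.exe", r"C:\WINDOWS\system32\11583_up.exe",
                r"C:\WINDOWS\system32\notepad.exe", r"C:\win2.log"]
SAMPLE_RUN = {"avserve2.exe": r"C:\WINDOWS\avserve2.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_PORTS = [135, 445, 1068, 1069, 1070, 1071, 5554, 9996]

if __name__ == "__main__":
    for finding in find_sasser_indicators(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_PORTS):
        print(finding)
```

Feed it the output of a directory listing, the Run key export and `netstat -an` from the suspect box; a clean host returns an empty list.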
Kill the registry entry first and then reboot
problem is those files don't exist on my box or in registry
but I still get the reboots. Will take it into work and have IT re-farc it.
weird,
thanx,
bill
attempting to explain profiling doesn't require one to take a position for or against it any more than attempting to explain gravity requires one to be for or against gravity. Walter Williams
questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
Get the patch
Installing the patch will keep the system from rebooting, allowing you to update your other patches and antivirus.

[link|http://www.microsoft.com/downloads/details.aspx?FamilyID=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en|Here]
-----------------------------------------
It is much harder to be a liberal than a conservative. Why?
Because it is easier to give someone the finger than it is to give them a helping hand.
Mike Royko