IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Security Forum / McAfees write up (SasserWorm)
Post #153,431
by dmarker
Picture of dmarker
5/2/04 8:59:20 PM
5/2/04 9:11:18 PM
Reply
New McAfees write up (SasserWorm)
[link|http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008|http://us.mcafee.com...on&virus_k=125008]

This is an extract ...

>>>
Indications of Infection

The virus copies itself to the Windows directory as avserve2.exe and creates a registry run key to load itself at startup

HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\
CurrentVersion\\Run "avserve2.exe" = C:\\WINDOWS\\avserve2.exe
As the worm scans random ip addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win2.log is created on the root of the C: drive. This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:\\WINDOWS\\system32\\11583_up.exe
c:\\WINDOWS\\system32\\16913_up.exe
c:\\WINDOWS\\system32\\29739_up.exe
A side-effect of the worm is for LSASS.EXE to crash, by default such system will reboot after the crash occurs. The following Window may be displayed:
<<<

They have an infection remover

Doug

#2 Added manual removal data

Manual Removal Instructions
To remove this virus "by hand", follow these steps:

1 Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.
2 Delete the file AVSERVE2.EXE from your WINDOWS directory (typically c:\\windows or c:\\winnt)
3 Edit the registry
Delete the "avserve2" value from
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\
Windows\\CurrentVersion\\Run
4 Reboot the system into Default Mode
Expand Edited by dmarker May 2, 2004, 09:11:18 PM EDT
Expand All History
Post #153,433
by ChrisR
5/2/04 9:02:40 PM
Reply
New Kill the registry entry first and then reboot
Post #153,434
by boxley
5/2/04 9:04:19 PM
Reply
New problem is those files dont exist on my box or in registry
but I still get the reboots. Will take it into work and have IT re-farc it.
wierd,
thanx,
bill
attempting to explain profiling doesn't require one to take a position for or against it any more than attempting to explain gravity requires one to be for or against gravity. Walter Williams
questions, help? [link|mailto:pappas@catholic.org|email pappas at catholic.org]
Post #153,538
by Silverlock
5/3/04 4:10:08 PM
Reply
New Get the patch
Installing the patch will keep the system from booting allowing you to update your other patches and anitvirus.

[link|http://www.microsoft.com/downloads/details.aspx?FamilyID=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en|Here]
-----------------------------------------
It is much harder to be a liberal than a conservative. Why?
Because it is easier to give someone the finger than it is to give them a helping hand.
Mike Royko
     got the lsass.exe bug (I think) - (boxley) - (7) - May 2, 2004, 08:12:13 PM EDT
         Seems to be a common problem. - (Another Scott) - (6) - May 2, 2004, 08:28:38 PM EDT
             Must be a lot of concerned users - server to busy ... - (dmarker) - (5) - May 2, 2004, 08:37:17 PM EDT
                 my understanding is that it hits an unpatched port - (boxley) - (4) - May 2, 2004, 08:52:25 PM EDT
                     McAfees write up (SasserWorm) - (dmarker) - (3) - May 2, 2004, 09:11:18 PM EDT
                         Kill the registry entry first and then reboot -NT - (ChrisR) - May 2, 2004, 09:02:40 PM EDT
                         problem is those files dont exist on my box or in registry - (boxley) - (1) - May 2, 2004, 09:04:19 PM EDT
                             Get the patch - (Silverlock) - May 3, 2004, 04:10:08 PM EDT

What. He. Said.
38 ms