McAfees write up (SasserWorm)

Post #153,431 by dmarker 5/2/04 8:59:20 PM 5/2/04 9:11:18 PM Reply	McAfees write up (SasserWorm) [link\|http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008\|http://us.mcafee.com...on&virus_k=125008] This is an extract ... >>> Indications of Infection The virus copies itself to the Windows directory as avserve2.exe and creates a registry run key to load itself at startup HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\ CurrentVersion\\Run "avserve2.exe" = C:\\WINDOWS\\avserve2.exe As the worm scans random ip addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996. A file named win2.log is created on the root of the C: drive. This file contains the IP address of the localhost. Copies of the worm are created in the Windows System directory as #_up.exe. Examples c:\\WINDOWS\\system32\\11583_up.exe c:\\WINDOWS\\system32\\16913_up.exe c:\\WINDOWS\\system32\\29739_up.exe A side-effect of the worm is for LSASS.EXE to crash, by default such system will reboot after the crash occurs. The following Window may be displayed: <<< They have an infection remover Doug #2 Added manual removal data Manual Removal Instructions To remove this virus "by hand", follow these steps: 1 Reboot the system into Safe Mode (hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode. 2 Delete the file AVSERVE2.EXE from your WINDOWS directory (typically c:\\windows or c:\\winnt) 3 Edit the registry Delete the "avserve2" value from HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\ Windows\\CurrentVersion\\Run 4 Reboot the system into Default Mode Edited by dmarker May 2, 2004, 09:11:18 PM EDT McAfees write up (SasserWorm) [link\|http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008\|http://us.mcafee.com...on&virus_k=125008] This is an extract ... >>> Indications of Infection The virus copies itself to the Windows directory as avserve2.exe and creates a registry run key to load itself at startup HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run "avserve2.exe" = C:\WINDOWS\avserve2.exe As the worm scans random ip addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996. A file named win2.log is created on the root of the C: drive. This file contains the IP address of the localhost. Copies of the worm are created in the Windows System directory as #_up.exe. Examples c:\WINDOWS\system32\11583_up.exe c:\WINDOWS\system32\16913_up.exe c:\WINDOWS\system32\29739_up.exe A side-effect of the worm is for LSASS.EXE to crash, by default such system will reboot after the crash occurs. The following Window may be displayed: <<< They have an infection remover Doug Collapse All History
Post #153,433 by ChrisR 5/2/04 9:02:40 PM Reply	Kill the registry entry first and then reboot
Post #153,434 by boxley 5/2/04 9:04:19 PM Reply	problem is those files dont exist on my box or in registry but I still get the reboots. Will take it into work and have IT re-farc it. wierd, thanx, bill attempting to explain profiling doesn't require one to take a position for or against it any more than attempting to explain gravity requires one to be for or against gravity. Walter Williams questions, help? [link\|mailto:pappas@catholic.org\|email pappas at catholic.org]
Post #153,538 by Silverlock 5/3/04 4:10:08 PM Reply	Get the patch Installing the patch will keep the system from booting allowing you to update your other patches and anitvirus. [link\|http://www.microsoft.com/downloads/details.aspx?FamilyID=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en\|Here] ----------------------------------------- It is much harder to be a liberal than a conservative. Why? Because it is easier to give someone the finger than it is to give them a helping hand. Mike Royko

Welcome to IWETHEY!