SASSER VIRUS INFO - lsass.exe terminates with an error code

The^Watcher

Post May 2nd, 2004, 8:31 pm

regarding this worm w32/Sasser.A...
If I get infected with it.. besides using a protection... can I get rid of it by reformatting and reinstalling the system?

Post May 3rd, 2004, 12:13 am

I searched the net for the lsass.exe error, and came to this forum, and saw this post of my exact problem. I followed everything that was said to do, but it would seem it didn't do much for my computer; it still comes up with the error after about 20-40 mins and restarts, just to do it again after another amount of time. I've deleted the autostart file from the registry and closed it from the task manager. I've run the Symantec removal tool, and it said I didn't have the virus. I'm downloading an AV, even though I've scanned my computer and that's how I got rid of what I first came upon, which was a file MSBLAST.exe. Can somebody please help me out? I even did a system restore, so I have no programs on my computer, which means it hasn't the updates for Windows, and I can't get them because it takes longer than 20 mins to get them, so I have a small problem there. Thx for your time
Ragnar78

Post May 3rd, 2004, 1:39 am

Hi,

Well actually MSBlaster does the same thing (in a very simplified way) as Sasser; they both shut down your PC.

Now honestly, I suggest you try and grab all the Windows patches through Updates...
Sasser can only be removed by the Norton Removal tool, but it can reinstall itself easily due to a flaw in the Lsass.exe that needs to be patched... so no matter how long you remove it, you will still grab Sasser.

The same goes for MSBlaster... you can remove the processes but you will get it back again due to a flaw in the DCOM RPC that Windows uses...
So if you are attacked with MSBlaster or Sasser, no matter how tough the AV you have, you will still be infected...
Now the only solution I find, since you cannot update correctly, is to set your Firewall to the highest possible security level...
ATNO/TW

Post May 3rd, 2004, 11:17 am

heeheee -- I knew when I read these posts over the weekend I'd be having to fix this on somebody's machine. Sure enough, I'm sitting here with one of our executive's 80-year-old mother's computer with Sasser, Welchia and Blaster on it! *lol I'll let you know how it goes.
"The web is a dominatrix. Every where I turn, I see little buttons ordering me to Submit."
Play sports pools and discuss sports topics at Boasting Rights Sports Forum
Get paid to write articles - www.associatedcontent.com

Post May 3rd, 2004, 5:13 pm

The Sasser is gone!
Thanks guys.
Big outbreak though. It's all over the news.
ATNO/TW

Post May 3rd, 2004, 6:01 pm

There are a couple of key things in avoiding a recurrence.
1) Make sure you have the patch installed. The patch was released April 13 in critical updates and you should install it if you haven't done so already. (You may need to run the worm removal tool first before downloading the patch if you hadn't done so prior)

http://www.microsoft.com/security/secur ... indows.asp

2) The patch should take care of things, but if you are on XP enable the Firewall, or get a firewall program like ZoneAlarm, or use Symantec's or McAfee's Firewall if available.

3) If you are on XP, make sure you disable the "restore" as described in the symantec security response article before running the removal tool.

http://securityresponse.symantec.com/av ... .tool.html

4) In the last 30 days, there have been over 100 viruses/trojans/worms identified. Here are some "best practices" that Symantec recommends:

Quote:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


//added note from what I've been reading today -- if you have a hardware firewall or your company uses a hardware firewall you should be at low risk on Sasser. BTW it appears two more variants appeared over the weekend.

http://www.symantec.com/avcenter/venc/d ... .worm.html
http://www.symantec.com/avcenter/venc/d ... ser.d.html
tyalangan

Post May 3rd, 2004, 6:06 pm

Hi guys. I need some help. I definitely have this Sasser thing going on but the fix-it tool from Microsoft doesn't work. I am not a computer genius in the least - I stumbled across this site trying to find a solution to this problem. If anyone has any tips for me it would be great.

Thanks!
ATNO/TW

Post May 3rd, 2004, 6:12 pm

tyalangan wrote:
Hi guys. I need some help. I definitely have this Sasser thing going on but the fix-it tool from Microsoft doesn't work. I am not a computer genius in the least - I stumbled across this site trying to find a solution to this problem. If anyone has any tips for me it would be great.

Thanks!


What OS? XP or Win2K? Read everything I just posted above you. I gave every detail I found today. The Firewall is particularly important (especially if you are on broadband), because if your ports remain open, the attacking computer may find you again easily and reinstall it.

P.S. Try the removal tool from Symantec. It worked for the one computer I had that was infected:

http://securityresponse.symantec.com/av ... .tool.html
DuckIT
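The advice in the two posts above (patch the LSASS flaw, then keep the firewall up so the attacking machine cannot "find you again") can be checked against the firewall's own log. The following is an added example, not code from the thread or from any tool it mentions; it assumes the W3C-style column layout of the Windows Firewall log (pfirewall.log) with constructed sample lines, and it uses TCP port 445, the port Sasser used to reach LSASS, which the thread itself does not name.

```python
"""Flag external hosts that keep knocking on the LSASS/SMB port (TCP 445).

Added example (not from the thread). Assumed log layout per line:
date time action protocol src-ip dst-ip src-port dst-port ...
"""
from collections import defaultdict

LSASS_PORT = 445  # Sasser reached LSASS over SMB on TCP 445 (public knowledge, not from the thread)

# Constructed sample log lines in the assumed layout; not real traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-05-04 12:00:01 DROP TCP 203.0.113.7 192.168.1.10 1031 445 48 S 1 0 16384 - - - RECEIVE
2004-05-04 12:00:04 DROP TCP 203.0.113.7 192.168.1.10 1032 445 48 S 2 0 16384 - - - RECEIVE
2004-05-04 12:00:09 DROP TCP 203.0.113.7 192.168.1.10 1033 445 48 S 3 0 16384 - - - RECEIVE
2004-05-04 12:00:15 OPEN TCP 192.168.1.10 192.168.1.1 1040 80 - - - - - - - - -
2004-05-04 12:00:20 DROP TCP 198.51.100.9 192.168.1.10 2001 445 48 S 4 0 16384 - - - RECEIVE
2004-05-04 12:00:31 OPEN-INBOUND TCP 203.0.113.7 192.168.1.10 1034 445 - - - - - - - - -
"""


def parse_line(line):
    """Split one log line into a record; comments and short lines yield None."""
    fields = line.split()
    if line.startswith("#") or len(fields) < 8 or not fields[7].isdigit():
        return None
    return {"action": fields[2], "proto": fields[3], "src": fields[4],
            "dst": fields[5], "dport": int(fields[7])}


def lsass_hits(log_text, port=LSASS_PORT):
    """Count, per source IP, TCP attempts on `port` that were dropped vs. let through."""
    hits = defaultdict(lambda: {"dropped": 0, "allowed": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] != port:
            continue
        hits[rec["src"]]["dropped" if rec["action"] == "DROP" else "allowed"] += 1
    return dict(hits)


def suspicious_sources(log_text, min_attempts=3):
    """Sources that hammered the port, or got even one connection through.

    Returns sorted (src_ip, total_attempts, any_allowed). An allowed inbound
    hit on 445 is the "found you again" case the posts warn about."""
    out = []
    for src, c in lsass_hits(log_text).items():
        total = c["dropped"] + c["allowed"]
        if total >= min_attempts or c["allowed"]:
            out.append((src, total, c["allowed"] > 0))
    return sorted(out)
```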

Post May 4th, 2004, 9:02 am

ZoneAlarm is a good free firewall (for personal use) and as long as you're not trying to do anything complicated over the net the default install should be fine. Otherwise it may need some fiddling if you do VPNs or gaming etc. to get it working properly.

A big agree on the Symantec removal tools. Use them all the time. They take forever to run, but work very well.

By the way, this site is number 4 on the list if you do a search in Google for 'Removing Sasser' so you may get a *few* hits to this thread :lol:
aggie

Post May 4th, 2004, 11:13 am

Hello, I have tried deleting the lsass.exe in the running processes window. I am denied access even though I am an administrator. I have also tried running the removal tool I downloaded from Norton. It comes back saying that there is no Sasser on the computer. What am I missing? We have 2 computers with lsass.exe in the running processes, both Windows 2000.
Thanks
Rick
ATNO/TW

Post May 4th, 2004, 12:00 pm

lsass.exe should be running on both computers aggie. That's not the worm. That's the Windows service that the worm tries to exploit. You should be OK.
conorific

Post May 4th, 2004, 1:21 pm

Aggie: lsass.exe is one of them spooky critical system processes. As ATNO/TW said, the worm infects a vulnerability in it. Welcome to Microsoft :x

To everyone else: thank you for replying. I came back here a few days after I started the thread, because I found it on my laptop (gar!) and it came back after I tried to remove it. Good thing I discovered all the info here.

I'm going to run the Symantec tool, download Windows patches and crank up the firewall. I'll let you know if anything else happens.

In the meantime, I've just had the Task Manager open so I can kill inetman.exe and cool.exe when they come up on the list of processes. Works so far.

*le sigh*
conorific

Post May 4th, 2004, 1:37 pm

................Maggie's bewildered!

I ran the Symantec tool, and...behold! I HAVE NO WORM. But five minutes before, NT AUTHORITY killed my computer after 60 seconds.

What the hell happened?
Ragnar78

Post May 4th, 2004, 2:02 pm

Don't question your luck :D
As long as you applied the patch and didn't find the worm... it's good :wink:
conorific

Post May 4th, 2004, 2:07 pm

But that's just it! I didn't do aaaaaaaaanything. Cursèd computers. Whatever.