RE: sasser
From: TJ Campana [MSFT] (tcampana_at_online.microsoft.com)
Date: 05/03/04
- In reply to: tom: "sasser"
Date: Mon, 03 May 2004 18:17:27 GMT
>sasser has disabled me from starting windows and will not let me access the hard drive. Is there any cure that can be executed from a dos prompt?
>
Unplug this system from the network. Try to boot it now and see where we are. It sounds like the worm is hitting you right off the bat when the system
boots! Then you can follow the steps below to get yourself in a state that will allow you to connect to Microsoft to download the patches and the cleaner
tool.
If you are running XP you can use the Internet Connection Firewall to protect your system while you access the Microsoft Site. For more information on
this you can go to the help file on the XP System. To prevent the system from rebooting you will have to unplug it from the network while you enable the
firewall. Once the firewall is up you should be good to go!
If you are running Windows 2000 then you will first have to unplug the system from the network to prevent the system reboots. Next create a read only
copy of the following file dcpromo.log in the %systemroot%\debug directory. You can do this with the following two commands at the DOS prompt:
echo dcpromo >%systemroot%\debug\dcpromo.log
&
attrib +R %systemroot%\debug\dcpromo.log
This will stop the system from rebooting long enough for you to download the MS04-011 patch and the cleaner tool. Please patch then clean!
Cleaner Tool Location:
http://www.microsoft.com/security/incident/sasser.asp
Patch location:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Creating the dcpromo.log file should prevent the rebooting of the system in either case, but you will only be protected if you patch the system and then
clean it using the latest cleaner from our site. The current cleaner cleans variants A and B with an updated cleaner expected out later today to deal with C
& D variants.
T.J. Campana [MSFT]
Microsoft EPS Networking
-- This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.