RE: sasser worm

From: TJ Campana [MSFT] (tcampana_at_online.microsoft.com)
Date: 05/03/04


Date: Mon, 03 May 2004 19:41:08 GMT


>After installing the windows updates and rebooting, my computer continues to
>exhibit the lsass.exe errors tied to sasser. The removal tools for sasser
>from symantec and mcafee have not detected sasser at all. Are there any
>other problems that could cause the aforementioned lsass.exe errors?
>
>
>
Patching the system is step 1. Now to clean the system. You can use the cleaner tools at the following Microsoft site to accomplish the clean of the worm.

http://www.microsoft.com/security/incident/sasser.asp

This tool is to be updated ASAP to deal with all variants of the sasser worms (A-D) sometime today. If the system(s) in question are patched then you can
scan with this tool. If this tool does not come up with anything then you can implement the workaround until the scan tools can be updated. To work around
this issue follow the instructions below:

Create a read-only copy of the following file "dcpromo.log" in the %systemroot%\debug directory. You can do this with the following two commands at the
DOS prompt:

echo dcpromo >%systemroot%\debug\dcpromo.log

&

attrib +R %systemroot%\debug\dcpromo.log

This will stop the system from rebooting long enough for you to download the MS04-011 patch and the cleaner tool. Please patch then clean!

T.J. Campana [MSFT]
Microsoft EPS Security

-- 
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at 
http://www.microsoft.com/info/cpyright.htm 
Note:  For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.  

