RE: sasser worm/virus

From: Harish.G [MSFT] (v-harig_at_online.microsoft.com)
Date: 05/17/04

    Date: Mon, 17 May 2004 21:38:42 GMT


    Hi,

    Follow the instructions given below.

    If you are using Microsoft® Windows® XP or Windows XP Service Pack 1 (SP1) and your computer has been infected by the Sasser worm, you can take these steps to update your software, remove the worm, and help protect against future infections.

    If your computer is infected with the Sasser worm, you may experience one or more of the following symptoms:
    · Your computer performance is decreased or your network connection is slow.
    · You may see a dialog box that contains text that refers to LSA Shell.
    · Your computer may restart every few minutes without user input.

    Step 1: Disconnect from the Internet
    To avoid further problems, disconnect from the Internet:
    · Broadband connection users: Locate the cable that runs from your external DSL or cable modem and unplug that cable either from the modem or from the telephone jack.
    · Dial-up connection users: Locate the cable that runs from the modem inside your computer to your telephone jack and unplug that cable either from the telephone jack or from your computer.

    Step 2: Stop the Shutdown Cycle
    This worm may cause LSASS.EXE to stop responding, which forces the operating system to shut down after 60 seconds. If your computer starts to shut down, follow these steps to abort any system shutdown that may be in progress.
    · On the taskbar at the bottom of your screen, click Start, and then click Run.
    · Type: cmd and then click OK.
    · At the command prompt, type, including spaces:
      shutdown.exe -a
      and then press ENTER.

    Step 3: Mitigate the Vulnerability
    You can temporarily remove the vulnerability that allows the worm to infect your computer by creating a log file.
    Create the log file
    · On the taskbar at the bottom of your screen, click Start, and then click Run.
    · Type: cmd and then click OK.
    · At the command prompt, type, including spaces:
      echo dcpromo >%systemroot%\debug\dcpromo.log
      and then press ENTER.
    Make the log file read-only
    · At the command prompt, type, including spaces:
      attrib +R %systemroot%\debug\dcpromo.log
      and then press ENTER.

    Step 4: Improve System Performance
    If your computer is acting sluggish or if the Internet connection is slow, the worm may be flooding your local network connection. This may make it impossible for you to download and install the required software update. To improve system performance:
    · On the taskbar at the bottom of your screen, click Start, and then click Run.
    · Type taskmgr, then click OK.
    · Select the Process tab.
    · For each of the following tasks that may be listed, click the task to select it, and then click the End Task button to end it:
      · Any task ending with _up.exe (for example, 12345_up.exe).
      · Any task starting with avserve (for example, avserve.exe).
      · Any task starting with avserve2 (for example, avserve2.exe).
      · Any task starting with skynetave (for example, skynetave.exe).
      · hkey.exe
      · msiwin84.exe
      · wmiprvsw.exe
    ***Note: Do not end the wmiprvse.exe task; it is a legitimate system task.

    Step 5: Enable a Firewall
    A firewall is a piece of software or hardware that creates a protective barrier between your computer and the Internet. If your computer has been infected, a firewall will help limit the effects of the worm. Windows XP includes the Internet Connection Firewall (ICF). To turn on ICF:
    · On the taskbar at the bottom of your screen, click Start, and then click Run.
    · Type ncpa.cpl, then click OK.
    · Right-click the Dial-up, LAN, or High-Speed Internet connection that you use to connect to the Internet, and then click Properties from the shortcut menu.
    · On the Advanced tab, under Internet Connection Firewall, select Protect my computer and network, and then click OK. The Windows XP firewall is now enabled.

    Step 6: Reconnect to the Internet
    Plug the cable (referred to in Step 1) back into your computer, telephone jack, or modem.

    Step 7: Install the Required Update
    To help protect your computer against this worm in the future, you must download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. To download security update 835732, go to http://go.microsoft.com/?LinkID=526067

    Step 8: Check For and Remove Sasser
    After you have installed the 835732 (MS04-011) security update and restarted your computer, the computer may continue to generate network traffic and try to spread the worm infection to other vulnerable computers. To check for and remove Sasser from your computer, go to the Web page "What You Should Know About the Sasser Worm and Its Variants" at http://www.microsoft.com/security/incident/sasser.asp. Use the Sasser Worm Removal Tool to search your hard disk for and remove Sasser.A, Sasser.B, Sasser.C, and Sasser.D.

    About Internet Connection Firewall
    The Windows XP Internet Connection Firewall can block useful tasks such as sharing files or printers through a network, transferring files in applications, or hosting multiplayer games. Nonetheless, Microsoft recommends that you use a firewall to help protect your computer.
    If you turn on the Internet Connection Firewall and find that you can't perform some tasks you want to, read "How to Open Ports in the Windows XP Internet Connection Firewall" at http://www.microsoft.com/security/protect/ports.asp.
    If you have more than one computer, want more technical information, or want to learn more about firewalls, read "Frequently Asked Questions About Firewalls" at http://www.microsoft.com/security/protect/firewall.asp.

    If you still have problems resolving this issue, please contact Microsoft at 1-866-PCSafety (1-866-727-2338).

    I am happy to help you. Do let me know your progress on this issue.

    Harish.G

    This posting is provided "AS IS" with no warranties, and confers no rights.
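Added example, not part of Harish's post or any Microsoft tool: a small Python triage script that applies the Step 4 process-name rules to the output of Windows XP's tasklist command (the sample output below is constructed, and the script is assumed to run on a saved copy of that output rather than on the infected machine). It encodes the note that wmiprvse.exe is legitimate and must not be flagged, unlike the lookalike wmiprvsw.exe.

```python
import re

# Constructed sample of `tasklist` output (not a real capture from an infected box)
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
lsass.exe                    668 Console                 0      1,204 K
wmiprvse.exe                1128 Console                 0      4,512 K
avserve2.exe                1604 Console                 0      2,048 K
12345_up.exe                1640 Console                 0      1,100 K
wmiprvsw.exe                1688 Console                 0      1,980 K
explorer.exe                1712 Console                 0     14,300 K
"""

# Process-name rules copied from Step 4 of the post
SUSPECT_EXACT = {"hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}
SUSPECT_PREFIXES = ("avserve", "skynetave")   # "avserve" also matches avserve2
SUSPECT_SUFFIX = "_up.exe"
# Legitimate system process the post warns not to end (one letter off from wmiprvsw.exe)
ALLOWLIST = {"wmiprvse.exe"}


def is_sasser_candidate(name):
    """True if an image name matches one of the Step 4 rules and is not allowlisted."""
    n = name.strip().lower()
    if n in ALLOWLIST:
        return False
    return (n in SUSPECT_EXACT
            or n.startswith(SUSPECT_PREFIXES)
            or n.endswith(SUSPECT_SUFFIX))


def parse_tasklist(text):
    """Return (image name, pid) pairs from the table-style tasklist output."""
    rows = []
    for line in text.splitlines()[2:]:          # skip the header and separator lines
        m = re.match(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+", line)
        if m:
            rows.append((m.group(1).strip(), int(m.group(2))))
    return rows


def triage(text):
    """Return the (name, pid) pairs an operator should review and end manually."""
    return [(n, pid) for n, pid in parse_tasklist(text) if is_sasser_candidate(n)]


if __name__ == "__main__":
    for name, pid in triage(SAMPLE_TASKLIST):
        print(f"suspect: {name} (PID {pid})")
```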