Re: Sasser & Blaster problem
From: soups (anonymous_at_discussions.microsoft.com)
Date: 05/25/04
- Next message: Ted: "Free Security CD"
- Previous message: aq-wfecdj: "Re: Why doesn't Microsoft..."
- In reply to: PA Bear: "Re: Sasser & Blaster problem"
- Next in thread: PA Bear: "Re: Sasser & Blaster problem"
- Reply: PA Bear: "Re: Sasser & Blaster problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 25 May 2004 14:44:41 -0700
Thank you. I will definitely do the online scans.
One very last question, and I will be happily (thanks to
you) on my way. The RPC service: should the First failure,
Second failure, and Subsequent failures be "take no
action" or "restart the computer"?
You have been very kind,
soups
>-----Original Message-----
>> Can I safely assume that this means that all is
>> well, or is there another way that I should check?
>
>Prolly but you can try running a couple of the free online scans listed
>at http://aumha.org/secure.php#freeav.
>
>Configure NAV to seek updates and run a full system scan daily at a time
>when the machine is normally running and connected. If necessary, do so
>manually or configure NAV to do so (in that order) at boot.
>
>SysRestore should be re-enabled.
>
>Glad to be able to help.
>--
>~PA Bear
>
>
>soups wrote:
>> Thank you so much, PA Bear. I followed the instructions to
>> the letter, and everything seems to have worked. I was
>> able to download/install/run every update/patch/tool that
>> I needed. Blaster and Sasser were successfully removed
>> according to the tool messages. I also managed to extract
>> Welchia, Randex and Bobax following instructions from
>> Symantec I think it was. What a mess: I would call what I
>> had worse than an infestation.
>> XP Firewall is on, Norton AV is updated and running, and
>> all MS downloads in place. I do, however, have a few more
>> questions if I may take more of your time.
>> I have run the AV, and it no longer finds any infected
>> files. Can I safely assume that this means that all is
>> well, or is there another way that I should check?
>> I take it that I should no enable System Restore again?
>> And return the RPC to the original settings (if I can find
>> the note I made as to what they were)? Anything else I
>> should do?
>> Thank you again very very much,
>> soups
>>
>>> -----Original Message-----
>>> Instructions for patching and cleaning vulnerable Windows 2000 and
>>> Windows XP systems:
>>>
>>> Vulnerable Windows 2000 and Windows XP machines may have the LSASS.EXE
>>> process crash every time a malicious worm packet targets the vulnerable
>>> machine, which can occur very shortly after the machine starts up and
>>> initializes the network stack.
>>>
>>> When cleaning a machine that is vulnerable to the Sasser worm it is
>>> necessary to first prevent the LSASS.EXE process from crashing, which in
>>> turn causes the machine to reboot after a 60 second delay. This reboot
>>> cannot be aborted on Windows 2000 platforms using the Shutdown.exe or
>>> psshutdown.exe utilities and can interfere with the downloading and
>>> installation of the patch as well as removal of the worm.
>>>
>>> 1. To prevent LSASS.EXE from shutting down the machine during the
>>> cleaning process:
>>>
>>> a. Unplug the network cable from the machine.
>>>
>>> b. If you are running Windows XP you can enable the built-in Internet
>>> Connection Firewall using the instructions found here:
>>> http://support.microsoft.com/?id=283673
>>> and then plug the machine back into the network and go to step 2.
>>>
>>> c. If you are running Windows 2000, you won't have a built-in firewall
>>> and must use the following work-around to prevent LSASS.EXE from
>>> crashing. This workaround involves creating a read-only file named
>>> 'dcpromo.log' in the "%systemroot%\debug" directory. Creating this
>>> read-only file will prevent the vulnerability used by this worm from
>>> crashing the LSASS.EXE process.
>>>
>>> i. NOTE: %systemroot% is the variable that contains the name of the
>>> Windows installation directory. For example, if Windows was installed
>>> to the "c:\winnt" directory the following command will create a file
>>> called dcpromo.log in the c:\winnt\debug directory. The following
>>> commands must be typed in a command prompt (i.e. cmd.exe) exactly as
>>> they are written below.
>>>
>>> 1. To start a command shell, click Start and then click Run and type
>>> 'cmd.exe' and press Enter.
>>>
>>> 2. Type the following command:
>>>
>>> echo dcpromo >%systemroot%\debug\dcpromo.log
>>>
>>> For this workaround to work properly you MUST make the file read-only by
>>> typing the following command:
>>>
>>> 3. attrib +R %systemroot%\debug\dcpromo.log
>>>
>>>
>>> 2. After enabling the Internet Connection Firewall or creating the
>>> read-only dcpromo.log you can plug the network cable back in and you
>>> must download and install the MS04-011 patch from the MS04-011 download
>>> link for the affected machine's operating system before cleaning the
>>> system. If the system is cleaned before the patch is installed it is
>>> possible that the system could get re-infected prior to installing the
>>> patch.
>>>
>>> a. Here is the URL for the bulletin which contains the links to the
>>> download location for each patch:
>>> http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
>>>
>>> b. If your machine is acting sluggish or your Internet connection is
>>> slow you should use Task Manager to kill the following processes and
>>> then try downloading the patch again (press the Ctrl + Alt + Del keys
>>> simultaneously and select Task Manager):
>>>
>>> i. Kill any process ending with '_up.exe' (i.e. 12345_up.exe)
>>> ii. Kill any process starting with 'avserv' (i.e. avserve.exe, avserve2.exe)
>>> iii. Kill any process starting with 'skynetave' (i.e. skynetave.exe)
>>> iv. Kill hkey.exe
>>> v. Kill msiwin84.exe
>>> vi. Kill wmiprvsw.exe
>>>
>>> 1. Note there is a legitimate system process called 'wmiprvse.exe' that
>>> does NOT need to be killed.
>>>
>>> c. Allow the system to reboot after the patch is installed.
>>>
>>>
>>> 3. Run the Sasser cleaner tool from the following URL:
>>>
>>> a. For the on-line ActiveX control based version of the cleaner you can
>>> run it directly from the following URL:
>>> http://www.microsoft.com/security/incident/sasser.asp
>>>
>>> b. For the stand-alone download version of the cleaner you can download
>>> it from the following URL:
>>> http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
>>>
>>> 4. Determine if the machine has been infected with a variant of the
>>> Agobot worm which can also get on the machine using the same method as
>>> the Sasser worm.
>>>
>>> a. To do this run a full antivirus scan of your machine after ensuring
>>> your antivirus signatures are up to date.
>>>
>>> b. If you do NOT have an antivirus product installed you can visit
>>> HouseCall from TrendMicro to perform a free scan using the following
>>> URL: http://housecall.trendmicro.com/
>>>
>>> If you have any questions regarding the security updates or their
>>> implementation after reading the above listed bulletin you should contact
>>> Product Support Services in the United States at 1-866-PCSafety
>>> (1-866-727-2338). International customers should contact their local
>>> subsidiary.
>>> --
>>> HTH - Please Reply to This Thread
>>>
>>> ~Robear Dyer (PA Bear)
>>> MS MVP-Windows (IE/OE), AH-VSOP
>>>
>>> AumHa Forums
>>> http://forum.aumha.org
>>>
>>> Protect Your PC
>>> http://www.microsoft.com/security/protect
>>>
>>> Soups wrote:
>>>> Without going into how it happened (a very long story),
>>>> Sasser and Blaster both are occupying my notebook (HP
>>>> ze4230/XP). In a nutshell, it's thanks to no firewall
>>>> protection and a shocking (about 8 months worth) lack of
>>>> patches/updates from MS.
>>>> Right now, all downloads/installations of patches/updates
>>>> from MS are blocked with the familiar NT message. I have
>>>> tried instructions from Symantec, MS and countless others
>>>> to stop the processes so that I can (maybe) download
>>>> updates and a removal tool, but I cannot find any of these
>>>> processes in Task Mgr. These include processes starting
>>>> with 4 or more numbers to msiwin84.exe, all from a very
>>>> recent list from Symantec. I never found Msblast.exe
>>>> either. I have disabled System Restore. I have altered the
>>>> RPC from first, second and subsequent failures to restart
>>>> the service. In a nutshell, I have followed everything,
>>>> but I cannot get rid of this mess.
>>>> Where else might I find Sasser/Blaster to stop the
>>>> processes?
>>>> Is it possible that I could do a System Recovery (not
>>>> restore--I can be dumb, but not that dumb!), add a
>>>> firewall and then go online to install what I need?
>>>> Thanks for the help.
>>>>
>>>> Soups
>>>
>>> .
>
>.
>
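The process-name rules from the Microsoft instructions quoted above (step 2.b, including the wmiprvse.exe look-alike caveat) turned into a small triage check. This is an added example, not part of the thread; the process list is constructed and the function names are my own.

```python
"""Triage a Task Manager process list against the Sasser/Agobot
process-name rules quoted in the thread (added example, not from the
original post). SAMPLE_PROCESSES is a constructed list, not real data."""
import re

# Rules from the quoted instructions: any process ending in '_up.exe',
# any starting with 'avserv' or 'skynetave', plus three exact names.
SUFFIX_RULES = ("_up.exe",)
PREFIX_RULES = ("avserv", "skynetave")
EXACT_RULES = {"hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}

# Legitimate WMI provider host that differs from wmiprvsw.exe by one
# letter; the instructions say it must NOT be killed, so never flag it.
KNOWN_GOOD = {"wmiprvse.exe"}

# Sasser-style names use a numeric prefix of 4 or more digits, e.g. 12345_up.exe.
NUMERIC_UP_RE = re.compile(r"^\d{4,}_up\.exe$")


def classify_process(name):
    """Return a reason string if `name` matches a rule, else None."""
    n = name.strip().lower()
    if n in KNOWN_GOOD:
        return None
    if n in EXACT_RULES:
        return "exact match: %s" % n
    for p in PREFIX_RULES:
        if n.startswith(p):
            return "prefix match: %s*" % p
    for s in SUFFIX_RULES:
        if n.endswith(s):
            kind = "numeric Sasser-style" if NUMERIC_UP_RE.match(n) else "generic"
            return "suffix match: *%s (%s)" % (s, kind)
    return None


def triage(process_names):
    """Return [(name, reason)] for every process that matches a rule."""
    return [(p, classify_process(p)) for p in process_names if classify_process(p)]


# Constructed sample listing (not taken from a real machine).
SAMPLE_PROCESSES = [
    "System", "lsass.exe", "svchost.exe", "explorer.exe",
    "wmiprvse.exe",   # legitimate: must stay clean
    "wmiprvsw.exe",   # look-alike named in the instructions
    "avserve2.exe", "skynetave.exe", "12345_up.exe", "hkey.exe",
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_PROCESSES):
        print("FLAG %-16s %s" % (name, reason))
```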