OT Sasser Worm Virus

ButtercupsDad@dog.net - 05 May 2004 18:08 GMT
   Maybe Heather or one of the other computer literate folk will
offer some advice on how to protect the home computer from this new
virus?  

   I have dial up, do I still need to buy firewall software?

   Thank you.
David S.
Heather - 05 May 2004 19:32 GMT
Hi David......and anyone else that is interested.......

First and foremost, this Worm (not virus) comes in through *open ports* on
your computer.......not as an email attachment.  So in essence, you would
have no idea you have been hit.......IF you don't have a firewall stealthing
your ports.

I use Zone Alarm Pro.  But the free Zone Alarm is just as good.  This worm
hits ONLY Windows XP and Win2000.....not 98 or WinME.....so I guess I know
why I like my WinME, grin.

It is bad because it is spreading like wildfire, according to my antivirus
groups and the newspapers.  The prevention is simple.  Download the
appropriate Microsoft patch, AFTER making sure you are not infected.  I
checked the McAfee site (see below) and you can download the Stinger Tool
first....then add the patch.

I am copying over what my Rogers ISP sent me yesterday, but on reading it
over, go to the bottom (Item F) and click on the link to the McAfee link and
follow instructions there.

1.  Make sure you are not already infected......I don't think the firewall
that comes with XP is as good as commercial firewalls.

2.  Download the MS patch.....and I will warn you that it has been causing
problems with Windows 2000, or so I hear.  That I will check into, but I was
looking up some information for another antivirus person last night coz the
fix mucked up the customer's computer (Win2000).  We can't seem to find the
'hotfix' to fix the patch, grin.

Hope this is clear......if not, let me know.  If you have Zone Alarm running
(or Kerio, etc), I think you are pretty safe.  If not, please check your
computer out and run the Stinger tool.  It nails a lot of viruses!!

Cheers.....Heather

SASSER VIRUS INFORMATION (NETSKY VIRUS INFORMATION IS BELOW)

A. SASSER KEY MESSAGE:
All customers using Windows 2000 or Windows XP should immediately run
Windows Update at http://windowsupdate.microsoft.com

B. SASSER VIRUS OVERVIEW:
This virus is spreading rapidly across the Internet. Unlike viruses sent via
Email attachments, this 'worm' virus can infect computers by taking
advantage of a security vulnerability in Windows 2000 and Windows XP. It can
be spread from computer to computer with no user intervention.

C. SASSER - SYMPTOMS OF INFECTION:
If your computer has been infected, the SASSER virus will cause your
computer to frequently restart. While your computer is rebooting, you may
also see pop-up systems messages regarding "NT Authority\System" or "LSA
Shell". Your computer will attempt to infect other computers without your
knowledge.

D. SASSER - HOW TO KEEP YOUR COMPUTER FROM BEING INFECTED

1. Run Windows Update:
All customers using Windows 2000 and Windows XP should run Windows
Update at http://windowsupdate.microsoft.com and follow the on-screen
instructions to patch their systems and avoid infection.

2. Update your virus protection software:
If you already have virus protection software installed on your computer,
you should update it immediately. If you do not have virus protection
software installed on your computer, Rogers, in conjunction with McAfee, is
offering an Internet Security Solution which includes virus protection. You
can get more information from: http://www.rogers.com/mcafee

E. SASSER - HOW TO REMOVE IT IF YOU THINK YOUR COMPUTER HAS BEEN INFECTED

1. Download and run McAfee's Free Virus Removal Tool - Stinger
If you believe that your computer has been infected, McAfee has released a
stand-alone virus removal tool which can detect and can remove this virus.
Their free 'Stinger' virus removal tool can be downloaded from their
Website:
http://vil.nai.com/vil/stinger/

NOTE: Stinger can only remove the virus, it does not protect your computer
from future infection by this virus or any other virus. For more details on
Virus Protection offered by Rogers and McAfee please visit
http://www.rogers.com/mcafee

2. Run Windows Update:
After removing the virus, you should install the Microsoft update to be
protected from the SASSER virus:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

F. SASSER - ADDITIONAL DETAILS
To get additional details on the SASSER Virus, please visit:
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=125008

>     Maybe Heather or one of the other computer literate folk will
> offer some advice on how to protect the home computer from this new
[quoted text clipped - 4 lines]
>     Thank you.
> David S.
Heather - 05 May 2004 19:42 GMT
http://www.microsoft.com/security/incident/sasser.asp

Just reading all the reports on the antivirus group.....this is the
Microsoft information on the worm and there is a virus checker on that page
for XP or 2000 users.....follow the instructions.  Plus the link for the
patch.

Saw a post that said the XP firewall may not be able to stop
this.....haven't checked out the Win2000 problem yet.  But if your computer
keeps crashing, you probably have Sasser.

Heather

> Hi David......and anyone else that is interested.......
>
[quoted text clipped - 96 lines]
> >     Thank you.
> > David S.
c palmer - 05 May 2004 20:23 GMT
hi david - they had a segment on the news about the sasser worm virus
and said that you could go to the microsoft website and download the
protection needed.

hope this helps.

~ curtis

knowledge is power - growing old is mandatory - growing wise is optional    
"Many more men die with prostate cancer than of it. Growing old is
invariably fatal. Prostate cancer is only sometimes so."
Heather - 05 May 2004 21:32 GMT
However, as I pointed out......make sure you are not infected with the worm
first....then download the patch.  No point in doing it the other way
around, grin.  If Dave is using a firewall, then he very likely isn't.  But
this is very sneaky and fast.

XX  Heather

> hi david - they had a segment on the news about the sasser worm virus
> and said that you could go to the microsoft website and download the
[quoted text clipped - 7 lines]
> "Many more men die with prostate cancer than of it. Growing old is
> invariably fatal. Prostate cancer is only sometimes so."
jk - 05 May 2004 20:48 GMT
>     Maybe Heather or one of the other computer literate folk will
> offer some advice on how to protect the home computer from this new
[quoted text clipped - 4 lines]
>     Thank you.
> David S.

If you're running WinXP, just update it via the MS patch. They are pretty
much 1-7 days behind all the latest worms. Norton's website also offers free
scanning.

--
JK Sinrod
Sinrod Studios
www.sinrodstudios.com
Coney Island Memories
www.sinrodstudios.com/coneymemories
Alan Meyer - 06 May 2004 03:43 GMT
>     Maybe Heather or one of the other computer literate folk will
> offer some advice on how to protect the home computer from this new
> virus?
>
>     I have dial up, do I still need to buy firewall software?

Yes indeed you do need firewall software!  I agree
wholeheartedly with Heather that you should get (at least)
the free Zone Alarm firewall, available from:

  http://www.zonelabs.com

When I first installed Zone Alarm some years ago I set it
to tell me every time some attempt occurred to contact
my computer from outside.  I was astounded to find that
it was happening to me on average about 3-4 times per
day, and I sometimes got as many as 100 in a day.

In addition to blocking all those attempts and making your
computer invisible, Zone Alarm will also block any attempt
by any program on your computer to contact the outside
world.  Each time it happens you have to tell Zone Alarm
whether you trust that program and whether you want to
always, now, or never trust it.

Again I was astounded to find spyware on my system
that was talking to the outside world without my permission.
The worst offender was a program called "bookmark express",
or something like that, that was silently sending copies of
all of my web browser bookmarks to a company.

The spyware came along with software drivers on a CD
that came with a scanner I bought from Staples.  Now I
know why the scanner was so cheap.  There was nothing
at all in the printed or online documentation that told me
that that program would be installed.

Now I have both a hardware and a software firewall, and
a free virus scanner (http://www.grisoft.com) and I
confess that I still sometimes get nervous.

   Alan
philski - 06 May 2004 04:17 GMT
>     Maybe Heather or one of the other computer literate folk will
> offer some advice on how to protect the home computer from this new
[quoted text clipped - 4 lines]
>     Thank you.
> David S.

ButtercupsDad,
This worm/virus affects Windows XP and Windows 2000. If you are running
either of these, you should at least do a Windows Update to get the
latest security patches. And you can go here:

> http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

to read about and download this patch for your system. I did get the
virus at work via the internet/system e-mail. And this patch took care
of it.

You may see a NT/Authority window saying a problem has happened with
lsass.exe and will be shutting it down in 45 seconds. And then it does
shut down your system to reboot. You can do a google search on LSASS and
VIRUS to read more.

Software firewalls are a good start. McAfee and Norton both offer pretty
good ones. Software firewalls are beatable if a hacker is determined to
break through your system. But a firewall usually stops most of these
attacks because it is really not worth the time to pursue the invasion.
A hardware firewall is much better. Hardware firewalls are usually put
in place via a router or internet access point. But you will probably
need to be on DSL or Cable to use this item.

Hope this helps some....

Philski
Alan Meyer - 06 May 2004 23:37 GMT
...
> ... Software firewalls are beatable if a hacker is determined to
> break through your system. But a firewall usually stops most of these
> attacks because it is really not worth the time to pursue the invasion.
...

Most attacks consist of sending a message to a "port" on your
computer.  A "port" is just an identifying number for a service
that will respond when a message is sent to that port.  For
example, there is a port for receiving mail, a port for receiving
web server requests, a port for identifying your computer on
a network, and so on.

The software firewalls will keep track of all messages you
send out and all messages coming in.  If the message coming
in is not a response to something you sent out, it will just
throw it away.  The hacker gets no indication that your
computer even exists.  In effect, it not only shields you
from the outside, it also hides you.  The hacker is blasting
out messages to millions of random "Internet Protocol"
addresses hoping to find a computer that responds on
one of them. Most of those addresses don't actually even
correspond to a computer.  The hacker (really, his hacking
software), will normally assume there is no computer at
your address and move on to try to break into the computers
that do respond.

The bottom line here is that you're probably right.  Highly
determined and super-intelligent hackers, given enough time,
might find a way to get through any firewall, hard or soft.  But
the chance of their pursuing addresses that never responded
at all is vanishingly slim.

I have a hardware firewall because I bought a router for my
home network and it had a firewall built in.  But I think the
software firewalls are also very good.  And of course, when
you think about it, a hardware firewall is really a software
firewall running on a computer between you and the Internet.

   Alan
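
The behaviour Alan describes above (admit only replies to traffic you started, silently discard the rest), as an added example that is not part of the thread and is not how Zone Alarm or any other named product is implemented. The `Packet` and `StatefulFilter` names, the 120-second idle timeout and the documentation-range addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = sent by this PC, "in" = arriving from the Internet
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)


class StatefulFilter:
    """Allow inbound TCP only when it answers a flow this PC started."""

    def __init__(self, idle_timeout=120):
        self.idle_timeout = idle_timeout
        self.flows = {}     # (local endpoint, remote endpoint) -> time last seen
        self.dropped = []   # unsolicited inbound packets, kept for the alert log

    def handle(self, pkt, now):
        # Forget flows that have been idle for too long.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        if pkt.direction == "out":
            self.flows[(pkt.src, pkt.dst)] = now
            return "ALLOW"
        key = (pkt.dst, pkt.src)   # a reply has the two endpoints swapped
        if key in self.flows:
            self.flows[key] = now
            return "ALLOW"
        self.dropped.append(pkt)
        return "DROP"              # discarded silently: nothing is sent back

    def probes_by_port(self):
        """Count dropped inbound packets per local destination port."""
        counts = {}
        for pkt in self.dropped:
            counts[pkt.dst[1]] = counts.get(pkt.dst[1], 0) + 1
        return counts


# Constructed traffic: (time in seconds, packet).
PC = "192.0.2.10"
TRAFFIC = [
    (0,   Packet("out", (PC, 1030), ("198.51.100.7", 80))),   # PC opens a web page
    (1,   Packet("in",  ("198.51.100.7", 80), (PC, 1030))),   # the reply
    (5,   Packet("in",  ("203.0.113.50", 4021), (PC, 445))),  # unsolicited, port 445
    (6,   Packet("in",  ("203.0.113.51", 4100), (PC, 445))),  # unsolicited, port 445
    (7,   Packet("in",  ("203.0.113.50", 4022), (PC, 139))),  # unsolicited, port 139
    (8,   Packet("in",  ("198.51.100.7", 80), (PC, 1031))),   # known host, wrong port
    (200, Packet("in",  ("198.51.100.7", 80), (PC, 1030))),   # flow has expired
]


def run(traffic):
    """Feed the traffic through a fresh filter; return the filter and verdicts."""
    fw = StatefulFilter()
    return fw, [fw.handle(pkt, now) for now, pkt in traffic]


if __name__ == "__main__":
    fw, verdicts = run(TRAFFIC)
    for (now, pkt), verdict in zip(TRAFFIC, verdicts):
        print(f"t={now:>3} {pkt.direction:>3} {pkt.src} -> {pkt.dst}: {verdict}")
    print("dropped per local port:", fw.probes_by_port())
```
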
ButtercupsDad@dog.net - 06 May 2004 12:50 GMT
  Thanks to all who responded.  Looks like I have some work ahead of
me this weekend.  Looks like a firewall is a must.  I will run the
check to see if I already am infected, and get the Microsoft security
patch.  I am on dial up, so the hardware firewall looks like something
I cannot get, but I will still investigate that further.

   Thank you again.
David S.

>    Maybe Heather or one of the other computer literate folk will
>offer some advice on how to protect the home computer from this new
[quoted text clipped - 4 lines]
>    Thank you.
>David S.
philski - 07 May 2004 03:38 GMT
>    Thanks to all who responded.  Looks like I have some work ahead of
> me this weekend.  Looks like a firewall is a must.  I will run the
[quoted text clipped - 13 lines]
>>   Thank you.
>>David S.

Here is more good info for you:

> Sasser.a and Sasser.b prevention and cure
> By Robert Vamosi
[quoted text clipped - 40 lines]
>
> Read the latest News.com coverage here.

Good Luck!

Philski
Ray Walsh - 07 May 2004 12:39 GMT
Try a search for stinger.exe (sorry -- can't remember where I got mine).
This is free and searches for a lot of current nasties. My recent update
checks for 41 worms, etc. Doesn't remove them, but lets you know if you have
problems.

Ray Walsh
Jeelan Enterprises
PO Box 900
Armadale WA 6992 Australia

http://www.jeelan.com.au
jeelan@jeelan.com.au
ABN: 12 892 867 982

> >    Thanks to all who responded.  Looks like I have some work ahead of
> > me this weekend.  Looks like a firewall is a must.  I will run the
[quoted text clipped - 24 lines]
> >
> > Sasser and its variations are network-aware worms that do not require
> > e-mail or user interaction to spread. The worms use a bootstrap effect by
> > infecting new machines first, then downloading the full code from a
> > previously infected machine. Sasser (w32.sasser.a) and Sasser.b
> > (w32.sasser.b) are both 15,872 bytes long, and they randomly scan local
> > networks and the Internet to look for additional systems to infect. This
> > scanning could slow normal traffic on the Internet. Vulnerable systems
> > include Windows 2000 and Windows XP that have not had the Microsoft Security
> > Bulletin patch MS04-011 installed and that are not running desktop firewall
> > software. Sasser does not affect any other version of Windows, nor Linux,
> > Unix, Mac OS, or any other operating system. Because Sasser and its
> > variations spread via the Internet and allow remote users to access your PC,
> > this worm rates a 7 on the CNET/ZDNet Virus Meter.
> >
> > How it works
> > Sasser takes advantage of a buffer-overrun flaw in the Local Security
> > Authority Subsystem (LSASS), which allows an attacker to gain control of
> > infected systems. Microsoft patched the flaw with MS04-011 on April 13.
> >
> > Sasser adds a copy of itself to the Windows directory under the name:
> >
[quoted text clipped - 5 lines]
> >
> > Sasser.a: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve.exe = c:\Windows\avserve.exe
> >
> > Sasser.b: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run avserve2.exe = c:\Windows\avserve2.exe
> >
> > This change to the Registry allows the worm to run once the machine reboots.
> >
> > Sasser starts an FTP server on TCP port 5554. Meanwhile, it uses TCP port
> > 445 to search random chunks of the Internet for additional Windows 2000
> > and Windows XP that have not patched the LSASS flaw. Sasser launches 128
> > threads to scan the random IP addresses and listens on successive ports
> > starting with TCP port 1068. Microsoft reports that the worms also use TCP
> > port 139 as well. Ports 139 and 445 are both used by the Windows
> > file-sharing protocol.
> >
> > If the Sasser worm finds a vulnerable machine on a local network or the
> > Internet, the worm sends a specially crafted packet to cause a
> > buffer-overflow in lsass.exe. The overflow contains instructions in a script
> > file, cmd.ftp, on the newly infected machine to open TCP port 9996 and
> > instructions to download a copy of itself from TCP port 5554 on the
> > previously infected machine as
> >
> > [some random number]_up.exe.
> >
> > The file cmd.ftp is then erased. Sasser.a creates a win.log in the root
> > directory of the newly infected machine that contains the number of remote
> > systems currently infected and the IP address of the last infected system.
> > Sasser.b creates a file called win2.log.
> >
> > Prevention
> > Microsoft has created a special page on how to prevent a Sasser
> > infection. Basically, a desktop firewall should protect vulnerable systems
> > until the Microsoft security patch can be downloaded. If you do not have a
> > personal firewall, you should install one first to limit the effects of the
> > Sasser worm. The Microsoft security patch MS04-011 is available here.
> >
> > Removal
> > Most antivirus-software companies have updated their signature files to
> > include this worm. This will stop the infection upon contact and in some
> > cases will remove an active infection from your system. However, simply
> > removing the Sasser worm infection is not enough; an infected system will
> > remain vulnerable to attack until the LSASS vulnerability itself has been
> > patched.

> > For more information on Sasser.a, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
> >
[quoted text clipped - 5 lines]
>
> Philski
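
The host indicators listed in the article quoted in the post above (Run-key values, listening ports, log files in the drive root, the `_up.exe` download), turned into a small check, as an added example that is not part of the thread. It reads `reg query` and `netstat -an` style text plus a file list; the function names, the `ExampleTray` entry and all sample inputs are constructed for the illustration.

```python
import re

# Indicators taken from the article quoted in the thread.
RUN_VALUES = {"avserve.exe": "Sasser.a", "avserve2.exe": "Sasser.b"}
ROOT_LOGS = {"win.log": "Sasser.a", "win2.log": "Sasser.b"}
LISTEN_PORTS = {5554: "worm FTP server",
                9996: "port opened on a newly infected machine"}
UP_EXE = re.compile(r"\d+_up\.exe", re.I)   # "[some random number]_up.exe"


def parse_run_key(text):
    """Return {value name: data} from `reg query` style output."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s+(\S.*?)\s+REG_\w+\s+(.*)$", line)
        if m:
            values[m.group(1).lower()] = m.group(2).strip()
    return values


def listening_tcp_ports(text):
    """Return local TCP ports in LISTENING state from `netstat -an` style output."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def check_host(run_key_text, netstat_text, file_paths):
    """Return (variant, evidence) tuples; an empty list means no indicator seen."""
    findings = []
    for name, data in parse_run_key(run_key_text).items():
        if name in RUN_VALUES:
            findings.append((RUN_VALUES[name], f"Run value {name} = {data}"))
    for port in sorted(listening_tcp_ports(netstat_text) & set(LISTEN_PORTS)):
        findings.append(("Sasser", f"TCP {port} listening: {LISTEN_PORTS[port]}"))
    for path in file_paths:
        parent, _, base = path.rpartition("\\")
        # win.log / win2.log only count when they sit in the root of a drive.
        if base.lower() in ROOT_LOGS and re.fullmatch(r"[A-Za-z]:", parent):
            findings.append((ROOT_LOGS[base.lower()], f"log in drive root: {path}"))
        elif UP_EXE.fullmatch(base):
            findings.append(("Sasser", f"downloaded worm copy: {path}"))
    return findings


def variants(findings):
    """Variant names that the evidence points to specifically."""
    return sorted({v for v, _ in findings if v != "Sasser"})


# Constructed sample data (not captured from a real machine).
INFECTED_RUN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
    avserve2.exe    REG_SZ    c:\Windows\avserve2.exe
"""
INFECTED_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1068        198.51.100.23:445      SYN_SENT
"""
INFECTED_FILES = [r"C:\win2.log", r"C:\WINDOWS\system32\21845_up.exe",
                  r"C:\Documents and Settings\dave\win.log"]
CLEAN_RUN = INFECTED_RUN.replace("avserve2.exe", "notepad.exe")
CLEAN_NETSTAT = INFECTED_NETSTAT.replace(":5554", ":5000")

if __name__ == "__main__":
    for variant, evidence in check_host(INFECTED_RUN, INFECTED_NETSTAT, INFECTED_FILES):
        print(f"[{variant}] {evidence}")
```

A clean result only means none of these indicators were seen; it says nothing about whether the MS04-011 patch is installed.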
Heather - 07 May 2004 18:02 GMT
Hi Ray.....it is on the McAfee website....I keep an up to date one unopened
on my hard drive.  http://vil.nai.com/vil/stinger/

Cheers.....Heather

> Try a search for stinger.exe (sorry -- can't remember where I got mine).
> This is free and searches for a lot of current nasties. My recent update
[quoted text clipped - 118 lines]
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.677 / Virus Database: 439 - Release Date: 4/05/2004
c palmer - 08 May 2004 15:31 GMT
Worm infected thousands of computers worldwide
The Associated Press

BERLIN - German authorities have arrested an 18-year-old man suspected
of creating the "Sasser" computer worm, which infected thousands of
computers worldwide, an official said Saturday.
The suspect, a high school student, was arrested Friday, said Frank
Federau, a spokesman for the state criminal office in Hanover.
Police and prosecutors on Friday searched his parents' house in the
northern town of Waffensen, Federau said. He did not release the man's
identity, and said he did not immediately have details of how the
suspect was tracked down.
Prosecutors handling the case could not immediately be reached for
comment Saturday. German newsweekly Der Spiegel reported, without citing
sources, that the CIA and FBI also were involved in the hunt for the
worm's creator, whom it identified as Sven J.
The worm raced around the world over the past week, exploiting a flaw in
Microsoft Corp.'s Windows operating system.
Unlike most outbreaks, Sasser does not require users to activate it by
clicking on an e-mail attachment. Sasser is known as a network worm
because it can automatically scan the Internet for computers with the
security flaw and send a copy of itself there.
On Monday, the worm hit public hospitals in Hong Kong and one-third of
Taiwan's post office branches. Twenty British Airways flights were each
delayed about 10 minutes Tuesday due to Sasser troubles at check-in
desks, while British coast guard stations used pen and paper for charts
normally generated by computer.
Home users were particularly hit hard, computer security experts say,
because they generally lack the know-how to install patches and tend not
to have the firewalls needed to keep Sasser from spreading to other
computers via the Internet.
© 2004 The Associated Press. All rights reserved.

knowledge is power - growing old is mandatory - growing wise is optional    
"Many more men die with prostate cancer than of it. Growing old is
invariably fatal. Prostate cancer is only sometimes so."
Heather - 08 May 2004 19:18 GMT
Hi Curtis.....

Yes....one of our female antivirus people who lives in Germany gave the
following report......apparently the 'little darling' who wrote it is only
17, so no name....and the links are in German, so couldn't read them.  But
Gabriele is keeping us up to date on what's happening.

They have found that there is a link to NetSky too with this Sasser guy and
his group of misfits.  And the US was of great assistance in tracking down
this luser!!

I think he should have to work on the tech support desk for a major
antivirus company for two years.....and live in jail for longer.  Fitting
punishment if he has to help people get rid of his 'creations'.  (G)

Heather

They overdid it. Finally, today, Saturday May 5th, the programmers of
two worm series have been arrested.

The first one, a seventeen year old school attendant residing in Wuemme,
Lower Saxony, has already confessed that he programmed the sasser worm.
After doing this, he was released to live at his home again.

http://www.heise.de/newsticker/meldung/47205 (German)

One more has been arrested in Loerrach, Baden-Wuerttemberg. The head of a
complete gang seems to be a jobless man of 21 years. He is accused of having
programmed the agobots and the phatbot worm, and of having exploited the known
Windows XP vulnerabilities to spread the worm/trojan.

The man seems to have cooperated with more coders, the houses of which have
been searched in Lower Saxony, Hamburg and Bavaria.

The main head is accused of having broken into various companies,
especially in the US and Britain, already in 2003, and caused major
financial losses due to extended downtimes which lasted up to several
days. He is said to have been hacking German companies, too.

After getting judged, he will be facing lawsuits, demanding millions of
dollars for damage compensation.

The German authorities came to know of these hackers by the help of US
officials who provided the necessary information for identifying them.

http://www.heise.de/newsticker/meldung/47209 (German)

Gabriele Neukam

> Worm infected thousands of computers worldwide
> The Associated Press
>
> BERLIN - German authorities have arrested an 18-year-old man suspected
> of creating the "Sasser" computer worm, which infected thousands of
> computers worldwide, an official said Saturday.
c palmer - 10 May 2004 10:38 GMT


Read Carefully.  This is a dangerous one!
 

It seems that there is a virus out there called the C-nile Virus that
even the most advanced Antivirus programs cannot take care of, so be
warned.
It appears to affect those of us who were born before 1965!

Symptoms of C-nile Virus:

1.     Causes you to send same e-mail twice.
2.     Causes you to send blank e-mail.
3.     Causes you to send to wrong person.
4.     Causes you to send back to person who sent it to you.
5.     Causes you to forget to attach the attachment.
6.     Causes you to wonder who all the people in your address
book are.
7.     Causes you to hit "SEND" before you've finished the
 

~ curtis

knowledge is power - growing old is mandatory - growing wise is optional    
"Many more men die with prostate cancer than of it. Growing old is
invariably fatal. Prostate cancer is only sometimes so."
 