News Sasser worm 'spreading rapidly'

Discussion in 'Article Discussion' started by GreatOldOne, 3 May 2004.

  1. GreatOldOne

    GreatOldOne Wannabe Martian

    This from the Beeb:

    A new internet virus spreading rapidly around the world may already have infected millions of computers.

    Sasser, unlike a virus which travels through e-mails and attachments, spreads directly from the internet.

    It attacks recent versions of Microsoft's Windows causing the computer to shut down.

    The worm exploits a security flaw, but this can be prevented with a Microsoft patch.

    It typically shuts down the computer then automatically re-boots it and repeats this process several times, but is not thought to cause lasting damage.


    More here

    Ah, another day, another worm. :rolleyes:
     
  2. [cibyr]

    [cibyr] Sometimes posts here

    Sounds like Blaster all over again. I think one of my friends got it, before there was any AV for it. Lucky I'm behind a NAT :D
     
  3. BioSniper

    BioSniper Minimodder

    ditto :thumb:
     
  4. KryoNexus

    KryoNexus What's a Dremel?

    yeh, sounds exactly like blaster. can't fault the maker for being original i guess ;-)
     
  5. Guest-16

    Guest-16 Guest

    when will people learn NOT TO OPEN DAMN EMAIL ATTACHMENTS! :rolleyes: :duh:
     
  6. dyzophoria

    dyzophoria Minimodder

    i read it doesn't spread via email/attachments, it spreads by attacking a randomly selected ip address. :eeek:
     
  7. -:: M@ ::-

    -:: M@ ::- Testify!

    any chance this will cause an error in lsass and then tell me the computer's gonna shutdown in 1 minute and countdown, as since yesterday I have that :)
    and assumed it was just summat to do with my new pet the wininit32.exe worm, not 2 viruses in a week :(
    arrrrrgggggghhh

    *ahem*

    - M@

    ::edit::
    oh and yeah, i have had no email attachments, I'm not that stupid, so it has 2 be the random ip thingy
    grr
     
  8. Manitowic999

    Manitowic999 What's a Dremel?

    Removed it from a friend's computer last night. Hooks into LSASS.EXE. It's the service that controls Windows logins. Once it gets in, the worm simply runs Shutdown.exe with system permissions (i.e. no cancel) with a one minute timer. Makes things interesting, took me about three times to finally get it. :D Not very destructive, only creates a server on your computer, probably a DDOS worm. Easy to remove.

    Pawn_King110: Start in safe mode, run your virus scanner. I was able to remove it with a Trend Micro online scan. It will leave junk though, so if you have Norton or another, use it. It leaves non-repairable files in your "C:\windows\system32\" folder. Just quarantine them and then delete them. Good Luck. :thumb:
     
  9. neonplanet40

    neonplanet40 What's a Dremel?

    I've got something called lsass.exe | SYSTEM | OO | 1,312

    But i have had no probs with computer trying to shut down etc....

    PyRo :wallbash:
     
  10. Manitowic999

    Manitowic999 What's a Dremel?

    LSASS.EXE is a critical Windows service. It's not the problem. The worm just causes a problem in it.
     
  11. DeadTeddy

    DeadTeddy What's a Dremel?

  12. VadimtheConqueror

    VadimtheConqueror I love the little tacos...

    removal tools take a long time.

    boot to safe mode
    delete avserve.exe or avserve2.exe, and *_up.exe, then go into your registry, and do find for avserve or avserve2, depending on which variant you have. i have a feeling luxafyj is a third variant, would like confirmation on that tho.
    after the reg keys are gone, go and turn on windows firewall on your net connection or another firewall program, or a router with built-in firewall.
    reboot to normal mode
    run windows update
    done

    i've only done the fix once. everyone else in the office has done it about 20 times now, people keep keep keep calling about it, it's just easy enough that they don't need to call me.
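
The file and registry checks from the removal steps in the post above, as an added example that is not part of the original thread: it matches a directory listing and a `.reg` export against the names the post gives (avserve.exe, avserve2.exe, *_up.exe, and registry values mentioning avserve). The sample listing, the sample export and the Run key it shows are constructed for illustration.

```python
import fnmatch
import re

# File-name patterns from the removal steps in the post above.
FILE_PATTERNS = ["avserve.exe", "avserve2.exe", "*_up.exe"]
# Registry search term from the same post ("do find for avserve").
REG_TERM = "avserve"
# A value line in a .reg export looks like: "name"="data"
REG_VALUE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"\s*$')


def match_files(names):
    """Return the names matching any pattern, case-insensitively."""
    return [n for n in names
            if any(fnmatch.fnmatchcase(n.lower(), p) for p in FILE_PATTERNS)]


def match_reg_export(text):
    """Return (key, value name, data) for value lines mentioning REG_TERM."""
    hits, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember which key the following values belong to
            continue
        m = REG_VALUE.match(line)
        if m and REG_TERM in line.lower():
            data = m.group("data").replace("\\\\", "\\")  # undo .reg escaping
            hits.append((key, m.group("name"), data))
    return hits


# Constructed sample input (not captured from a real machine).
SAMPLE_FILES = ["notepad.exe", "AVSERVE2.EXE", "12345_up.exe", "setup.exe", "avserver.dll"]
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"
"ExampleTool"="C:\\Program Files\\Example\\tool.exe"
'''

if __name__ == "__main__":
    for f in match_files(SAMPLE_FILES):
        print("file:", f)
    for key, name, data in match_reg_export(SAMPLE_REG):
        print("registry:", key, name, data)
```

Note that `setup.exe` is not flagged: the `*_up.exe` pattern requires the literal `_up` suffix, so ordinary installers do not produce false positives.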
     
  13. Piratetaco

    Piratetaco is always right

    what's a NAT?
     
  14. RTT

    RTT #parp

    Network Address Translation - basically a device that makes a network of computers appear as just one to the rest of the internet.

    If you're firewalled (or non windows :D) you'll escape this Sasser thingy.
     
  15. Lazy

    Lazy Meow?

    when will people learn TO READ ABOUT THE VIRUS! :rolleyes:


    :D
     
  16. -:: M@ ::-

    -:: M@ ::- Testify!

    Cheers Manitowic999 :D Unfortunately I'm a lazy **** so got the removal tool instead, but thanks for that anyways!!
    Woot, no random shut downs :)

    - M@
     
  17. Pygo

    Pygo Rick Relixed

    hehe, I got that virus two nights ago. Had it off within the half hour of not even knowing what it was. I got the shutdown message about 5 mins after going online with dialup. So, I went into safe mode, and then ran msconfig. Found avserve2.exe and thought hmmm... nothing to do with avg, and I haven't seen it there before. Unchecked it. Rebooted into normal mode. Ran a virus scan. Found and deleted. Then went directly to windows update after enabling the winxp firewall. No probs since. :thumb:
    Although, I have had like 5 people call me at work about this shutdown thing and what not. Got like 4+ computers coming in today/tomorrow already. I guess this means I have to work for my hard earned money :duh: :lol:
     
  18. -:: M@ ::-

    -:: M@ ::- Testify!

    ok
    so i had the process adserve.exe running, which i deleted a couple of nights bk on my weekly wtf is running in processes clean..
    now it still shuts my machine down, but there's no registry key where there should be :S
    and my machine keeps running down, so either i have summat else, or there's sommat screwed on my computer in the lsass thing, but that's what the virus attacks, and i did have the .exe on the computer....crap...

    erm, :waah: help??

    pwease?
    - M@
     
  19. Pygo

    Pygo Rick Relixed

    OK. Do you have a virus scanner? If so, is it up to date?
    Also, if you are on the net, you will most likely get the virus. If you go to windows update, you can download a patch for the virus I believe.
    Run a full virus scan.
    Or, if you want, you can go into safe mode, and use the McAfee Stinger tool to remove it.
    http://vil.nai.com/vil/stinger/
    ^^^ linky for stinger.

    Also, if you want a good free virus scanner, go to www.grisoft.com and click on the AVG free edition link, and enter the info there.
    I think that is it, anything else I forget?
     
  20. -:: M@ ::-

    -:: M@ ::- Testify!

    ok, well did all that, found nothing
    then 10 mins later, lsass got its 'problem' and shutdown
    just like the virus does, so it's here somewhere, or a diff variant???
    but this is taking the piss now :waah:
    grrrrr

    - m@
     