How to Remove Sasser worm virus

What is the Sasser worm?
The Sasser worm infects machines via network connections. It can attack entire networks of computers or one single computer connected to the Internet. The worm exploits a known windows vulnerability that is easily patched, however few systems seem to have this patch installed. It attacks Windows 2000 and Windows XP machines along with Windows NT and Windows Server 2003.

The patch from Microsoft known as the MS04-011 Security Update fixes the following vulnerabilities:

  • LSASS Vulnerability
  • LDAP Vulnerability
  • PCT Vulnerability
  • Winlogon Vulnerability
  • Metafile Vulnerability
  • Help and Support Center Vulnerability
  • Utility Manager Vulnerability
  • Windows Management Vulnerability
  • Local Descriptor Table Vulnerability
  • H.323 Vulnerability
  • Virtual DOS Machine Vulnerability
  • Negotiate SSP Vulnerability
  • SSL Vulnerability
  • ASN.1 “Double-Free” Vulnerability

Download the Windows patches for this vulnerability by clicking on the links below:

Windows XP and Windows XP Service Pack 1

Windows 2000 Service Packs 2, 3, and 4

Visit the following site for patches for Windows NT, Windows XP 64-bit Edition, Windows Server 2003

What are the Symptoms of the Sasser worm?

You'll see a screen similar to the one below when you are infected, this will countdown to zero and literally shut down the system completely. The warning will state "This shutdown was initiated by NT AUTHORITY\SYSTEM". The message will state that the system process lsass.exe terminated unexpectedly.

sasser2.gif (5475 bytes)

The message may be prefaced by another message:

sasser1.gif (9075 bytes)

You can disable this shutdown by following the steps below during the countdown

  1. Click on Start, Run
  2. Type in CMD and press ENTER
  3. Type in the following command and press Enter

    SHUTDOWN -A

This will terminate the shutdown, however in most cases the system may be to unstable to try to recover and may need to be rebooted anyway.

How Does Sasser Infect My Computer?

When W32.Sasser.Worm runs, it does the following:

1) Attempts to create a mutex named Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.

2) Copies itself as to the %Windir% directory. This is usually the C:\WINDOWS or C:\WINNT directory.

3) Adds the value:

"avserve.exe"="%Windir%\avserve.exe"

"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"= "%Windows%\skynetave.exe"

to the following registry key, so that the worm runs on Windows startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4) Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

5) Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

6) Iterates through all the host IP addresses, looking for addresses without any of the following:

  • 127.0.0.1
  • 10.x.x.x
  • 172.16.x.x - 172.31.x.x (inclusive)
  • 192.168.x.x
  • 169.254.x.x

7) Using one of these IP addresses, the worm then generates a random IP address.

52% of the time, the IP address is completely random.
23% of the time, the last three octets are changed to random numbers.
25% of the time, the last two octets are changed to random numbers.

Because the worm can create completely random addresses, any IP range can be infected.
This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow and barely usable.

8) Connects to the randomly generated IP address on TCP port 445 to determine if a remote computer is online.

9) If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.

10) Uses the shell on the remote computer to connect back to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.

11) The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in 1 minute.

12) Creates a file at C:\win.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.

How Can I Remove the Sasser worm?

Follow these steps in removing the Sasser worm.

1) Disconnect your computer from the local area network or Internet

2) Terminate the running program

  • Open the Windows Task Manager by either pressing CTRL+ALT+DEL, selecting the Processes tab or selecting Task Manager and then the process tab on WinNT/2000/XP machines.
  • Locate one of the following programs (depending on variation), click on it and End Task or End Process

avserve.exe
avserve2.exe
skynetave.exe
any process running with the "_up.exe" suffix

  • Close Task Manager

3) Activate the Windows XP Firewall (if running Windows XP) or another firewall to prevent the worm from shutting your system down while downloading the patches. To activate the Windows XP firewall, follow these steps.

  • Click on Start, Control Panel
  • Double-click on Networking and Internet Connections, then click on Network Connnections
  • Right-click on the connection you use to access the Internet and choose Properties
  • Click on the Advanced Tab and check the box
    "Protect my computer and network by limiting or preventing access to this computer from the Internet"
  • Click OK and close out of the Network and Control Panel

3) Download and Install the patches for the LSASS Vulnerability and others

5) Remove the Registry entries

  • Click on Start, Run, Regedit
  • In the left panel go to

HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>Current Version>Run

  • In the right panel, right-click and delete the following entry

"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"= "%Windows%\skynetave.exe"

  • Close the Registry Editor

6) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)

  • Click Start, point to Find or Search, and then click Files or Folders.
  • Make sure that "Look in" is set to (C:\WINDOWS).
  • In the "Named" or "Search for..." box, type, or copy and paste, the file names:

    avserve.exe
    avserve2.exe
    skynetave.exe
    C:\win2.log
  • Click Find Now or Search Now.
  • Delete the displayed files.
  • Empty the Recycle bin

7) Reboot the computer and update your antivirus software, and run a thorough virus scan using your favorite antivirus program.

For Automatic Removal of Sasser, download the Symantec removal tool, you'll still need to download the patches above and install them, however this removal tool will stop the Sasser worm from running, remove the items in the registry, and delete the infected files.

 

space.gif (58 bytes)

 

Search PCHell.com



 




Tools for Removing Spyware, Adware, and Malware


PC HELL
Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page

 






iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad



Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.



Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)

Search PCHELL.COM

Return to PC Hell
Return to PC Hell

Google