What to do if your computer has been infected by Sasser
Thread poster: LJC (X)
LJC (X)
France
French to English
May 9, 2004

For those who think they've got the Sasser virus, follow Microsoft's instructions at http://www.microsoft.com/security/incident/sasser.asp

From this page, you can scan your computer for the virus to see if you've got it, and also check your firewall and security update status (which are automatically adjusted if necessary).


 
Kim Metzger
Mexico
German to English
What to do if your computer has been infected by Sasser May 9, 2004

Hi Lesley,
What are the symptoms?

Kim


 
LJC (X)
France
French to English
TOPIC STARTER
Symptoms May 9, 2004

Apparently, Sasser only infects Win 2000 and XP. According to Microsoft, one of the symptoms is that the operating system keeps shutting down, but the computer I am trying to sort out doesn't have that problem.

This computer is at my local 'mairie' and is open to the public for Internet access, although not many people use it. It is less than a month old and was working normally about a week ago.

The computer is working painfully slowly, no Internet sites can be accessed, but sending and receiving e-mails is possible. Word opens but doesn't work as it should (I didn't try any other programs).

Now I'm a bit prehistoric when it comes to computer problems but there's no-one else to sort this out quickly so I'm trying to do what I can to help.

I ran the antivirus first and it found the Welchia E worm, which I quarantined. I then tried to update the antivirus but the files wouldn't all download. As I still couldn't access any site to do an online virus scan or repair, I searched the Net from my computer at home.

I found a virus removal program called Stinger (made by McAfee) at http://vil.nai.com/vil/stinger/ which I downloaded and then burned onto a CD. I ran this on the computer at the 'mairie' and it found 29 files infected with the Sasser worm, which I deleted. After that, I did manage to access a couple of sites, but it was extremely slow and didn't last long before I couldn't access any sites again.

I went back home to do some more research on this Sasser thing that I'd never heard of, only to find that half the world seems to be infected!

I've printed out the instructions on the Microsoft site and will try them out on Monday. I will then check the firewall and update the antivirus.

My own computer (XP) hasn't been infected and I think it may be because my firewall is activated.

If anyone else has anything useful to add I would be very interested, as this is the first virus-infected computer I've ever had to deal with.


 
Natalie
Poland
English to Russian
MODERATOR
Hi Lesley, maybe this information could help: May 9, 2004

SOPHOS ISSUES FREE REMOVAL TOOL FOR SASSER WORM

Sophos has released a free removal tool which
disinfects computers infected by the fast-spreading
Sasser internet worm (W32/Sasser-A and W32/Sasser-B).

The Sasser worm does not spread via email, but exploits
a critical security vulnerability in versions of Microsoft
Windows.


If you are infected by the Sasser worm and wish to download
the free removal tool, or want more information about the
Microsoft security vulnerability it exploits, visit:

http://www.sophos.com/virusinfo/articles/sasser.html


Further information from Microsoft about the Sasser worm
and the security vulnerability can be found at:

http://www.microsoft.com/security/incident/sasser.asp
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx


Home users who do not know if their computers are running
the latest Microsoft security patches should visit the
Microsoft WindowsUpdate website:

http://www.windowsupdate.microsoft.com


PCs which are secured behind properly configured firewalls should not be affected by the Sasser worm.

More info can be found at http://www.sophos.com/

[Edited at 2004-05-09 22:03]


 
Ralf Lemster
Germany
English to German
Win9x systems can be infected, too... May 9, 2004

...as you found out on the system you're analysing.

> Apparently, Sasser only infects Win 2000 and XP. According to Microsoft, one of the symptoms is that the operating system keeps shutting down, but the computer I am trying to sort out doesn't have that problem.

Close, but not quite correct: the various variants of the Sasser worm can infect Win9x/WinME systems, and can spread from there, but its payload won't be effective on these machines: the shutdown behaviour will only occur under Win2k/XP.

> This computer is at my local 'mairie' and is open to the public for Internet access, although not many people use it. It is less than a month old and was working normally about a week ago.

The timing is suspicious, as Sasser was starting to spread last weekend.

> I ran this on the computer at the 'mairie' and it found 29 files infected with the Sasser worm, which I deleted.

Did that program also remove the worm?

> After that, I did manage to access a couple of sites, but it was extremely slow and didn't last long before I couldn't access any sites again.

The worm might well still be active, trying to spread by scanning other machines on the web.

> My own computer (XP) hasn't been infected and I think it may be because my firewall is activated.

Spot on.

More info, including a removal tool, is available from Symantec.

Small consolation: the author of "Sasser" - an 18-year old college student from northern Germany - was arrested yesterday, and has admitted that he developed and spread the worm...

HTH, Ralf


 
LJC (X)
France
French to English
TOPIC STARTER
Thank you Natalie and Ralf May 9, 2004

Thanks for those very useful links Natalie,
particularly the Sophos one with the removal tool.


Hi Ralf,

Thank you too.

Ralf Lemster wrote:

> The timing is suspicious, as Sasser was starting to spread last weekend.

I'm not sure about the exact timing.

> Did that program also remove the worm?

I think so, Stinger says it is a virus/worm remover, not just a detector.

> The worm might well still be active, trying to spread by scanning other machines on the web.

If the worm was removed, I suppose it's possible that the computer got re-infected almost immediately before I could download the patch from Microsoft. I didn't think to run the program again.

> Small consolation: the author of "Sasser" - an 18-year old college student from northern Germany - was arrested yesterday, and has admitted that he developed and spread the worm...


I think his punishment should be to explain himself to every single person individually who has physically suffered through delays in medical treatment caused by his actions, and fully reimburse everyone who has suffered financial loss. Then the men in white coats can have him!

Thanks again to you both,
Lesley


 

