Sasser.A/B/C/D/E/F Worm Removal Tool
Dark Biene
Super Moderator
Post: #1
Sasser.A/B/C/D/E/F Worm Removal Tool

Quote:
A situation has been identified where the Sasser.A or Sasser.B worms could have infected some systems before the application of MS04-011 [KB835732]. This tool will help remove the Sasser.A and Sasser.B worms from these systems. For systems with MS04-011 [KB835732], no further action is needed once this tool is installed. Install this tool to help remove this worm from your PC.


DirectDownload via Microsoft: Link
for latest release

update:
Version 3.0 - Released 5/9/04. Added detection/removal for Sasser.E.
Version 4.0 - Released 5/11/04. Added detection/removal for Sasser.F.


Intel Q6600 @3,6Ghz@FSB400 - Watercooled
8800GTX - Watercooled
Gigabyte X38 DQ6 - Watercooled
2x2GB OCZ Platinum 800 @1066Mhz@5-5-5-15
2x320GB Seagate RAID0 @ TX2300 - Watercooled
Audigy 2 ZS @ Creative 5400 5.1

This post was last modified: 05-12-2004 12:04 PM by Dark Biene.

05-03-2004 11:29 AM
Dark Biene
Super Moderator
Post: #2
 

btw:
for all ppl that are interested :

Quote:
Indications of Infection

The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe

As the worm scans random IP addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win.log is created on the root of the C: drive. This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as mybb_up.exe.

Examples

* c:\WINDOWS\system32\11583_up.exe
* c:\WINDOWS\system32\16913_up.exe
* c:\WINDOWS\system32\29739_up.exe

Method of Infection

This worm spreads by exploiting a recent Microsoft vulnerability, spreading from machine to machine with no user intervention required.

This worm scans random IP addresses for exploitable systems. When one is found, the worm exploits the vulnerable system, by overflowing a buffer in LSASS.EXE. It creates a remote shell on TCP port 9996. Next it creates an FTP script named cmd.ftp on the remote host and executes it. This FTP script instructs the target victim to download and execute the worm (with the filename mybb_up.exe as aforementioned) from the infected host. The infected host accepts this FTP traffic on TCP port 5554.

The worm spawns multiple threads, some of which scan the local class A subnet, others the class B subnet, and others completely random subnets. The destination port is TCP 445.


05-04-2004 05:49 AM
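The indicators listed in the quoted advisory above, turned into a triage check over artifacts collected from a host: a file listing, the values of the Run key and `netstat -an` output. This is an added example, not part of the original posts and not Microsoft's removal tool; the function names, the `winnt` directory name and the sample inputs are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath
# Indicators from the advisory quoted in the thread.
RUN_VALUE = "avserve.exe"                      # value under HKLM\...\CurrentVersion\Run
DROPPED = re.compile(r"^(\d+|mybb)_up\.exe$")  # e.g. 11583_up.exe; the page names it mybb_up.exe
PORTS = {5554: "FTP server", 9996: "remote shell"}
WINDIRS = {"windows", "winnt"}                 # "winnt" is an assumption for Windows 2000

def check_files(paths):
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)                # parses Windows paths on any OS
        name, parent = wp.name.lower(), wp.parent.name.lower()
        if name == "avserve.exe" and parent in WINDIRS:
            hits.append(("worm-binary", str(wp)))
        elif name == "win.log" and str(wp.parent).lower() == "c:\\":
            hits.append(("win.log", str(wp)))
        elif DROPPED.match(name) and parent == "system32":
            hits.append(("dropped-copy", str(wp)))
    return hits

def check_run_key(values):
    """values: {value name: data} exported from the Run key."""
    return [("run-key", f"{n} = {d}") for n, d in values.items()
            if RUN_VALUE in (n.lower(), PureWindowsPath(d.strip('"')).name.lower())]

def check_listeners(netstat_text):
    """Find TCP listeners on the worm's service ports; header and UDP lines are skipped."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in PORTS:
                hits.append(("listener", f"{port}/tcp {PORTS[port]}"))
    return hits

def triage(files, run_values, netstat_text):
    return check_files(files) + check_run_key(run_values) + check_listeners(netstat_text)

# Constructed sample inputs (not captured from a real host).
SAMPLE_FILES = [r"C:\WINDOWS\avserve.exe", r"C:\win.log", r"C:\WINDOWS\system32\11583_up.exe",
                r"C:\WINDOWS\system32\setup.exe", r"D:\tools\win.log"]
SAMPLE_RUN = {"avserve.exe": r"C:\WINDOWS\avserve.exe", "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
"""
```

Calling `triage(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_NETSTAT)` returns six findings; the port 445 listener, `setup.exe` and `D:\tools\win.log` are not flagged.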
Mertsch
Super Moderator
Post: #3
 

The tool got updated supporting all 4 versions

Quote:
Release History:

* Version 1.0 - Released 5/2/04. Detected and removed Sasser.A and Sasser.B.

* Version 2.0 - Released 5/4/04. Added detection/removal for Sasser.C and Sasser.D.


http://www.microsoft.com/downloads/detai...laylang=en



Avatar and signature by Eckpert @ Kackebeus.de
05-05-2004 07:19 AM
Dark Biene
Super Moderator
Post: #4
 

thanx for updating !


05-05-2004 11:14 AM
Mertsch
Super Moderator
Post: #5
 

huh ? updating ... what updating ? ..
it wasn't me ...
must be the W2S geek hacked into my account ...
LMAO



05-05-2004 05:21 PM
Dark Biene
Super Moderator
Post: #6
 

another update:
Sasser (A-F) Worm Removal Tool (KB841720)

Version 4.0 - Released 5/11/04. Added detection/removal for Sasser.F.

Link to Microsoft


05-12-2004 12:00 PM