blank desktop after log on to Windows 2000

John Gauthier

My Win2000 server displays no desktop, taskbar or start button after logging
in as administrator. All I get is the default light blue wallpaper.

This seems to have happened after being struck by the lasser virus.

Ctrl - alt - del or the right click does not work. Safe mode gives me a
desktop, so I have access to the registry etc.

The machine works as it should (email server for 50+ domains), FTP access
works etc.

I have already tried the suggestions from MS in KB836417, 256194 and 162031.


Any help would be appreciated.

John Gauthier
 
dcdon

Hi John,

First do this.
Go here and run this online virus scan by Symantec. (I'm not a huge fan of
Symantec/Norton, but they dot all the "T's" and cross their "Eyes's".)
http://securityresponse.symantec.com/ (look under virus definitions) (it
takes about 15 minutes)

If you have any results greater than ZERO, print it and start on it one at a
time with Google searches (there is a multiplicity of infections known as
Sasser).

If you do have it right, Lasser versus Sasser, just do a Google search with
the real name of the infection, and find the Symantec fix sheet(s).


To do a search... for the Sasser Worm:
http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=Sasser+Virus&btnG=Search
(hint: choose the Symantec fix sheet) (Print it) (Do everything it says in that
order, or you will be in deep "caca" again)




Probably would be good to do an Inplace Upgrade. Here are links I have.
(Repair Install)

How to Perform an Inplace Upgrade:
http://support.microsoft.com/default.aspx?kbid=292175

What this does and does not affect:
http://support.microsoft.com/default.aspx?kbid=306952

How to expand the Boot Partition while performing an Inplace Upgrade:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q289876

Must have Administrator Privileges

Good Computing,
don



Before doing this you can try a couple of Commandline Commands:
Start
Run...
"type" SFC /SCANNOW<enter>

afterward
Start
Run...
"type" CHKDSK /R

I'm sure you already knew all of this, but by the remote instance that it
helps...

don
:blush:)

=========================

I guess I had better get this all right...

Go to www.spychecker.com, d/l an AVP (antivirus program) (one, AVG by Grisoft,
is really good and not complicated or invasive), a software firewall like
Zone Alarm works (I'd get "Pro" to make it have all the bells and whistles),
Adaware (for spyware), SpyBot S&D (for malware), HijackThis (for quite a bit
of junk).

=========================

I'm sure you already know most of this but just in case:
If you have been hacked, don't think about an Inplace Upgrade; start
thinking of starting from scratch. I am going to post along with this, right
under this, a recent article that I read, and it made me drive even slower.
hehe (but not for long)
Here goes: (Yes, the little cute table is mine) (but the information is not by
me)

Cleaning a Compromised System
So, you didn’t patch the system and it got hacked. What to do? Well,
let’s see:
• You can’t clean a compromised system by patching it. Patching
only removes the vulnerability. Upon getting into your system, the attacker
probably ensured that there were several other ways to get back in.

• You can’t clean a compromised system by removing the back
doors. You can never guarantee that you found all the back doors the
attacker put in. The fact that you can’t find any more may only mean you
don’t know where to look, or that the system is so compromised that what you
are seeing is not actually what is there.

• You can’t clean a compromised system by using some
“vulnerability remover.” Let’s say you had a system hit by Blaster. A number
of vendors (including Microsoft) published vulnerability removers for
Blaster. Can you trust a system that had Blaster after the tool is run? I
wouldn’t. If the system was vulnerable to Blaster, it was also vulnerable to
a number of other attacks. Can you guarantee that none of those have been
run against it? I didn’t think so.

• You can’t clean a compromised system by using a virus scanner.
To tell you the truth, a fully compromised system can’t be trusted. Even
virus scanners must at some level rely on the system to not lie to them. If
they ask whether a particular file is present, the attacker may simply have
a tool in place that lies about it. Note that if you can guarantee that the
only thing that compromised the system was a particular virus or worm and
you know that this virus has no back doors associated with it, and the
vulnerability used by the virus was not available remotely, then a virus
scanner can be used to clean the system. For example, the vast majority of
e-mail worms rely on a user opening an attachment. In this particular case,
it is possible that the only infection on the system is the one that came
from the attachment containing the worm. However, if the vulnerability used
by the worm was available remotely without user action, then you can’t
guarantee that the worm was the only thing that used that vulnerability. It
is entirely possible that something else used the same vulnerability. In
this case, you can’t just patch the system.

• You can’t clean a compromised system by reinstalling the
operating system over the existing installation. Again, the attacker may
very well have tools in place that tell the installer lies. If that happens,
the installer may not actually remove the compromised files. In addition,
the attacker may also have put back doors in non-operating system
components.

• You can’t trust any data copied from a compromised system.
Once an attacker gets into a system, all the data on it may be modified. In
the best-case scenario, copying data off a compromised system and putting it
on a clean system will give you potentially untrustworthy data. In the
worst-case scenario, you may actually have copied a back door hidden in the
data.

• You can’t trust the event logs on a compromised system. Upon
gaining full access to a system, it is simple for an attacker to modify the
event logs on that system to cover any tracks. If you rely on the event logs
to tell you what has been done to your system, you may just be reading what
the attacker wants you to read.

• You may not be able to trust your latest backup. How can you
tell when the original attack took place? The event logs cannot be trusted
to tell you. Without that knowledge, your latest backup is useless. It may
be a backup that includes all the back doors currently on the system.

• The only way to clean a compromised system is to flatten and
rebuild. That’s right. If you have a system that has been completely
compromised, the only thing you can do is to flatten the system (reformat
the system disk) and rebuild it from scratch (reinstall Windows and your
applications). Alternatively, you could of course work on your resume
instead, but I don’t want to see you doing that.




The guy is dead serious about your data and files implanted with another
entrance after you spend a whole weekend, if you have all the stuff you
need.

===============================


My Win2000 server displays no desktop, taskbar or start button after logging
in as administrator. All I get is the default light blue wallpaper.

This seems to have happened after being struck by the lasser virus.

Ctrl - alt - del or the right click does not work. Safe mode gives me a
desktop, so I have access to the registry etc.

The machine works as it should (email server for 50+ domains), FTP access
works etc.

I have already tried the suggestions from MS in KB836417, 256194 and 162031.


Any help would be appreciated.

John Gauthier
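The quoted article's central point is that a compromised system cannot be asked about itself: the file API, the virus scanner and the event log all run on top of code the attacker may have replaced. The usual way to check that claim in practice is a cross-view comparison: hash the files once from inside the running system, hash them again with the disk mounted from trusted boot media, and compare both against a manifest stored off the box at install time. The script below is an added example written for this thread, not code from the post or from any Microsoft article; every path and hash in it is constructed sample data, and the "live" and "offline" views are hard-coded dictionaries standing in for the two real scans.

```python
"""Cross-view integrity check (added example, constructed data).

Three views of the same files:
  BASELINE     - hash manifest taken at install time and kept off the box
  LIVE_VIEW    - what the running (possibly rootkitted) OS reports
  OFFLINE_VIEW - what a read of the disk from trusted boot media finds
A disagreement between LIVE_VIEW and OFFLINE_VIEW shows the live system is
lying; a disagreement between OFFLINE_VIEW and BASELINE shows real change.
"""
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (stands in for hashing a real file)."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: the one copy the attacker could not have edited.
BASELINE: Dict[str, str] = {
    r"C:\WINNT\explorer.exe": sha256_hex(b"explorer-v1"),
    r"C:\WINNT\system32\lsass.exe": sha256_hex(b"lsass-v1"),
    r"C:\WINNT\system32\svchost.exe": sha256_hex(b"svchost-v1"),
}

# Constructed: answers from the live system's own file API. A kernel-level
# rootkit can filter this view, so it shows what the attacker wants seen.
LIVE_VIEW: Dict[str, str] = {
    r"C:\WINNT\explorer.exe": sha256_hex(b"explorer-v1"),
    r"C:\WINNT\system32\lsass.exe": sha256_hex(b"lsass-v1"),
    r"C:\WINNT\system32\svchost.exe": sha256_hex(b"svchost-v1"),
}

# Constructed: the same disk read while the compromised OS is not running.
OFFLINE_VIEW: Dict[str, str] = {
    r"C:\WINNT\explorer.exe": sha256_hex(b"explorer-v1"),
    r"C:\WINNT\system32\lsass.exe": sha256_hex(b"lsass-v1"),
    r"C:\WINNT\system32\svchost.exe": sha256_hex(b"svchost-replaced"),
    r"C:\WINNT\system32\drivers\hidden.sys": sha256_hex(b"unknown-driver"),
}


def cross_view_check(live: Dict[str, str], offline: Dict[str, str],
                     baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the three views and bucket every discrepancy by what it proves."""
    findings: Dict[str, List[str]] = {
        "hidden_from_live": [],          # on disk, but the live OS denies it
        "live_reports_false_hash": [],   # live OS returns a different hash
        "modified_vs_baseline": [],      # offline hash differs from manifest
        "missing_on_disk": [],           # in manifest, gone from disk
        "not_in_baseline": [],           # new file; needs review, not proof
    }
    for path, off_hash in offline.items():
        if path not in live:
            findings["hidden_from_live"].append(path)
        elif live[path] != off_hash:
            findings["live_reports_false_hash"].append(path)
        base_hash = baseline.get(path)
        if base_hash is None:
            findings["not_in_baseline"].append(path)
        elif base_hash != off_hash:
            findings["modified_vs_baseline"].append(path)
    for path in baseline:
        if path not in offline:
            findings["missing_on_disk"].append(path)
    return {k: sorted(v) for k, v in findings.items()}


def system_is_trustworthy(findings: Dict[str, List[str]]) -> bool:
    """False as soon as any view contradicts another or the manifest.
    New files alone are reported for review but do not by themselves fail."""
    hard = ("hidden_from_live", "live_reports_false_hash",
            "modified_vs_baseline", "missing_on_disk")
    return not any(findings[k] for k in hard)


if __name__ == "__main__":
    result = cross_view_check(LIVE_VIEW, OFFLINE_VIEW, BASELINE)
    for bucket, paths in result.items():
        for p in paths:
            print(f"{bucket:26s} {p}")
    print("trustworthy:", system_is_trustworthy(result))
```

In the constructed data the live view agrees with the manifest on every file, which is exactly the result a scanner running on the box would report; only the offline read shows that svchost.exe has been replaced and that a driver the live system never lists is present. That gap between the two views is the evidence the article is describing, and once it exists the only remaining question is what to restore from, not what to clean.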
 
dcdon

Also found this from M$...
http://www.microsoft.com/security/incident/sasser.mspx

 
