Gaobot Worm and LSASS

Thread starter: Johnny_1

From Symantec Security Response:
http://securityresponse.symantec.com/

Gaobot variants exploit Microsoft Windows LSASS Buffer Overrun Vulnerability

Three recent variants of the Gaobot family of worms, specifically W32.Gaobot.AFC, W32.Gaobot.AFJ and W32.Gaobot.AFW, have been discovered to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability.

Just some info, I've seen a lot of posts on this.
John
 
I think I have one of the Gaobot worms. I have been getting NT Authority shutdowns, with Windows32/lsass.exc. Now I was on the internet and Norton notified me they deleted the SSworm. I have been getting updates all week and had a full scan with no infections. If I go to Microsoft and download a patch for this buffer vulnerability and have the worm, what will happen? How do I get rid of this? How do I find out if I am infected?
 
Hi,

How to Tell If Your Computer Is Infected
If your computer is infected with W32.Sasser.worm, you may see a dialog box with text that refers to LSASS.exe. Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include systems rebooting every few minutes without user input.


Mitigation Steps for Affected Computers
If your computer is infected with the W32.Sasser.worm, please do the following:

Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
Disconnect the computer from the Internet.
Restart the computer. If you have problems rebooting, reboot in safe mode.
Press CTRL+ALT+DEL.
Click the Task Manager.
Click the Processes tab.
Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
Click the End Task button.
Click Start.
Click Search and then search for and delete the following files:
C:\WINDOWS\avserve.exe
C:\WINDOWS\system32\*_up.exe
Click Start again, click Run, and then type: regedit32
Click OK.
In Registry Editor, locate and delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
Connect the computer to the Internet.
Go to the Windows Update site, and click the Scan for Updates button.
Download and install the critical updates recommended after the scan.

More info
http://www.microsoft.com/security/incident/sasser.asp

The Stinger tool may also be helpful in detecting and cleaning the Sasser worm.
http://vil.nai.com/vil/stinger/

Download this update
Microsoft Security Bulletin MS04-011
Security Update for Microsoft Windows (835732)
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Good luck
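An added PowerShell check, not from the thread or from Microsoft's page, that looks for the indicators listed in the reply above (the dropped files, the Run value and the MS04-011 update, KB835732) and answers the "how do I find out if I am infected" question without deleting anything; the KB check is only meaningful on the Windows 2000/XP/2003 hosts the bulletin covers.

```powershell
# Added example: report the Sasser indicators quoted in the thread.
# Detection only; nothing is stopped, deleted or changed.
$indicators = @{
    Files    = @("$env:SystemRoot\avserve.exe",
                 "$env:SystemRoot\system32\*_up.exe")
    RunKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    RunValue = 'avserve.exe'
    Hotfix   = 'KB835732'   # MS04-011 (835732) from the reply
}
$findings = @()

# 1. Dropped files named in the removal steps
foreach ($pattern in $indicators.Files) {
    Get-ChildItem -Path $pattern -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "File present: $($_.FullName) ($($_.Length) bytes)"
    }
}

# 2. Autorun persistence under HKLM\...\Run
$run = Get-ItemProperty -Path $indicators.RunKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties[$indicators.RunValue]) {
    $findings += "Run value '$($indicators.RunValue)' = $($run.($indicators.RunValue))"
}

# 3. Running copy of the worm (the Task Manager step, read-only)
Get-Process -Name 'avserve' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += "Process running: $($_.ProcessName) (PID $($_.Id))"
}

# 4. Patch state: the LSASS fix ships as KB835732 on the systems MS04-011 covers.
#    Newer Windows releases include the fix and will not list this KB, so treat
#    a miss there as "not applicable", not as unpatched.
if (-not (Get-HotFix -Id $indicators.Hotfix -ErrorAction SilentlyContinue)) {
    $findings += "Hotfix $($indicators.Hotfix) (MS04-011) not listed as installed"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Sasser indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Run it from an elevated prompt so the registry and process queries are not filtered by permissions.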