Sasser Reinfection


Has anyone found that Sasser returns after being removed completely and patching the system with the update?
Is the update not working correctly?

Kevin Carter
 
Hi Kevin

Your system shouldn't be re-infected if you have secured it:

"What You Should Know About the Sasser Worm and Its Variants"
http://www.microsoft.com/security/incident/sasser.asp

"How to protect your PC"
http://www.microsoft.com/security/protect/

Which Firewall are you using?

--

Will Denny
MS-MVP Windows - Shell/User


| Has anyone found that Sasser returns after being removed completely and
| patching the system with the update?
| Is the update not working correctly?
|
| Kevin Carter
|
 
Hi

I don't know how your system has become re-infected. Assuming you have the
files to clear Sasser - disconnect your modem, reboot and then clean your
system. Reboot and then check that your system is clean. Re-connect your
modem, reboot - is your system then re-infected?

--

Will Denny
MS-MVP Windows - Shell/User


| Same here -- cleared it up with NAV update, full scan and MS patches.
| All clean yesterday -- today it's back.
| Use only firewall built into XP and NAV.
| What am I doing wrong?
 
Kevin;
Are you thoroughly getting rid of Sasser?
Are you eliminating ALL System Restore points by disabling System
Restore?
Check the configuration of your firewall.
Manually download and install the patch again.
Follow this to be sure:
http://www3.telus.net/dandemar/sasser.htm

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


Kevin said:
Has anyone found that Sasser returns after being removed completely
and patching the system with the update?
 
The computers are not at my house. Everything I run is securely behind a firewall.
The computers people are bringing in are infected.
We remove the worm with the Symantec tool. Patch the system. Remove all restore files. Scan for additional virii.
Then the computer is restarted. We then do a complete scan with Norton and it comes up clean.
The customer takes their computer home and a day or two later they come back in and in the Norton history it shows Sasser. Usually the second time it is in the *_up.exe file.

While I agree a firewall is best, shouldn't these people be protected from being reinfected by Sasser after being patched?

Kevin
 
http://www.microsoft.com/technet/Security/alerts/sasser.msp

----- Kevin Carter wrote: ----

The computers are not at my house. Everything I run is securely behind a firewall.
The computers people are bringing in are infected.
We remove the worm with the Symantec tool. Patch the system. Remove all restore files. Scan for additional virii.
Then the computer is restarted. We then do a complete scan with Norton and it comes up clean.
The customer takes their computer home and a day or two later they come back in and in the Norton history it shows Sasser. Usually the second time it is in the *_up.exe file.

While I agree a firewall is best, shouldn't these people be protected from being reinfected by Sasser after being patched?

Kevin
 
It is not so much that the firewall is best; firewall and patches as well
as antivirus are all necessary for the layered protection.
If Sasser is getting back on, there is no effective firewall AND the
patch is improperly installed and/or damaged.

Look here:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Under "Security Update Information" and verify the files are the
correct versions.

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


Kevin Carter said:
The computers are not at my house. Everything I run is securely behind a firewall.
The computers people are bringing in are infected.
We remove the worm with the Symantec tool. Patch the system.
Remove all restore files. Scan for additional virii.
Then the computer is restarted. We then do a complete scan with Norton and it comes up clean.
The customer takes their computer home and a day or two later they
come back in and in the Norton history it shows Sasser. Usually the
second time it is in the *_up.exe file.
While I agree a firewall is best, shouldn't these people be
protected from being reinfected by Sasser after being patched?
 
The computers are not at my house. Everything I run is securely behind a firewall.
The computers people are bringing in are infected.
We remove the worm with the Symantec tool. Patch the system. Remove all restore files. Scan for additional virii.
Then the computer is restarted. We then do a complete scan with Norton and it comes up clean.
The customer takes their computer home and a day or two later they come back in and in the Norton history it shows Sasser. Usually the second time it is in the *_up.exe file.

While I agree a firewall is best, shouldn't these people be protected from being reinfected by Sasser after being patched?

Are they doing an SR roll-back (you did say you cleared SR) or "repair
install" (losing patches) when they get back? If you are setting the
firewall on and this tangled their LAN, they may be flailing around to
fix that and undoing the patches as a side-effect.

The only other thing I can think of is some sort of pushed policy or
roaming profiles that is undoing your protection, tho AFAIK patches
are system-level and should be safe (dunno about firewall status).

Not true - I can think of something else; a variant of Sasser that
spreads via some alternate method (thinking the Sasser-generation
equivalent of an SDBot.RPC.A here).


---------- ----- ---- --- -- - - - -
Certainty may be your biggest weakness
 