Sasser worm

Kevin

We have some machines in our environment that seem to
have been hit by Sasser this afternoon.

The problem is that I cannot find any of the Sasser
components present on the systems. Many of the machines
scan clear with McAfee Enterprise 7.1.0 and the latest
Stinger but still get a 60 sec countdown. The countdown
seems to be resolved by re-installing the 011 patch, but I
am wondering why I can't find any indication of the
infection. All VirusScan logs are clear.

When I look up the Sasser characteristics, I notice that
the error is slightly different than posted on McAfee's
website. We don't get the LSA Shell error, and the System
shutdown error has a status code of 128 instead of
1073741819. Any ideas? The slight variation in behavior
concerns me.
 
S

Sartan Dragonbane

Kevin, I have rarely seen McAfee Enterprise correctly detect anything in the
first place.
I wouldn't count on an antivirus solution to repair your network anyway.
A suggestion: try a trial version of Norton Antivirus on one of your
desktops and see if it detects it...

As soon as you log in, go to Start, Run, "shutdown -a" to give you a little
bit of time to do some work on an infected PC.

Log on to your computer, and go to Administrative Tools, Services,
Remote Procedure Call (RPC).
Go to the recovery tab, and change all three failures to "Take No Action" so
your computer doesn't reboot while you work on removing whatever virus you
might have.

The bleepin' Sasser worm is an evil polymorphic virus; I'm still trying to
think up a way to surefire remove it automagically.

Good luck, Kevin.
Consider using the XP Firewall on your desktop computers as well, and
investing in a decent firewall for your servers.

Vivek Ahuja

Hi,

Well, to check if your system is infected, a tool on the microsoft.com site
does the job...

As for symptoms: they differ from one antivirus vendor to the next...
actually there are about 5-7 different variants... so don't go by the
definition of just one antivirus...

My experience is that CA eTrust is much better because of a simple fact:
they have 2 engines, use one in online mode and the other for offline /
scheduled scans...

Both have independent development teams, so definitions are also different and
there are more chances of catching worms etc.

But apart from all that... if you have patched your systems on time, no
worries...

Right?

Best option is SUS, which can work in a non-domain environment with no
licenses required. With this I have about 40,000 PCs protected, so I am not
worried about Sasser...

Viper3256

Kevin said:
We have some machines in our environment that seem to
have been hit by Sasser this afternoon.

The problem is that I cannot find any of the Sasser
components present on the systems. Many of the machines
scan clear with McAfee Enterprise 7.1.0 and the latest
Stinger but still get a 60 sec countdown. The countdown
seems to be resolved by re-installing the 011 patch, but I
am wondering why I can't find any indication of the
infection. All VirusScan logs are clear.

When I look up the Sasser characteristics, I notice that
the error is slightly different than posted on McAfee's
website. We don't get the LSA Shell error, and the System
shutdown error has a status code of 128 instead of
1073741819. Any ideas? The slight variation in behavior
concerns me.


I work at a helpdesk and am having the exact same problem. The status
code is 128, and Norton or the Microsoft removal tool cannot find the
virus. The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run
looks clean; I cannot find any sign of the virus except for the
shutdown message. The Microsoft patch fixes this issue, but I want to know
what the virus is. I have 2 users that are remote and cannot get the
7 MB patch due to the shutdowns. They have mostly up-to-date defs, but virus
scan cannot find anything. Isn't dat Veerd!!!!!
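The two manual procedures in this thread (Sartan Dragonbane's "shutdown -a" plus setting the RPC service's recovery actions to "Take No Action", and Viper3256's check of the HKLM Run key) can be scripted so a helpdesk can triage a box in one pass. The script below is an added example written for this page; it is not code posted by anyone in the thread and not a Microsoft or McAfee tool. Its labelled assumptions: PowerShell 2.0 or later is available on the affected host; KB835732 is the hotfix ID of the MS04-011 (LSASS) patch the posters call "the 011 patch"; avserve.exe and avserve2.exe are the Sasser.A/.B dropper names and TCP 5554 and 9996 are the worm's FTP and remote-shell listeners. Other Sasser variants use other file names and are not covered by the indicator list, which is consistent with Vivek Ahuja's point that no single vendor's description fits all variants. The script only reports; it does not delete anything.

```powershell
# Sasser triage - added example for this thread, not a poster's or vendor's code.
# Run from an elevated PowerShell (2.0+) prompt on the affected host.
# ASSUMPTIONS (labelled): KB835732 = MS04-011; avserve.exe/avserve2.exe = Sasser.A/.B
# dropper names; TCP 5554/9996 = the worm's FTP and remote-shell listeners.

$Indicators = @('avserve.exe', 'avserve2.exe')   # assumed Sasser.A/.B file names
$WormPorts  = @('5554', '9996')                  # assumed Sasser listener ports
$Ms04011Kb  = 'KB835732'                         # assumed hotfix ID of MS04-011

function Stop-ShutdownCountdown {
    # Same as Start > Run > "shutdown -a": cancels the 60-second countdown that
    # Windows starts when LSASS crashes.
    shutdown.exe /a 2>$null
    # Equivalent to Services > Remote Procedure Call (RPC) > Recovery > "Take No Action"
    # for all three failures: reset= 0 clears the failure counter, actions= "" = no action.
    sc.exe failure RpcSs reset= 0 actions= ""
}

function Test-Ms04011Installed {
    # The countdown only stops for good once LSASS is patched, so check the hotfix list.
    $hf = Get-HotFix -Id $Ms04011Kb -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Find-SasserRunKey {
    # Compares every value under the Run key against the indicator names instead of
    # eyeballing the key as Viper3256 did.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $hits  = @()
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSProvider etc. are not registry values
            foreach ($name in $Indicators) {
                if ($p.Name -eq $name -or "$($p.Value)" -match [regex]::Escape($name)) {
                    $hits += "$($p.Name) = $($p.Value)"
                }
            }
        }
    }
    return $hits
}

function Find-SasserFiles {
    # The worm copies itself into %WINDIR%; a clean scan with the file still present
    # means the signature, not the worm, is missing.
    $hits = @()
    foreach ($name in $Indicators) {
        $path = Join-Path $env:WINDIR $name
        if (Test-Path $path) { $hits += $path }
    }
    return $hits
}

function Find-SasserListeners {
    # Parse "netstat -ano" rather than Get-NetTCPConnection so this also works on
    # XP/2003-era hosts. Reports which process owns any listener on a worm port.
    $hits = @()
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)') {
            $port = $matches[1]; $procId = [int]$matches[2]
            if ($WormPorts -contains $port) {
                $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                $hits += "TCP $port LISTENING pid=$procId ($($proc.ProcessName))"
            }
        }
    }
    return $hits
}

Stop-ShutdownCountdown
"MS04-011 ($Ms04011Kb) installed: $(Test-Ms04011Installed)"
"Run key hits:  $(@(Find-SasserRunKey)    -join '; ')"
"File hits:     $(@(Find-SasserFiles)     -join '; ')"
"Listener hits: $(@(Find-SasserListeners) -join '; ')"
```

If MS04-011 reports as not installed and none of the indicator checks hit, the host is still exploitable over TCP 445 and the countdown can be re-triggered by any scanning host on the network, which matches the thread's observation that only re-applying the patch stops it. Re-enable the RPC recovery actions (or reboot) once the patch is on.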