What steps to prevent Sasser infection while downloading the fix?


Piotr Makley

If someone has not patched their PC with Microsoft's fix then maybe
they will get infected with Sasser when they connect to the Net to
actually download the fix for Sasser!

Are there any steps that can be taken to allow the Sasser fix to be
downloaded but which will prevent Sasser from infecting the
machine?

Maybe switch off some of the Component Services?
Maybe enable your firewall to a "high" level of security?
Maybe rename some EXE or DLL file until the fix is installed?
etc
 
Piotr said:
If someone has not patched their PC with Microsoft's fix then maybe
they will get infected with Sasser when they connect to the Net to
actually download the fix for Sasser!

Are there any steps that can be taken to allow the Sasser fix to be
downloaded but which will prevent Sasser from infecting the
machine?

Maybe switch off some of the Component Services?
Maybe enable your firewall to a "high" level of security?
Maybe rename some EXE or DLL file until the fix is installed?
etc
 
Firewall your system. Then download the patch.

--
Regards:

Richard Urban

aka Crusty (-: Old B@stard :-)
 
Also be aware that there is a new Netsky worm variant
(Netsky-AC) just out that claims to be able to "fix" the
Sasser worm vulnerability!

Of course it comes with an attachment that once clicked
deploys its own payload to cause yet more problems...

http://www.sasser-worm.com

Marc Liron
Microsoft MVP
http://www.updatexp.com
 
If they are connected to broadband such as DSL or cable, get a Cable/DSL Router such as the
Linksys BEFSR41. On the Router block TCP/UDP Ports 135~139 and 445

Dave



| If someone has not patched their PC with Microsoft's fix then maybe
| they will get infected with Sasser when they connect to the Net to
| actually download the fix for Sasser!
|
| Are there any steps that can be taken to allow the Sasser fix to be
| downloaded but which will prevent Sasser from infecting the
| machine?
|
| Maybe switch off some of the Component Services?
| Maybe enable your firewall to a "high" level of security?
| Maybe rename some EXE or DLL file until the fix is installed?
| etc
 
Piotr said:
If someone has not patched their PC with Microsoft's fix then maybe
they will get infected with Sasser when they connect to the Net to
actually download the fix for Sasser!

Are there any steps that can be taken to allow the Sasser fix to be
downloaded but which will prevent Sasser from infecting the
machine?

Maybe switch off some of the Component Services?
Maybe enable your firewall to a "high" level of security?
Maybe rename some EXE or DLL file until the fix is installed?
etc
Hi

Take a look at this article:

http://www.microsoft.com/technet/Security/alerts/sasser.mspx
 
Block all incoming ports while you download the patch.

Also, if your PC keeps rebooting while you download, then you could try this
batch file

ns.bat

:loop
shutdown -a
goto loop
 
Blocking all ports with a firewall is good advice.

The batch file you suggest will not stop the reboot if it comes from Sasser.

Unplugging the network connection, starting in safe mode, and getting a
firewall up should work, but there are detailed instructions for Windows
2000 in my message subject header:

"Instructions for patching and removing the Sasser worm...." posted earlier
today.
 
Hello,
Blocking all ports with a firewall is good advice.

The batch file you suggest will not stop the reboot if it comes from Sasser.

The F-Secure tool which was published today to detect and remove Sasser
a > d also prevents the system from rebooting by creating

%SystemRoot%\Debug\dcpromo.log

with -r attributes.

Ian.
 
Hello,
Blocking all ports with a firewall is good advice.

The batch file you suggest will not stop the reboot if it comes from Sasser.

The F-Secure tool which was published today to detect and remove Sasser
a > d also prevents the system from rebooting by creating

%SystemRoot%\Debug\dcpromo.log

with -r attributes.

this is available from ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe

Ian.
 
Bill said:
The batch file you suggest will not stop the reboot
if it comes from Sasser.
Hi

Microsoft states that “shutdown.exe -a” can be used on WinXP
for the reboot caused by the LSASS.EXE crash, from
http://www.microsoft.com/technet/Security/alerts/sasser.mspx

<quote>
If your computer is vulnerable to the worm, the worm may cause
LSASS.EXE to crash which will force the operating system to
shutdown after 60 seconds. This shutdown can be aborted on
Windows XP systems by using the built-in “shutdown.exe -a” command.
</quote>
 
Apologies, Spacen--Torgeir is correct, and I'm mistaken--on XP, shutdown -a
should halt the Sasser shutdown, according to Microsoft's documentation.
 
While all the advice for a firewall is fine and a genuine solution, it
leaves me puzzled.
I always check the connectivity to the internet first, then install the
firewall. Am I missing something?
 
Lil' Dave said:
While all the advice for a firewall is fine and a genuine solution, it
leaves me puzzled.
I always check the connectivity to the internet first, then install the
firewall. Am I missing something?

You can check the connectivity using something non-vulnerable, such as a
router. However, if you plug a vulnerable Windows box into the hostile
Internet, even just for a few seconds of testing, you run a high risk of
having it cracked.

Follow-ups set.

Thor
 
The voice of "Piotr Makley" drifted in on the cyber-winds,
from the sea of virtual chaos...
Are there any steps that can be taken to allow the Sasser fix to be
downloaded but which will prevent Sasser from infecting the
machine?


Turn on XP's built in firewall...

Or if you have an available Linksys; block ports "135-139", "445", &
"1025" using the filters page from a Win98 or patched XP PC:

http://www.dragonfur.ca/nowhere/LSfilter.png
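
Added example, not part of any post in this thread: a Python check that the firewall advice above is actually in effect, by auditing a firewall log for inbound traffic to the ports named in the replies (135-139, 445, 1025). It assumes a W3C-style text log with a `#Fields:` header of the kind the Windows firewall writes when logging is enabled; the sample lines, the IP addresses and the function name `audit` are constructed for illustration.

```python
# Ports the thread's replies say to block: 135-139, 445 and 1025.
WORM_PORTS = set(range(135, 140)) | {445, 1025}

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-05-03 10:15:01 DROP TCP 198.51.100.7 192.0.2.10 3155 445 48 S 1 0 16384 - - -
2004-05-03 10:15:04 DROP TCP 198.51.100.9 192.0.2.10 4021 135 48 S 1 0 16384 - - -
2004-05-03 10:15:09 OPEN TCP 192.0.2.10 203.0.113.80 1040 80 - - - - - - - -
2004-05-03 10:15:12 OPEN TCP 198.51.100.7 192.0.2.10 3160 445 - - - - - - - -
2004-05-03 10:15:20 DROP UDP 198.51.100.3 192.0.2.10 1026 137 78 - - - - - - -
"""


def audit(log_text, local_ip):
    """Return (dropped, allowed): per-port counts of inbound hits on WORM_PORTS."""
    fields, dropped, allowed = [], {}, {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names come from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("dst-ip") != local_ip:      # only traffic aimed at this machine
            continue
        try:
            port = int(rec.get("dst-port", ""))
        except ValueError:                     # "-" or a malformed line
            continue
        if port not in WORM_PORTS:
            continue
        action = rec.get("action")
        bucket = dropped if action == "DROP" else allowed if action == "OPEN" else None
        if bucket is not None:
            bucket[port] = bucket.get(port, 0) + 1
    return dropped, allowed


if __name__ == "__main__":
    dropped, allowed = audit(SAMPLE_LOG, "192.0.2.10")
    print("dropped:", dropped)
    print("ALLOWED (firewall rule missing):", allowed)
```

Any entry in `allowed` means an inbound connection reached one of these ports, so the block rule is not working and the machine should come off the network before continuing.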
 
