A Windows XP help forum. PCbanter


What is connected to which?



 
 
  #1  
Old November 22nd 04, 10:57 PM
kiadau
external usenet poster
 
Posts: n/a
Default What is connected to which?

I posted yesterday but so far no answers. Maybe my post is too confusing.
Will try to clarify:

I am trying to find answers to a problem and to find whether the problem is
connected to downloading Service Pack 2 or if it is connected to something else.

It began when I went to a site I visit daily and have no problems accessing
normally. However, this time I got a message that I was unable to connect to
the server. It said that it is possible that I might 1) not be connected to the
internet - which I was, 2) not be signed in - which I was, and 3) have a stale file
in my cache. This last I did not know the meaning of, so I came over to the
Microsoft site to look up what it meant. Several files or articles talked
about updating service packs and since I had not done that yet with this new
XP I d/l service pack 2. It auto installed.

At some point during the night, though I cannot recall if it was before or
after this d/l, I got a request from my firewall for LSA shell (export
version) to access the internet. Since I had never encountered this before
and did not know what LSA shell was, I denied access.

I put LSA shell into the Microsoft search engine and came up with articles
telling me that it was a worm. I immediately updated my virus definitions and
did a scan of the system. It came back that there was no infection. A search
of my computer does show the lsass.exe application in c:\windows\system32 as well
as, in the doc and settings folder (temp internet folder), sasser, sasser1,
sasser2 and another file with the same 'address' 199.239.233.2 calling itself
'virus removal utilities by
online...' I also went to my virus scan site to find out what the sasser
worm does and there was no information on it at the site.

I do not know why the anti virus program did not find these, nor do I know
if they are connected to the Service Pack d/l or to something else and if the
stale file in cache is connected in some way to all of this. Can anyone help
me?

dazed and confused here.

  #2  
Old November 22nd 04, 11:10 PM
David Candy
external usenet poster
 
Posts: n/a
Default What is connected to which?

There's lots of variants.


W32.Sasser.Worm
Discovered on: April 30, 2004
Last Updated on: July 27, 2004 11:20:39 AM

W32.Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning the randomly selected IP addresses for vulnerable systems.



--------------------------------------------------
Notes:
a.. Rapid Release virus definitions, version 30/04/04 rev 70 (20040430.070) and greater, detect this threat.
b.. This worm has an MD5 hash value of 0xA73C16CCD0B9C4F20BC7842EDD90FC20.

--------------------------------------------------

W32.Sasser.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect the vulnerable systems to which they are able to connect. In this case, the worm will waste a lot of resources so that programs cannot properly run, including our removal tool. (On Windows 95/98/Me computers, run the tool in Safe mode.)

Security Response has provided some information to aid network administrators in ongoing efforts to track down W32.Sasser.Worm infected machines on their respective network. Please see the document, "Detecting traffic due to LSASS worms" for additional information.


Also Known As: W32/Sasser.worm.a [McAfee], WORM_SASSER.A [Trend], Worm.Win32.Sasser.a [Kaspersky], W32/Sasser-A [Sophos], Win32.Sasser.A [Computer Associates], Sasser [F-Secure], W32/Sasser.A.worm [Panda]

Type: Worm
Infection Length: 15,872 bytes



Systems Affected: Windows 2000, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 3.x, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003
CVE References: CAN-2003-0533

Wild

a.. Number of infections: 50 - 999
b.. Number of sites: More than 10
c.. Geographical distribution: High
d.. Threat containment: Easy
e.. Removal: Moderate


Damage

a.. Payload Trigger: n/a
b.. Payload: n/a
a.. Large scale e-mailing: n/a
b.. Deletes files: n/a
c.. Modifies files: n/a
d.. Degrades performance: Causes significant performance degradation.
e.. Causes system instability: n/a
f.. Releases confidential info: n/a
g.. Compromises security settings: n/a
Distribution

a.. Subject of email: n/a
b.. Name of attachment: n/a
c.. Size of attachment: n/a
d.. Time stamp of attachment: n/a
e.. Ports: TCP 445, 5554, 9996
f.. Shared drives: n/a
g.. Target of infection: Unpatched systems vulnerable to LSASS exploit - MS04-011.


When W32.Sasser.Worm runs, it does the following:

1.. Attempts to create a mutex named Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.


2.. Copies itself as %Windir%\avserve.exe.


------------------------------------------------------
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
------------------------------------------------------


3.. Adds the value:

"avserve.exe"="%Windir%\avserve.exe"

to the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the worm runs when you start Windows.


4.. Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.


5.. Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.


6.. Retrieves the IP addresses of the infected computer, using the Windows API, gethostbyname.


------------------------------------------------------
Note: The worm will ignore any of the following IP addresses:

a.. 127.0.0.1
b.. 10.x.x.x
c.. 172.16.x.x - 172.31.x.x (inclusive)
d.. 192.168.x.x
e.. 169.254.x.x
----------------------------------------------------


7.. Generates another IP address, based on one of the IP addresses retrieved from the infected computer.

a.. 25% of the time, the last two octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 6, C and D will be random.
b.. 23% of the time, the last three octets of the IP address are changed to random numbers. For example, if A.B.C.D is the IP address retrieved in step 6, B, C, and D will be random.
c.. 52% of the time, the IP address is completely random.


----------------------------------------------------
Notes:
d.. Because the worm creates a completely random address 52% of the time, any IP address can be infected, including those ignored in step 6.
e.. This process is made up of 128 threads, which demands a lot of CPU time. As a result, an infected computer may become so slow as to be barely usable.
----------------------------------------------------


8.. Connects to the generated IP address on TCP port 445 to determine if a remote computer is online.


9.. If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.


10.. Uses the shell on the remote computer to reconnect to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.


11.. The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display an alert and shut down the system in one minute.


12.. Creates a file at C:\win.log that contains the IP address of the computer that the worm most recently attempted to infect, as well as the number of infected computers.


Symantec Gateway Security 5400 Series and Symantec Gateway Security v1.0
a.. Antivirus component: An update for the Symantec Gateway Security AntiVirus engine to protect against the W32.Sasser.Worm is now available. We advise Symantec Gateway Security 5000 Series users to run LiveUpdate.
b.. IDS/IPS component: A signature for the Symantec Gateway Security 5400 Series that detects attacks against the Microsoft LSASS vulnerability was included in SU 8 released on April 14. A signature to detect the attacks against the Microsoft LSASS vulnerability on SGS v1.0 has been released. We advise Symantec Gateway Security 5000 Series users to run LiveUpdate.
c.. Full application inspection firewall component: By default, Symantec's full application inspection firewall technology protects against the W32.Sasser.Worm by blocking attackers from accessing TCP/445, and the backdoor ports on infected systems (TCP/5554, TCP/9996). We urge Administrators to verify that their security policies do not allow inbound traffic to those ports.

Symantec Enterprise Firewall 8.0
By default, Symantec's full application inspection firewall technology protects against the W32.Sasser.Worm by blocking attackers from accessing TCP/445, and the backdoor ports on infected systems (TCP/5554, TCP/9996). We urge Administrators to verify that their security policies do not allow inbound traffic to those ports.

Symantec Enterprise Firewall 7.0.x and Symantec VelociRaptor 1.5
By default, Symantec's full application inspection firewall technology protects against the W32.Sasser.Worm by blocking attackers from accessing TCP/445, and the backdoor ports on infected systems (TCP/5554, TCP/9996). We urge Administrators to verify that their security policies do not allow inbound traffic to those ports.

Symantec Clientless VPN Gateway 4400 Series
This threat does not affect Symantec Clientless VPN Gateway v5.0. By default, the security gateway blocks access to TCP ports 445, 5554, and 9996.

Symantec Gateway Security 300 Series
By default, Symantec's stateful inspection firewall technology prevents an attacker from accessing TCP/445 on internal systems and the backdoor ports on infected systems (TCP 5554, 9996). We urge Administrators to verify that their security policy does not allow TCP/445, TCP/5554, TCP/9996 inbound and to use the AVpe feature of the SGS 300 series to make sure that all their antivirus clients are up-to-date with the most current virus definitions.

Symantec Firewall/VPN 100/200 Series
By default, Symantec's stateful inspection firewall technology prevents an attacker from accessing TCP/445 on internal systems and the backdoor ports on infected systems (TCP/5554, TCP/9996).

Symantec Client Security
Symantec has released a patch for Symantec Client Security 1.x and 2.0 that will identify the LSASS exploit with the MS_Windows_LSASS_RPC_DS_Request signature present in the infection attempt. If the Sasser worm application already exists on the system, all versions of Symantec Client Security with the default firewall policy will prompt the user to Permit/Block/Configure a rule for the worm when it tries to start the FTP server and send outbound data.

Virus definitions that provide protection against the worm are available through LiveUpdate or Intelligent Updater as of May 1, 2004.

Symantec Security Response offers these suggestions on how to configure Symantec products in order to minimize your exposure to this threat.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

a.. Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
b.. If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
c.. Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
d.. Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
e.. Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
f.. Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
g.. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


Before you begin:
If you are running Windows 2000 or XP, and have not yet done so, you must patch for the vulnerability described in Microsoft Security Bulletin MS04-011. If you do not, it is likely that your computer will continue to be reinfected.

What to do if the computer shuts down before you can patch or get the tool
This threat can cause Windows to keep shutting down and restarting. This can prevent you from installing the Microsoft patch or downloading the tool described below.


------------------------------------------------------
Notes:
a.. You may have to try this several times, as you only have about 20 seconds to do steps 3 to 6.
b.. This will not work on Windows 2000.
------------------------------------------------------


To prevent the shut down, do the following:

1.. Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.)
2.. Restart the computer.
3.. As soon as Windows opens and you see the Windows desktop, click Start Run.
4.. Type:

cmd

and press Enter.


5.. Type:

shutdown -i

and press Enter.


6.. In the Remote Shutdown Dialog that opens, do the following:

1.. Click Add, type your computer name into the Add Computers dialog box, and then click OK.
2.. In the "Display warning for" field, type 9999.
3.. Type the following text in the Comment box:

Delay Lsass.exe shutdown.


4.. Click OK.


7.. Reconnect the network/Internet connection.
8.. Connect to the Internet, and get the patch. Then continue with the steps described below.

When you have patched your computer and removed the threat, you can re-enable the 20 second default warning if you wish.


Removal using the W32.Sasser Removal Tool
Symantec Security Response has developed a removal tool to clean the infections of W32.Sasser.Worm. Use this tool first, as it is the easiest way to remove this threat.

Manual Removal
The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1.. End the malicious process (Windows NT/2000/XP).
2.. Disable System Restore (Windows XP).
3.. Update the virus definitions.
4.. Run a full system scan and delete all the files detected as W32.Sasser.Worm.
5.. Reverse the change made to the registry.

For details on each of these steps, read the following instructions.

1. To end the malicious process
On Windows NT/2000/XP computers, you must first end the malicious process. Follow these instructions:
1.. Press Ctrl+Alt+Delete once.
2.. Click Task Manager.
3.. Click the Processes tab.
4.. Double-click the Image Name column header to alphabetically sort the processes.
5.. Scroll through the list and look for the following processes:
a.. avserve.exe
b.. any process with a name consisting of four or five digits, followed by _up.exe (for example, 74354_up.exe).
6.. If you find any such process, click it, and then click End Process.
7.. Exit the Task Manager.

2. To disable System Restore (Windows XP)
If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

For instructions on how to turn off System Restore, read your Windows documentation, or "How to turn off or turn on Windows XP System Restore"

--------------------------------------------------------
Note: When you are completely finished with the removal procedure and are satisfied that the threat has been removed, re-enable System Restore by following the instructions in the aforementioned documents.
--------------------------------------------------------

3. To update the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:

a.. Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
b.. Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

4. To scan for and delete the infected files
1.. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
a.. For Norton AntiVirus consumer products: Read the document, "How to configure Norton AntiVirus to scan all files."
b.. For Symantec AntiVirus Enterprise products: Read the document, "How to verify that a Symantec Corporate antivirus product is set to scan all files."
2.. Run a full system scan.
3.. If any files are detected as infected with W32.Sasser.Worm, click Delete.

5. To reverse the change made to the registry


--------------------------------------------------------
WARNING: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.
--------------------------------------------------------

1.. Click Start, and then click Run. (The Run dialog box appears.)
2.. Type regedit

Then click OK. (The Registry Editor opens.)


3.. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run


4.. In the right pane, delete the value:

"avserve.exe"="%Windir%\avserve.exe"


5.. Exit the Registry Editor.


Revision History:


a.. May 26, 2004: Added link to document with information about LSASS related traffic.
b.. May 16, 2004. Updated Step 6 of "What to do if the computer shuts down before you can patch or get the tool" for clarity.
c.. May 12, 2004: Downgraded from Category 3 to Category 2 based on decreased rate of submissions.
d.. May 3, 2004:
a.. Updated alias information.
b.. Added Symantec Product Information.
e.. May 1, 2004:
a.. Upgraded to Category 3, based on an increased submission rate.
b.. Included link to removal tool.



Write-up by: Takayoshi Nakayama and Fergal Ladley

--
----------------------------------------------------------
http://www.uscricket.com
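The write-up above describes what an infected host's traffic looks like: TCP/445 connection attempts to addresses that are fully random 52% of the time and random within the local /8 another 23%, a remote shell pushed to the victim on TCP/9996, and the victim pulling the worm back from an FTP server on TCP/5554. The following is an added example of detection logic over firewall log lines, written for this thread; it is not Symantec's "Detecting traffic due to LSASS worms" tool and not part of the original post. The log line format (`timestamp ACTION src -> dst:port`), the thresholds, and the sample lines are all assumptions constructed for the example.

```python
"""
Flag hosts whose traffic matches the W32.Sasser scanning pattern: many
TCP/445 attempts to distinct, mostly off-subnet destinations in a short
window, plus the worm's side channels on TCP/9996 and TCP/5554.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

LSASS_PORT = 445        # exploit target (MS04-011)
WORM_FTP_PORT = 5554    # FTP server the worm starts on the infected host
WORM_SHELL_PORT = 9996  # shell the exploit opens on the victim

# Assumed log line format (not from the write-up), for example:
#   2004-11-22T22:01:00 DENY 192.0.2.10 -> 203.0.113.4:445
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def find_scanners(lines, window=timedelta(seconds=60), min_targets=8):
    """Map source IP (str) -> list of reasons, for hosts that look infected.

    A source is flagged when, inside any `window`, it attempts TCP/445 to at
    least `min_targets` distinct destinations and at least half of them lie
    outside its own /24. A normal SMB client talks to a handful of file
    servers; the worm's 52%/23% random generator fans out far beyond that.
    """
    attempts = defaultdict(list)   # src -> [(ts, dst)] for port 445
    side = defaultdict(set)        # infected host -> worm ports observed
    for ev in filter(None, map(parse, lines)):
        if ev["dport"] == LSASS_PORT:
            attempts[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["dport"] == WORM_SHELL_PORT:
            side[ev["src"]].add(WORM_SHELL_PORT)   # attacker -> victim shell
        elif ev["dport"] == WORM_FTP_PORT:
            side[ev["dst"]].add(WORM_FTP_PORT)     # victim -> attacker FTP

    findings = {}
    for src, events in attempts.items():
        events.sort()
        own_net = ipaddress.ip_network(f"{src}/24", strict=False)
        best, start = None, 0
        for end in range(len(events)):           # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            outside = sum(1 for d in targets if d not in own_net)
            if len(targets) >= min_targets and outside * 2 >= len(targets):
                if best is None or len(targets) > best[0]:
                    best = (len(targets), outside)
        if best:
            reasons = [f"{best[0]} distinct TCP/445 targets in "
                       f"{window.seconds}s, {best[1]} outside {own_net}"]
            reasons += [f"traffic on worm port TCP/{p}" for p in sorted(side[src])]
            findings[str(src)] = reasons
    return findings


# Constructed sample: a normal SMB client (.20) and an infected host (.10).
SAMPLE_LOG = [
    "2004-11-22T22:00:00 ALLOW 192.0.2.20 -> 192.0.2.5:445",
    "2004-11-22T22:00:05 ALLOW 192.0.2.20 -> 192.0.2.6:445",
    "2004-11-22T22:00:30 ALLOW 192.0.2.20 -> 192.0.2.5:445",
    "2004-11-22T22:01:00 DENY 192.0.2.10 -> 203.0.113.4:445",
    "2004-11-22T22:01:01 DENY 192.0.2.10 -> 198.51.100.7:445",
    "2004-11-22T22:01:01 DENY 192.0.2.10 -> 192.0.2.77:445",
    "2004-11-22T22:01:02 DENY 192.0.2.10 -> 203.0.113.99:445",
    "2004-11-22T22:01:03 DENY 192.0.2.10 -> 198.51.100.200:445",
    "2004-11-22T22:01:04 DENY 192.0.2.10 -> 192.0.2.130:445",
    "2004-11-22T22:01:05 DENY 192.0.2.10 -> 203.0.113.250:445",
    "2004-11-22T22:01:06 DENY 192.0.2.10 -> 198.51.100.33:445",
    "2004-11-22T22:01:07 DENY 192.0.2.10 -> 203.0.113.18:445",
    "2004-11-22T22:01:08 ALLOW 192.0.2.10 -> 198.51.100.7:445",
    "2004-11-22T22:01:09 ALLOW 192.0.2.10 -> 198.51.100.7:9996",
    "2004-11-22T22:01:10 ALLOW 198.51.100.7 -> 192.0.2.10:5554",
    "this line is not in the expected format and is skipped",
]


def demo():
    return find_scanners(SAMPLE_LOG)


if __name__ == "__main__":
    for host, reasons in demo().items():
        print(host, "->", "; ".join(reasons))
```

The fan-out test is keyed on distinct destinations rather than on DENY counts, because on a flat network most of the worm's probes to unused addresses simply time out and never produce a deny entry; the /24 check is what separates a worm from a backup server that legitimately touches every host on its own subnet.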

  #3  
Old November 23rd 04, 04:13 AM
kiadau
external usenet poster
 
Posts: n/a
Default What is connected to which?

Thank you David for all the info. While I updated my live update and got the
latest definitions and ran a full system scan, the results did not come back
as positive for the sasser worm. I do however know that there are files on
my system which are sasser files. Is it possible that because I denied access
through my firewall it did not trigger the worm? Why wouldn't the virus scan
show that I was infected? Symantec has been very uncooperative and I am
unable to get information from them as to whether the systemworks version I
have is working properly.

I will however, look for those files and delete them as noted below in your
info

K
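The manual removal section in the write-up gives a short list of host-side indicators: an avserve.exe process and copies named four or five digits plus _up.exe, an "avserve.exe" value under the Run key, listeners on TCP/5554 and TCP/9996, and C:\win.log. The following is an added example of a triage check over those indicators, written for this thread; it is not Symantec's removal tool and not part of the original post. It works on a snapshot dictionary you assemble yourself (the snapshots below are constructed); on a live XP box the inputs would come from Task Manager or `tasklist`, regedit, `netstat -an` and a directory listing. Note that lsass.exe itself in %SystemRoot%\system32 is the legitimate Local Security Authority process the worm crashes, not the worm (the write-up says the worm's own file is avserve.exe), so the check only flags an lsass.exe that runs from somewhere else. The default system32 path is an assumption.

```python
"""
Match a host snapshot against the W32.Sasser indicators from the write-up:
avserve.exe, NNNNN_up.exe copies, the Run-key value, the TCP/5554 and
TCP/9996 listeners, and C:\\win.log.
"""
import ntpath
import re

WORM_IMAGE = "avserve.exe"
UP_COPY_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)   # e.g. 74354_up.exe
WORM_PORTS = {5554, 9996}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_LOG = r"c:\win.log"
LSASS_DIR = r"c:\windows\system32"   # assumption: default %SystemRoot%


def triage(snapshot):
    """Return a list of (indicator, detail) tuples; an empty list means nothing matched."""
    hits = []

    # 1. Running processes: the dropper and its NNNNN_up.exe copies.
    for proc in snapshot.get("processes", []):
        name = ntpath.basename(proc).lower()
        folder = ntpath.dirname(proc)
        if name == WORM_IMAGE or UP_COPY_RE.match(name):
            hits.append(("process", proc))
        # lsass.exe is the worm's victim, not the worm; only an lsass.exe
        # running from outside system32 is worth a second look.
        elif name == "lsass.exe" and folder and folder.lower() != LSASS_DIR:
            hits.append(("lsass_outside_system32", proc))

    # 2. Persistence: "avserve.exe"="%Windir%\avserve.exe" under the Run key.
    for value_name, data in snapshot.get("run_values", {}).items():
        if value_name.lower() == WORM_IMAGE or ntpath.basename(data).lower() == WORM_IMAGE:
            hits.append(("run_key", f"{RUN_KEY}\\{value_name} = {data}"))

    # 3. Listeners: the worm's FTP server (5554) and the remote shell (9996).
    for port in sorted(WORM_PORTS & set(snapshot.get("listening_tcp", []))):
        hits.append(("listener", f"TCP/{port}"))

    # 4. The scan log the worm writes.
    if any(f.lower() == WORM_LOG for f in snapshot.get("files", [])):
        hits.append(("file", WORM_LOG))

    return hits


# Constructed snapshots: one infected host, one clean host.
INFECTED_SNAPSHOT = {
    "processes": [r"C:\WINDOWS\system32\lsass.exe",
                  r"C:\WINDOWS\avserve.exe",
                  r"C:\WINDOWS\system32\74354_up.exe"],
    "run_values": {"avserve.exe": r"C:\WINDOWS\avserve.exe"},
    "listening_tcp": [135, 139, 445, 5554, 9996],
    "files": [r"C:\win.log"],
}

CLEAN_SNAPSHOT = {
    "processes": [r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\explorer.exe"],
    "run_values": {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    "listening_tcp": [135, 139, 445],
    "files": [],
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(label, triage(snap))
```

A clean result from this check only says the first Sasser variant's indicators are absent; as the next reply notes, there are many variants with other file names, so a negative here is not proof the machine is clean.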


  #4  
Old November 23rd 04, 04:23 AM
David Candy
external usenet poster
 
Posts: n/a
Default What is connected to which?

That's for the first sasser. There are lots of sasser (type it in symantec's site). Programs like this tend to interfere with AV programs. I've not ever caught sasser so I don't know it well. I posted that page (and deleted 50000 images from it) because viruses tend to block AV companies web sites.

Plus sasser is not the only lsa thingy.

Ensure you are sasser free first.

http://www.sarc.com/search/
This is norton's site. Just type sasser. Norton tends to have the best descriptions but a lousy search engine (it finds the same pages over and over again).
--
----------------------------------------------------------
http://www.uscricket.com


  #5  
Old February 14th 07, 01:05 PM posted to microsoft.public.windowsxp.newusers
Bill
external usenet poster
 
Posts: 253
Default What is connected to which?

I run a computer repair out of my home, specializing in AV and spyware. I
fix many machines that were running symantec. Not a knock on the company,
just my personal experience.

I recommend going to pandasoftware.com and running their free active scan
for a second opinion. Of course, this free scan seems to find many things,
and offers to sell you a full version, but it does remove some viruses that
have concealed themselves from other products.

Another thing you might try is go to free.grisoft.com, install AVG Free
edition, update your defs, then boot into safe mode and do a full scan from
there. If it finds something and cleans it, you will need to either remove
it, or remove symantec, as they conflict with one another. AVG will
quarantine a file, then Symantec will quarantine the AVG quarantine, over and
over and over, so decide which to use and remove the other.

Also don't forget that System Restore might be holding the infection, so you
should consider turning off system restore before running your scan (that's
symantec standard advice, not mine, but I have seen this work personally).

Last bit of advice, I have repaired many computers running a third party
firewall, and have found that sometimes the firewall is broken, and needed to
be removed or repaired before normal operations could be restored after a
cleanup.


  #6  
Old February 14th 07, 06:47 PM posted to microsoft.public.windowsxp.newusers
Wesley Vogel
external usenet poster
 
Posts: 6,188
Default What is connected to which?

Why are you replying to a post from Nov 22 2004, 9:23 pm?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In ,
Bill hunted and pecked:
I run a computer repair out of my home, specializing in AV and spyware. i
fix many machines that were running symantec. not a knock on the company,
just my personal experience.

I recommend going to pandasoftware.com and running their free active scan
for a second opinion. Of course, this free scan seems to find many
things, and offers to sell you a full version, but it does remove some
viruses that have concealed themselves from other products.

another thing you might try is go to free.grisoft.com, install AVG Free
edition, update your defs, then boot into safe mode and do a full scan
from there. If it finds something and cleans it, you will need to either
remove it, or remove symantec, as they conflict with one another. AVG
will quarantine a file, then Symantec will quarantine the AVG quarantine,
over and over and over, so decide which to use and remove the other.

Also don't forget that System Restore might be holding the infection, so
you should consider turning off system restore before running your scan
(that's symantec standard advice, not mine, but i have seen this work
personally.

Last bit of advice, I have repaired many computers running a third party
firewall, and have found that sometimes the firewall is broken, and
needed to be removed or repaired before normal operations could be
restored after a cleanup.

"David Candy" wrote:

That's for the first sasser. There are lots of sasser (type it in
symantec's site). Programs like this tend to interfere with AV programs.
I've not ever caught sasser so I don't know it well. I posted that page
(and deleted 50000 images from it) because viruses tend to block AV
companies web sites.

Plus sasser is not the only lsa thingy.

Ensure you are sasser free first.

http://www.sarc.com/search/
This is norton's site. Just type sasser. Norton tends to have the best
descriptions but a lousy search engine (it finds the same pages over and
over again). --
----------------------------------------------------------
http://www.uscricket.com
"kiadau" wrote in message
...
Thank you David for all the info. While I updated my live update and
got the latest definitions and ran a full system scan, the results did
not come back as possitive for the sasser worm. I do however know that
there are files on my system which are sasser files. Is it possible
that because I denied access through my firewall it did not trigger the
worm? Why wouldn't the virus scan show that I was infected? Symantec
has been very uncooperative and I am unable to get information from
them as to whether the systemworks version I have is working properly.

I will however look for those files and delete them as noted below in
your info.

K

"David Candy" wrote:

There's lots of variants.

W32.Sasser.Worm
Discovered on: April 30, 2004
Last Updated on: July 27, 2004 11:20:39 AM
Also Known As: W32/Sasser.worm.a [McAfee], WORM_SASSER.A [Trend],
Worm.Win32.Sasser.a [Kaspersky], W32/Sasser-A [Sophos], Win32.Sasser.A
[Computer Associates], Sasser [F-Secure], W32/Sasser.A.worm [Panda]

Type: Worm
Infection Length: 15,872 bytes


#7
February 14th 07, 06:50 PM posted to microsoft.public.windowsxp.newusers
Hertz_Donut
What is connected to which?

Because he felt like "bragging" and giving himself a free plug?

Honu

"Wesley Vogel" wrote in message
...
Why are you replying to a post from Nov 22 2004, 9:23 pm?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In ,
Bill hunted and pecked:
I run a computer repair out of my home, specializing in AV and spyware.
I fix many machines that were running Symantec. Not a knock on the
company, just my personal experience.

I recommend going to pandasoftware.com and running their free active scan
for a second opinion. Of course, this free scan seems to find many
things, and offers to sell you a full version, but it does remove some
viruses that have concealed themselves from other products.



#8
February 14th 07, 08:02 PM posted to microsoft.public.windowsxp.newusers
Wesley Vogel
What is connected to which?

As good an answer as any. ;-)

I didn't realize that my post was 5KB and included the whole original post.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

In ,
Hertz_Donut hunted and pecked:
Because he felt like "bragging" and giving himself a free plug?

Honu

"Wesley Vogel" wrote in message
...
Why are you replying to a post from Nov 22 2004, 9:23 pm?

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User


snip
 



