
Sasser Worm and Variants Spreading Rapidly - Help 9


bcastner

Let me *bump* this notice.

My morning paper (4-04-2004) described over a million+ workstations dropped by this worm yesterday alone.

The diagnostic, removal and Security Hotfixes for the description, removal and prevention of this worm should be taken very seriously by all. The morning paper quoted a large ISP: "It is worse than Blaster. Our test machines are infected in less than 10 minutes if unprotected by a firewall on an internet connection."
 
Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13.

Which means that you get your updates from MS just to be busted 2 weeks later...


YOUR COMPUTER WILL SHUT DOWN AFTER YOU READ THIS MESSAGE!

(Just kidding...)
 
I just attended a Security Webcast by Microsoft, and my scribbled notes I hope can help:

. over 10.5 million workstations now affected

. Sasser is now on version G, (wait an hour, it likely will be higher). Microsoft is maintaining a constantly updated discovery, removal and Hotfix repair site at:


This site can be very busy, wait..... you should get connected. Or try again several times. It has late breaking news on detection and removal.

. My own question was "I am behind a NAT firewall, am I safe?" Essentially the answer is that if your NAT denies access to port 445, you are fine. But, many sites have laptop, notebook or portable users that when they connect, and if infected (very good likelihood at present), then the Sasser worm will spread within 180 seconds inside the NAT firewall. Apply the Security Hotfix on all computers. Run the diagnostic/removal tool from
. What can I do to remove the issue if infected?

See
. What can I do to prevent being infected?

Microsoft is all over this issue. Check frequently at the site: If you have applied the MS-04-011 Security Hotfix, you are fine.

Do not mess around with this worm. This is currently a very serious issue: run the MS diagnostic, apply the Hotfix Security patch, and if possible block port 445.
 
Quick point: for those running Windows XP, if you don't have any third party firewall software, activating the built-in firewall on your internet connection will stop it getting infected. Go to Start -> Network and Dialup Connections and check for a little padlock icon on dialup or broadband internet connections.
If not, right click the connection, properties, Advanced tab and tick "Protect my computer and network..." (the top box). Do this before going online.

John
 
Win9x will not be affected in terms of operations if infected, but will serve as a Sasser worm distribution point.

WinNT - Win2k - WinXP can all expect issues if infected, and also can serve as Sasser worm distribution points for the worm.

Your firewall (NAT router or firewall appliance) is not protection if any client (dial-up, laptop) is introduced behind the router or firewall.

Essentially, patch with MS 04-011. If in doubt, run the detection and removal tool from
 
Good point bcastner, I should have mentioned it will only protect under certain circumstances.

John
 
jbarnett,

I listened to this Microsoft Webcast this morning on Sasser, and I was stunned by the comments from quite large systems who believed:

. NAT was enough
. Win9x is not an issue. (It will not crash Win9x, but Win9x workstations are perfectly happy to be clients for the worm)

. "I have XXXXX software firewall. How in heck did I get infected?" You can replace XXXX with many well known third-party firewall products. If port 445 TCP/UDP is blocked, you cannot (currently) be infected with Sasser. But, do not forget laptop and/or dial-up, and/or wireless users. One guy coming back with his notebook from the local Starbucks and reconnects can drop, and I quote, "3,672 workstations within three minutes."

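The returning-laptop scenario described above is what internal fan-out detection is for. This is an added example in Python, not code from the thread or from Microsoft's tools: it parses a constructed firewall/flow log and flags any source that reaches 20 or more distinct hosts on TCP/445 inside a 60-second sliding window, the propagation pattern the post describes. The log format, addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <TCP|UDP>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<proto>TCP|UDP)$")

def parse_line(line):
    """Return (timestamp, src, dst, dport, proto), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]), m["proto"]

def find_fanout(lines, port=445, window=timedelta(seconds=60), threshold=20):
    """Flag sources reaching >= threshold distinct hosts on TCP/<port> within any
    sliding window; returns {src: (window_start, distinct_hosts)}."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == port and rec[4] == "TCP":
            events[rec[1]].append((rec[0], rec[2]))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start, in_window = 0, defaultdict(int)  # dst -> hits inside the window
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[start][0] > window:  # slide the window start forward
                old = evs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = (evs[start][0], len(in_window))
                break
    return alerts

def build_sample_log():
    """Constructed traffic: normal SMB use from .50, plus a returning laptop (.77)
    sweeping the /24 on TCP/445 one host per second."""
    base = datetime(2004, 5, 4, 9, 0, 0)
    lines = [f"{base.isoformat()} 192.168.1.50 -> 192.168.1.10:445 TCP",
             f"{(base + timedelta(seconds=5)).isoformat()} 192.168.1.50 -> 192.168.1.1:53 UDP"]
    for i in range(1, 41):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 192.168.1.77 -> 192.168.1.{100 + i}:445 TCP")
    return lines
```

Running `find_fanout(build_sample_log())` flags only 192.168.1.77; raise or lower `threshold` and `window` to match how fast a real sweep of your subnet would show up in your own logs.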
 
And people made fun of me because I install Critical Updates on all systems within a week of release.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Lander215,

I still make fun of you for that practice of immediately using the Windows Update Hotfixes. (Just kidding)

My rule is:

. Security Hotfixes (what Microsoft notes as Critical OS Hotfixes) I do without question.
. Everything else is questionable.

And a personal note: you are a heckuva Tek-Tip Forum member. Noted and appreciated.

Best,
Bill Castner


 
LOL! Ok, I have to admit, when I roll into my seat on the first Tuesday of each month, I just hit the approve all and let my users test out the fixes for me, job security and all ya know. ;-)

Thanks for the rest, I amble along quietly, helping where I can.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Second Tuesday of each month.
May 11th should be interesting. MS 04-011 last month was interesting as it:

. for some Win2k machines, brought them to their knees. (Remember the original Q811349 for XP?) The interesting thing is the often several times a day changes to MS KB for MS 04-011. A Win2k user should visit the KB often, the XP user semi-regularly: I have never seen a KB article change this often. Amazing.

. the first Windows hotfix that proved an early concern about prospective security Hotfixes: if you identify an obscure security issue, does that not give the worm/virus writer an open opportunity to many users? Apparently it does create a rich setting for worm authors.

Go figure.
 
Kind of like pointing out, in every major newspaper, that banks have a special backdoor that is unlocked every day at 1:15:45pm.

Gee, wonder where the robbers will be at about that time?



I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
2ffat,

I included a general link in the first post that included the Sophos removal tool.

What I recommend currently is to use the Microsoft site:
http:\\
for the serious techie: http:\\
I have seen the first link above update every five minutes, as Sasser passes from A -- G in variants.
 
At the risk of exposing my own ignorance I must ask, what is the significance of the comment posted at the end of 2ffat's post of 5/4 which reads: THERE'S NO PLACE LIKE 127.0.0.1 ???

Curiosity killed the cat so I pinged the address. It works. So I ran tracert on it and it comes back PDQ with one hop to Local Host. So where is 127.0.0.1?

My brains ache!
 
DWalrus,

It is a geek joke, and a cute one.
The Internet Assigned Numbers Authority (IANA) has reserved several addresses that should never appear on the internet. One is an unambiguous reference to the physical computer that hosts an IP address, 127.0.0.1. It is the loopback, localhost, or Home address for a network interface device.

So just as Dorothy clicked her heels chanting "There is no place like home. There is no place like home" to return to Kansas at the end of the Wizard of Oz movie, leave it to the Geeks with a good sense of humor to write the expression you saw.

It would have been better to use the "route of last resort" you always have in your routing table (Start, Run, cmd, route print) but I guess just like Home it is not always the route of last resort.

 
Last *bump* as it is spreading very fast and very widely.

If you notice an LSASS shutdown error, very slow booting, or other issues the site below offers a very quick online scan for the worm, as well as other utilities and resources. Click the little panel to do an online test of your system:

The Microsoft site for sasser news, scanning tool, removal tool, and Security Hotfix:
 