Sasser worm trouble on a WinXP system.
May 3, 2004 1:47 PM

Sasser worm trouble. A friend's WinXP system was compromised, I was asked to disinfect it, and it's not behaving by the rules! [more inside]

OK, the sequence of events:

- She reports random booting, weird messages, etc. She's running GRISoft's antivirus, which reports that it's found Sasser.B, but is unable to remove it.

- The hosts file has been corrupted to stop me from getting to any antivirus sites, so I fix that, delete several copies of avserve2 from the task list, go to the Microsoft site and download and install the latest updates, then download and run their sasser worm removal utility. The utility says that no sasser worm was found.

- I go to Norton's site, get their sasser removal utility, and run it. It reports that there's no sasser worm.

- I find a technical description of the worm (including the registry keys it adds/modifies), and delete them. Can't find anything else suspicious in the "Run" registry categories.

At this point, here are the symptoms I'm getting:

1) At boot, a message that the data at address '00000004'x could not be read. This is from the GRISoft code. Click OK, and everything seems fine.

2) Also at boot, the hosts file is again modified to add and all of the antivirus sites.

3) GRISoft reports that no viruses are found

Can anybody think of what I might try next? I'm lost.
posted by Daddio to Computers & Internet (11 answers total)
Did you try looking at Microsoft's removal instructions? (can't believe that I'm saying that).
posted by Dean_Paxton at 1:53 PM on May 3, 2004

wait a day or two? maybe you've got a mutant that will be covered in the next release of the tools?
posted by andrew cooke at 1:55 PM on May 3, 2004

Waiting is the hardest part. I had it last week. I was getting the NTA Authority Shutdown pop-up every 15 minutes or so. I installed all of the windows critical updates, and rebooted. For the next few hours, I got a few more NTA pop-ups, but I went to Run and typed in shutdown -a to stop them from executing. After a few hours, the pop-ups, which were obviously timed in advance, stopped, and I haven't had another one since.

I did find one forum thread with some great advice on it - it was the only thread of its kind last week, where all of the people on it realized that they were dealing with something that wasn't either the Blaster worm or the Welchia worm; they were speculating whether or not they were the first to discover this new variant - apparently they were. I'll look for it when I get home later.
posted by iconomy at 2:16 PM on May 3, 2004

Or, I'll look for it now...
posted by iconomy at 2:23 PM on May 3, 2004

Response by poster: Dean_Paxton: Yes, following Microsoft's "Check my PC for infection" link resulted in them telling me that the machine wasn't infected.
posted by Daddio at 2:36 PM on May 3, 2004

You're probably getting reinfected almost instantaneously. Remember, this is a worm. All you need to do is have an active network connection to get bitten. Make sure you do all of your clean up work in safemode with the ethernet cable physically disconnected from the computer. This is overkill, but it's a way to be definitely and completely sure. Reinfection explains why Norton, et al won't find anything weird, but you still see the symptoms later. That's just a theory, but it's one which I've been able to prove, at least against my own scrutiny.

Run a full Windows update, don't just install their recommended patches. You could be getting infected by something else. Make sure you follow the firewall step of Microsoft's removal instructions. Turn off system restore, make sure you've removed the worm executables from the recycle bin.

You're probably not infected with Sasser anymore. In fact, I'd almost guarantee it. Modifying the hosts file is not part of Sasser's profile, nor does it seem like behavior which can be attributed to any of the new strains. It might be some sort of spyware. If the computer is not restarting due to a lsass.exe crash, then it's not Sasser, but some other malicious code.

Sorry, I'm kind of scattered, I just spent eight hours at work disinfecting something like four dozen machines, and I'm a little scattered. Those are my general thoughts, hope they help.
posted by mmcg at 3:41 PM on May 3, 2004

Very scattered, apparently, as I directly contradict myself in that post. My apologies.
posted by mmcg at 3:43 PM on May 3, 2004

"W32.Gaobot" variants modify the hosts file, among eighteen million other things; and it's making the rounds, too.
posted by Ethereal Bligh at 3:57 PM on May 3, 2004
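Several posts above turn on the hosts file being rewritten so that antivirus and update sites resolve to nowhere. The following checker is an added example, not something posted in this thread: it parses hosts-file text and reports any entry that maps a security-vendor or update hostname to a loopback or unspecified address. The vendor suffix list and the sample hosts content are constructed for illustration and are assumptions, not taken from the thread.

```python
# Added example (not from the thread): flag hosts-file entries that sinkhole
# security-vendor and update hostnames, the tampering described above.
import ipaddress
from typing import List, Tuple

# Hostname suffixes worth watching (illustrative, assumed list).
WATCHED_SUFFIXES = (
    "grisoft.com", "symantec.com", "norton.com", "mcafee.com",
    "trendmicro.com", "windowsupdate.com", "microsoft.com",
)

# Constructed sample hosts content; the two vendor lines are the tampering.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
::1 localhost
127.0.0.1 www.grisoft.com
0.0.0.0 liveupdate.symantec.com   # trailing comment
192.168.1.10 printer.local
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) per entry, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with no names
        entries.append((parts[0], parts[1:]))
    return entries


def is_sinkhole(addr: str) -> bool:
    """True when the address cannot reach the real site (loopback or 0.0.0.0/::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def is_watched(hostname: str) -> bool:
    """True when the hostname is, or is under, one of the watched domains."""
    name = hostname.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_tampering(text: str) -> List[Tuple[str, str]]:
    """List (address, hostname) pairs where a watched name is sinkholed."""
    hits = []
    for addr, names in parse_hosts(text):
        if not is_sinkhole(addr):
            continue
        for name in names:
            if is_watched(name):
                hits.append((addr, name))
    return hits


if __name__ == "__main__":
    # Check the constructed sample; pass a real path to check a live system,
    # e.g. C:\Windows\System32\drivers\etc\hosts on Windows.
    for addr, name in find_tampering(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {addr} -> {name}")
```

Entries that merely point a local name at a private address (the printer line above) are left alone; only watched names that resolve to loopback or the unspecified address are reported, which is exactly the pattern that blocks the cleanup tools the thread is trying to download. Rerunning the check after each reboot also makes the reinfection theory in this thread testable: if the entries come back, something on the machine or the network is still writing them.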

Response by poster: Update: I had my friend use Trend Microsystem's "HouseCall" free virus scanner, and it found a bunch of files that it said were infected. She deleted them, and all seems well.

I may have to re-think the brand of antivirus I use.

By the way, I found the HouseCall site via iconomy's link. Thanks, Dude! (or Dudette, as the case may be).
posted by Daddio at 8:05 PM on May 3, 2004

I be a dudette. Glad to hear that your friend is disinfected, because the next step was taking out the hard drive and scrubbing it with Pine-sol ;)
posted by iconomy at 12:03 AM on May 4, 2004

Also, when getting rid of these things- you need to turn off system restore. (It's on a tab in system properties.) I learned this the hard way while trying to get rid of Trojan Rameh.b - I'd follow all the instructions and use all the tools, and the computer would be clean... then I would reboot, and it would be back again.

Turn off system restore, clean the mess up, reboot, and then you can turn it back on again. That may help. Good luck!
posted by headspace at 8:09 AM on May 4, 2004
