# Sasser - Removal & Detection Tools (LSASS: shutdown, reboot)



## hewee (Oct 26, 2001)

Got this info from here.

http://www.dozleng.com/updates/index.php?showtopic=358&st=0&#entry1685

===========================================================

SASSER REMOVAL TOOLS

While I hope no one needs this, here are several tools and techniques for removing the Sasser worm. All of these tools are excellent. I prefer the Microsoft Removal Tool instructions (listed first), which includes the MS04-011 security patch required to avoid reinfections.

Microsoft Removal Tool
http://support.microsoft.com/?kbid=841720

McAfee Stinger
http://vil.nai.com/vil/stinger/

Symantec Removal Tools
http://www.symantec.com/avcenter/venc/data...moval.tool.html

F-Secure Removal Tools
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

Before using the tool please read the disinfection instructions from 'f-sasser.txt'.

Trend Micro Removal Tools
http://www.trendmicro.com/download/dcs.asp

Microsoft - Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the "avserve2.exe" process, then delete the file AVSERVE2.EXE from your Windows directory and reboot.

Steps from Microsoft's site (includes test button and tools):
http://www.microsoft.com/security/incident/sasser.asp

Manual Removal steps for Technical Users
http://www.microsoft.com/technet/Security/alerts/sasser.mspx

NETWORK LSASS SCANNING TOOLS

eEye offers free scanning network tool -- As a service to the network security community, eEye has announced the availability of a free tool to scan network computers and detect if any are vulnerable to the "Sasser.A" worm currently circulating worldwide. The tool allows administrators to quickly identify vulnerable workstations that do not contain the patch required to protect from the attack, and it provides information on where to locate the patch made available from Microsoft.

Download the FREE Retina Sasser Audit Tool here:
http://www.eeye.com/html/Research/Tools/Do...le=RetinaSasser

This free tool from Foundstone identifies workstations with unpatched MS04-011 LSASS vulnerabilities.

Foundstone DSSCAN tool
http://www.foundstone.com/resources/proddesc/dsscan.htm
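
A read-only triage check for the indicators named in the post above (the avserve2.exe process and file, and whether the MS04-011 patch is present), written as an added example and not taken from any of the linked vendor tools. It assumes the update is identified by hotfix ID KB835732 and only reports; removal is left to the tools listed.

```powershell
# Added example (not part of the original post): report Sasser indicators
# without killing or deleting anything; use the vendor tools above for removal.
# Assumption: MS04-011 is installed as hotfix KB835732 (assumed here).

$hotfixId = 'KB835732'                                 # assumed KB number for MS04-011
$dropper  = Join-Path $env:SystemRoot 'avserve2.exe'   # file named in the post
$findings = @()

# 1. Is the worm process running?
$proc = Get-Process -Name 'avserve2' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "Running process: avserve2.exe (PID $($proc.Id -join ', '))"
}

# 2. Is the dropped file present in the Windows directory?
if (Test-Path -LiteralPath $dropper) {
    $item = Get-Item -LiteralPath $dropper
    $findings += "File present: $dropper ($($item.Length) bytes, written $($item.LastWriteTime))"
}

# 3. Is the LSASS patch installed? Unpatched hosts are reinfected after cleanup.
$patched = $null -ne (Get-HotFix -Id $hotfixId -ErrorAction SilentlyContinue)
if (-not $patched) {
    $findings += "Update $hotfixId (MS04-011) not found; host can be reinfected"
}

if ($findings.Count -eq 0) {
    Write-Output "No Sasser indicators found and $hotfixId is installed."
} else {
    Write-Output 'Sasser indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an elevated prompt so the Windows directory and all processes are readable.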


----------



## hewee (Oct 26, 2001)

More info from http://www.dozleng.com/updates/index.php?showtopic=360

Sasser.D can run on but not infect Windows 95, 98, and ME PCs
http://www.sarc.com/avcenter/venc/data/w32.sasser.d.html

W32.Sasser.D.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to. Firewall port blocking is the best defense to keep these systems from generating unnecessary network traffic.

----------------------------------------------------------

Analysis of Windows 9x and ME impacts

The bottom line is that there are none other than someone copying the actual infected code to a Windows 98 PC and launching it.

Symantec retracted this on the "D" variant as it's now found on the "A", "B", and "C" variants. Other AV vendors aren't reporting this but I've affirmed the potential with McAfee. Thankfully it is a REMOTE and potentially RARE issue.

While Sasser can run on W/9x as a Win32 process, it must be MANUALLY copied by the user. So far I'm not aware of any automatic injections of the Sasser worm Win32 code as a "process" into W/9x workstations.

This is most likely a minor issue, and the threads here if there is any "Sasser and W/9x impacts" news:

http://www.symantec.com/avcenter/venc/data...asser.worm.html
http://www.symantec.com/avcenter/venc/data...ser.b.worm.html
http://www.symantec.com/avcenter/venc/data...ser.c.worm.html

W32.Sasser.C.Worm can run on (but not infect) Windows 95/98/Me computers. Although these operating systems cannot be infected, they can still be used to infect vulnerable systems that they are able to connect to. In this case, the worm will waste a lot of resources so that programs cannot run properly, including our removal tool. (On Windows 95/98/Me computers, the tool should be run in Safe mode.)


----------



## Harvoy (May 25, 2004)

I'm a relative newbie to all this, and still pretty naive about the internet, I think. I've recently done a clean reinstall of XP Pro, caused by Psyme wrecking my old h/d, which I replaced.
I have F-Secure Internet Security installed now.
In Task Manager I see LSAS.exe and others of a similar name running as processes. Does this mean I have the virus?
Feel free to mail me [email protected]
Ta,


----------



## hewee (Oct 26, 2001)

Sounds like you may have it, so better clean it up with one of the removal tools.


----------



## monkeyj (Aug 2, 2003)

I love Ad-Aware, it found the Sasser for me... and I deleted it that way...
I've even run the Sasser removal tool by Microsoft, and it said, "Sasser not detected."
Ad-Aware is the best.


----------



## hewee (Oct 26, 2001)

Great to hear monkeyj.


----------



## Zydec (Jun 15, 2004)

Hi,

I have a 2000 Server running that has become infected with the Sasser virus.
I have read on the internet that there are various patches and removal tools available to fix this; however, this causes me one huge problem...

To run these utils you need to be able to get into the computer! When I start my computer it states that lsass.exe has given some error, and then it goes into the forced shutdown and reboots!

Can anyone help me out here? I'm surely not the only person in the world that has had this problem?

Thanks


----------



## hewee (Oct 26, 2001)

Zydec,

Welcome to TSG 

Post a HijackThis log and someone who knows more should be able to help you out.

Please start a new thread on it.


----------



## memyselfi (Jun 16, 2004)

Hi Zydec,

As soon as you receive the countdown that your server is about to be rebooted, change the date to a day before (today's date) on the affected server.

This will then give you one day before the countdown reboots the server so you should have enough time to install the patches.

Hope this helps.


----------



## Zydec (Jun 15, 2004)

Hi,

Thanks for the information.
Sorry to be thick, but what is a HijackThis log? Sorry to sound stupid, but I am new to this.

Thanks


----------



## foxfire (Jan 14, 2003)

Hi Zydec, please read the sticky by Rollin Rog at the top of this forum, scroll down to "HiJackThis download", follow the instructions carefully & post your log (start a new thread) & wait for advice.

Foxfire.


----------



## hewee (Oct 26, 2001)

Also read "Tutorials on various security tools, How to use Spybot, AdAware etc."
http://www.dozleng.com/updates/index.php?showtopic=270

No one is stupid. You're just learning.


----------

