What
is Sasser.B Worm and How Did I Get It?
This worm spreads by exploiting a recent
Microsoft vulnerability, spreading from machine
to machine with no user intervention required.
This worm scans random IP addresses for
exploitable systems. When one is found, the worm
exploits the vulnerable system, by overflowing a
buffer in LSASS.EXE. It creates a remote shell
on TCP port 9996. Next it creates an FTP script
named cmd.ftp on the remote host and executes
it. This FTP script instructs the target victim
to download and execute the worm (with the
filename #_up.exe as aforementioned) from the
infected host. The infected host is accepts this
FTP traffic on TCP port 5554.
The worm spawns multiple threads, some of
which scan the local class A subnet, others the
class B subnet, and others completely random
subnets. The destination port is TCP 445.
The virus copies itself to the Windows
directory as avserve2.exe and
creates a registry run key to load itself at
startup
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "avserve2.exe" =
C:\WINDOWS\avserve2.exe
As the worm scans random ip addresses it
listens on successive TCP ports starting at
1068. It also acts as an FTP server on TCP port
5554, and creates a remote shell on TCP port
9996.
A file named win.log is
created on the root of the C: drive. This file
contains the IP address of the localhost.
Copies of the worm are created in the Windows
System directory as #_up.exe.
Examples
- c:\WINDOWS\system32\11583_up.exe
- c:\WINDOWS\system32\16913_up.exe
- c:\WINDOWS\system32\29739_up.exe
A side-effect of the worm is for LSASS.EXE to
crash, by default such system will reboot after
the crash occurs. The following Window may be
displayed:
How
to Remove Sasser.B Worm?
Kaspersky Internet Security Can Prevent You From Virus and Intrusion.
If Kaspersky detects Sasser.B during the
scan, it will AUTOMATICALLY offer you the option
of deleting it. Do this by following the
program's instructions.
Follow these steps
in removing the Sasser.B worm.
1. Disabling System Restore (Windows Me/XP)
For instructions on how to turn off System
Restore, read your Windows documentation, or one
of the following articles: "How
to disable or enable Windows Me/XP System Restore".
2. Updating the Virus Definitions
If you do not know which anti-virus software
can provide strong protection for you, Kaspersky Internet Security is recommended.
3. Reboot the system into Safe Mode (hit the
F8 key as soon as the Starting Windows
text is displayed, choose Safe Mode.
4. Delete the file AVSERVE2.EXE
from your WINDOWS directory (typically
c:\windows or c:\winnt)
5. Edit the registry
- Delete the "avserve2" value from
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
6.Reboot the system into Default Mode
7. Run a full system scan and delete all the
files detected as Sasser.B.
- Start your Kaspersky Internet Security and make sure that it is
configured to scan all the files.
- Run a full system scan.
- If any files are detected as infected with
Sasser.B,
click Delete.
How to Disinfect My Computer from Worms?
In order to keep your computer protected, bear
the following tips in mind:
- If you have filtering tools installed,
configure them to reject messages with the
characteristics described above. If, in spite
of doing this, you receive the message that
contains the virus: do not open it, do not run
the attached file and delete it, making sure
that you also delete it from the Deleted
Items folder.
- Install a good antivirus in your computer.
Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
- Keep your antivirus updated. If automatic
updates are available, configure your
antivirus to use them.
- Keep your permanent antivirus protection
enabled at all times.
Do
you think this website is useful? Help us to keep
the site growing.
Detect and Removal Instruction for Other
Worms - 'S':
| 
(If you can not see the issued comment, please enable your browser to support javascript and refresh this page.)