Try creating a read-only file named %windir%\debug\dcpromo.log. According
to Microsoft, write access to this file has been essential for other
versions of Sasser, at least for propagation.
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Steve Bogdanski
Sent: Thursday, May 06, 2004 6:03 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] Possible Sasser worm variants?
Tim,
Today a user brought in his personal laptop and one of our techs ran
multiple Sasser removal tools on the laptop to no avail. After looking over
it some I noticed what was going on. The laptop had been compromised using
a newer version of Gaobot/Phatbot worm which can exploit the LSASS
vulnerability. The Sasser removal tools would get rid of the running
version of the Sasser worm, but upon reboot it would be back again. This is
because at least two additional services had been installed; in my case they
were:
c:\windows\system32\system.exe
c:\windows\system32\ntmsdata\windows\svchost.exe (this folder held the
original files from the attack)
When the system rebooted, one of these two services seems to start up Sasser
again by pulling a copy from "c:\windows\system32\ntmsdata\windows". The
reason this original version wasn't getting snagged by the Sasser removal
tool was that the permissions on the folder had been removed.
After restoring the permissions for SYSTEM and Administrators, I was able to
remove Sasser and the user's A/V was able to get rid of everything else. I
then removed the folder that was added by the attack. Sorry for the long
email, but I hope it's useful.
________________________________________________
Stephen Bogdanski Network Support, MSU-CVM
Michigan State University [log in to unmask]
A227 VetMed Center Phone: (517) 353-5551
East Lansing, MI 48824 Fax: (517) 432-2937
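Steve's triage (the services that re-launch the worm after reboot, and the folder whose SYSTEM and Administrators permissions had been stripped) together with the read-only dcpromo.log mitigation from the reply at the top, as an added PowerShell script for a responder; it is not code from the thread. The folder and executable paths are the ones quoted in the message; the service names are not given, so the script matches services on their binary path instead.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# Paths are the ones named in the message and the reply; adjust to your own case.
$SuspectDir  = Join-Path $env:windir 'system32\ntmsdata\windows'
$SuspectExes = @((Join-Path $env:windir 'system32\system.exe'),
                 (Join-Path $SuspectDir  'svchost.exe'))

# 1. Find the services that re-launch the worm after reboot. The genuine
#    svchost.exe lives directly in system32, so a copy in a subfolder is a finding.
$hits = foreach ($svc in Get-CimInstance Win32_Service) {
    foreach ($exe in $SuspectExes) {
        if ($svc.PathName -and $svc.PathName -like "*$exe*") { $svc; break }
    }
}
$hits | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
# Stop and disable them before cleaning so the copy is not re-created mid-cleanup.
foreach ($svc in $hits) {
    Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc.Name -StartupType Disabled
}

# 2. Restore SYSTEM and Administrators access to the hidden folder so the removal
#    tool and A/V can reach the files. If Get-Acl itself is denied, take ownership
#    first (takeown /F "<folder>" /R /D Y) and re-run.
if (Test-Path -LiteralPath $SuspectDir) {
    $acl  = Get-Acl -LiteralPath $SuspectDir
    $have = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        if ($have -notcontains $id) {
            Write-Warning "$id has no ACE on $SuspectDir; restoring Full Control"
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
            $acl.AddAccessRule($rule)
        }
    }
    Set-Acl -LiteralPath $SuspectDir -AclObject $acl
}

# 3. The mitigation from the reply: a read-only %windir%\debug\dcpromo.log.
$log = Join-Path $env:windir 'debug\dcpromo.log'
if (-not (Test-Path -LiteralPath $log)) {
    New-Item -ItemType File -Path $log -Force | Out-Null
}
Set-ItemProperty -LiteralPath $log -Name IsReadOnly -Value $true
```

Once access is restored, run the vendor removal tool and a full A/V scan as the message describes, then delete the folder the attack added.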
>>> Tim Potter <[log in to unmask]> 05/05/04 11:10AM >>>
Has anyone had any Win 2000 machines become EXTREMELY sluggish due to one of
these worms (taking 10 min. or so for every single process, mouse click,
etc)? I've run the latest/greatest removal tools from Symantec for
W32.Sasser.D and done a full scan from a good machine w/ the latest NAV
definitions (5/4) & come up with nothing. An ACNS help desk tech. was
confident that the Sasser worm was causing this sort of problem on other PCs
around campus, but I've only seen others here describe random reboots so
far.
Any thoughts or advice would be appreciated, Tim
**********************
Tim Potter <><
Information Officer
MSU Alumni Association
E. Lansing, MI 48824
Toll-free: 877/ MSU-ALUM (678-2586)
Ph: 517/432-1160
Fax: 517/432-7769
Stay Connected! www.msualum.com