Try creating a read-only file named %windir%\debug\dcpromo.log

According to Microsoft, write access to this file has been essential for other versions of Sasser, at least for propagation.

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Steve Bogdanski
Sent: Thursday, May 06, 2004 6:03 PM
To: [log in to unmask]
Subject: Re: [MSUNAG] Possible Sasser worm variants?

Tim,

Today a user brought in his personal laptop and one of our techs ran multiple Sasser removal tools on the laptop to no avail. After looking over it some, I noticed what was going on. The laptop had been compromised using a newer version of the Gaobot/Phatbot worm, which can exploit the LSASS vulnerability. The Sasser removal tools would get rid of the running version of the Sasser worm, but upon reboot it would be back again. This is because at least two additional services had been installed; in my case they were:

  c:\windows\system32\system.exe
  c:\windows\system32\ntmsdata\windows\svchost.exe (this folder held the original files from the attack)

When the system rebooted, one of these two services seemed to start up Sasser again by pulling a copy from "c:\windows\system32\ntmsdata\windows". The reason this original version wasn't getting snagged by the Sasser removal tool was that the permissions on the folder had been removed. After restoring the permissions for SYSTEM and Administrators, I was able to remove Sasser, and the user's A/V was able to get rid of everything else. I then removed the folder that was added by the attack.

Sorry for the long email, but I hope it's useful.
________________________________________________
Stephen Bogdanski
Network Support, MSU-CVM
Michigan State University
[log in to unmask]
A227 VetMed Center
East Lansing, MI 48824
Phone: (517) 353-5551
Fax: (517) 432-2937

>>> Tim Potter <[log in to unmask]> 05/05/04 11:10AM >>>
Has anyone had any Win 2000 machines become EXTREMELY sluggish due to one of these worms (taking 10 min. or so for every single process, mouse click, etc.)? I've run the latest/greatest removal tools from Symantec for W32.Sasser.D and done a full scan from a good machine w/ the latest NAV definitions (5/4) & come up with nothing. An ACNS help desk tech. was confident that the Sasser worm was causing this sort of problem on other PCs around campus, but I've only seen others here describe random reboots so far.

Any thoughts or advice would be appreciated,

Tim

**********************
Tim Potter <><
Information Officer
MSU Alumni Association
E. Lansing, MI 48824
Toll-free: 877/ MSU-ALUM (678-2586)
Ph: 517/432-1160
Fax: 517/432-7769
Stay Connected! www.msualum.com
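The three defensive steps this thread describes (the read-only dcpromo.log mitigation in the top reply, the hunt for the extra services Steve found under system32 and system32\ntmsdata, and restoring SYSTEM/Administrators access on the drop folder) as one added PowerShell example that is not part of the original thread. It assumes a current Windows host with PowerShell 5.1 or later and an elevated session; the function names are my own.

```powershell
# Added example, not from the original thread. Assumes Windows, PowerShell 5.1+,
# and an elevated (administrator) session. Function names are my own.

# Mitigation from the top reply: make %windir%\debug\dcpromo.log a read-only file.
# Returns $true when the file exists and carries the ReadOnly attribute.
function Set-DcpromoLogReadOnly {
    $path = Join-Path $env:windir 'debug\dcpromo.log'
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    return (Get-Item -LiteralPath $path).IsReadOnly
}

# Persistence described in the thread: extra services whose binaries sat at
# system32\system.exe and system32\ntmsdata\windows\svchost.exe. Flag services
# whose image is a svchost.exe outside the real system directories, is named
# system.exe, or lives under an ntmsdata folder, for a tech to review first.
function Get-SuspiciousServicePaths {
    $sysDirs = @((Join-Path $env:windir 'system32'), (Join-Path $env:windir 'SysWOW64'))
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        if (-not $s.PathName) { continue }
        # PathName is either a quoted path (may contain spaces) or a bare path plus arguments.
        if ($s.PathName -match '^"([^"]+)"') { $img = $Matches[1] }
        else { $img = ($s.PathName -split '\s+')[0] }
        $leaf = Split-Path -Path $img -Leaf
        $dir  = Split-Path -Path $img -Parent
        $why  = @()
        if ($leaf -ieq 'svchost.exe' -and $dir -notin $sysDirs) { $why += 'svchost.exe outside the system directories' }
        if ($leaf -ieq 'system.exe')                           { $why += 'system.exe image, as seen in the thread' }
        if ($img -imatch '\\ntmsdata\\')                       { $why += 'image under ntmsdata (the drop folder in the thread)' }
        if ($why) {
            [pscustomobject]@{ Name = $s.Name; State = $s.State; Path = $img; Reason = ($why -join '; ') }
        }
    }
}

# Steve's fix: give SYSTEM and Administrators full control of the drop folder again
# so the removal tool and the A/V can reach the files inside it.
function Restore-FolderAccess {
    param([Parameter(Mandatory)][string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder
    foreach ($who in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $who, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
        $acl.SetAccessRule($rule)
    }
    Set-Acl -LiteralPath $Folder -AclObject $acl
}

Set-DcpromoLogReadOnly
Get-SuspiciousServicePaths | Format-Table -AutoSize
```

Run Restore-FolderAccess against the flagged folder only after confirming it is the attack's drop folder, then re-run the removal tool and A/V as the thread describes.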