Perhaps you could try the Sasser removal tool that Microsoft provides.
It says it works for A and B, but it'd be worth trying on C too...
 
direct download:
http://www.microsoft.com/downloads/details.aspx?FamilyID=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&DisplayLang=en
 
-or-
 
Web install:  http://www.microsoft.com/security/incident/sasser.asp
 
Computer Associates has a quick web page up detailing Sasser.D.
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39037
 
I haven't noticed problems on my systems yet, but that's probably
because the worm travels over port 445 which I am blocking at the subnet
border with IPSec.
 
Jeff Bowes
 
 
 

________________________________

From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Gene Willacker
Sent: Monday, May 03, 2004 11:21 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Possible Sasser worm variants?


We are also seeing this, and the Symantec tool is not detecting on our
PCs either. The error message we see says, in part, "LSASS.exe
terminated with code 128."

Gene

On 5/3/2004 11:09 AM, Cameron Ramo Williams wrote:


        Hello fellow NAGers

        I was wondering if anyone here has found evidence of new Sasser
        worm variants on campus PCs? We have a couple PCs that exhibit
        the random reboots that make me suspect they have been infected
        with the Sasser worm, but the removal tools I downloaded from
        Symantec have been run repeatedly on these PCs in safe mode and
        have not found any evidence of Sasser. According to Symantec,
        the removal tools cover the initial Sasser worm and variants B
        and C. I just wondered if anyone else has found evidence of
        Sasser but has been unable to get a removal tool to detect its
        presence? I surmise it is some new variant that the removal
        tool is not able to locate and remove.
        Any others with this experience today?
	
        Thanks! 
	
        Cameron Williams 
        --- 
        _______________________________________ 
        Cameron R. Williams 
        Information Technologist 
        Center for Global Change and Earth Observations 
        Michigan State University 
        101 Manly Miles 
        East Lansing, MI 48825 
        (517) 432-4675 
        [log in to unmask] 
	


-- 
Gene Willacker
Systems Analyst
H&FS Systems Operations Group
Michigan State University
Food Stores Building
East Lansing, MI 48824
1-517-353-1691