Microsoft's Sasser Knowledge Page

Straight_Man Geeky, in my own way Naples, FL Icrontian
edited May 2004 in Spyware & Virus Removal
http://www.microsoft.com/security/incident/sasser.asp

Has lots of info on Sasser, and how to fix it. A computer that is online and running 2000 or XP can normally run the autofix tool for Sasser from this page. If the text in the button is grayed out, or invisible, click the download link in the paragraph below it, and please run this tool.

The title is apt; it talks about computers mysteriously shutting down. Most infections are on HOME USERS' computers, and a good firewall DOES help protect your box from some of the virus effects.

Sasser.D, one variant, was first said to be a network attack. It is, but what it basically does is this:

Sasser.D alternately sends ICMP Echo requests and listens, in a continuous cycle. Without a firewall blocking ICMP Echo, your box will be loaded by this virus, and the Internet junk traffic of echo traffic blocking and interfering with Internet USE by sheer volume (an estimated minimum of 500,000 boxes were doing this two days ago and were infected). When it hears responses, it tries to transmit itself to responding boxes.

Summary of Fix:

Use a good firewall, hardware or software. Sygate can block ICMP echoes in and out, and if your computer does not respond to ICMP Echo requests it will not get the virus, as the virus spread is triggered by response to an ICMP Echo request. My hardware firewall blocks the same, and in fact my AV has not detected Sasser on my XP box or my Mom's 98 SE install, not even infection attempts. Note here, Sasser is an NT-attacking virus; ALL 2000 (SP1 through and including SP4) and XP boxes are vulnerable unless the MS04-011 patch (patch number 835732) has been installed. If you scan and your box is not infected, go to Microsoft WindowsUpdate or get the patch directly using the download links in the document and install the patch locally. Microsoft says to load a firewall first if you do not have one in hardware firewalling, and if hardware, check for and block ICMP Echo responses PLEASE.

One thing: if you do not think, or are not sure, that you have this patch, you can get and run the installer again from the direct download link at the page I linked to in this post. It will tell you if your box IS patched and not reload itself if the patch is there.

If you want details beyond what the page I have linked to offers, Microsoft has an off-site set of links to 8 AV manufacturers' Sasser info pages down below their explanation. I am going to let Microsoft pay the bandwidth bill on this one, and not replicate those here.

Please, for your own browsing speed and to not have apparently random and mysterious computer shutdowns whether or not you are browsing, do these things outlined here and on the Microsoft Sasser page. NOTE, I got word of Sasser on April 14, and the first def that same day, for the first version. I know of 4 versions now; what I was told about as Sasser has been called Sasser and Sasser.A, but Sasser now has A through D variants. This applies to 2000 and XP boxes. 98 does not use the affected LSASS control measures, nor does Me, but a firewall blocking ICMP Echoes will help those boxes also, as they by default respond to this kind of request also. So, simply to deload the box, ALL Windows boxes should be behind a hardware firewall or have software firewalls on each of them. Sygate and Tiny Firewall are the smallest and least loading firewalls I know of right now, and Sygate is better if your computer can run it and still do the other things you do with your computer. In this case, plain interfaces without fanciness lead to less system load. I have run Tiny and Sygate on 98 and up through XP, and use one firewall per box at any one time.

Comments

• Jimborae Newbury, Berks, UK New
    edited May 2004
    John,

    I have tried patching both my boxes with patch 835732 after scanning them for the virus but each time after rebooting it says on the windows update page that I need to install the update again.

    Neither box ever had the virus or showed signs of having it as far as I'm aware, and both sit behind a firewall on my router. In the end I gave up and stopped checking, but every now and then I get the reminder that there are new updates ready to install and it is always patch 835732.

    Any ideas as to why the patch mysteriously disappears?
• Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Jimborae wrote:
    John,

    I have tried patching both my boxes with patch 835732 after scanning them for the virus but each time after rebooting it says on the windows update page that I need to install the update again.

    Neither box ever had the virus or showed signs of having it as far as I'm aware, and both sit behind a firewall on my router. In the end I gave up and stopped checking, but every now and then I get the reminder that there are new updates ready to install and it is always patch 835732.

    Any ideas as to why the patch mysteriously disappears?

    IF this is a 2000 or XP box, very possibly either another virus or you did not reboot\restart Windows right after patching. The patch registry entries will not show up until after a restart, and the update software looks at committed registry entries local to your computer to see if the patch has been applied. It does not send the registry to Microsoft.

    IF IT vanishes after a patch and immediate restart of XP or 2000, make sure you applied it as a user who has administrative privileges, IE as your administrator account on the computer. IF you have DONE ALL this in one application session, make dang sure the WindowsUpdate site has cycled to the successful patch page IN Internet Explorer saying the update has occurred before restarting ALSO.

    If it still vanishes, get a copy of the latest Stinger and the latest trial F-Prot, install and run both with the computer offline before running, and scan for viruses with BOTH. 90% bet you have a virus somewhere on the computer, and I would also do what follows as part of this process:

    TURN off system restore with the Microsoft services console and have F-Prot scan all files including archives.
    Then look at F-Prot's scanning log. See if any backup\restore files have virused files in them and delete same.

    THEN reboot and reapply the patch, but this time get it from your HD, before you do all this, by NOT going to Microsoft's update page, but rather getting the patch directly from the direct download link BEFORE you even do the virus scan. F-PROT will scan the patch for viruses as it does an archive and all files scan, and Sasser does NOT infect the patch archive. So, the patch should be still clean even if you download it with a Sasser infection present.

    Anything that does not scan archives and ALL files, IF you run it as a non-admin user and there is a killed virus present in the restore point, does not rule out a system restore point being present with a virus in the backup\restore archive that XP can use and reinfect your computer in so doing. It only checks for active viruses in files the user running it can access. There are viruses that can stick registry entries in XP's registry that can cause a restoration of a virus from a restoration archive made by XP, which can happen with zero warning to the user and with no notification that this has happened, except that the machine gets reinfected. I have killed Blasters in restore points by using F-Prot in full scan mode, fully aggressive, running it as admin, and deleting the restore point files. Other viruses that show as services OR use services, if the computer has had a restore point made after infection but before DETECTION, can have infected restore points, AND if the registry is not cleaned up before a restart and after file deletion without a restart, the box can get self-reinfected by autorestore because the current registry says this is needed by the system and Windows looks at restore points to autorecover.

    What I do to handle this situation is this:

    Full scan of all files and archives, as admin, every time I run an AV on XP, which is daily. I check the log; this is scheduled. Actually, F-Prot will tell me and leave a dialog up until I close it if it finds a virus in an archive. IT does not devirus archives deliberately; instead it detects only, to avoid infection as the file is unarchived. BUT, between a log exam and this program, you will know if anything on the box has a virus among 114,700+ possible viruses, or if anything F-Prot has suspicions about from its heuristics, this way.

    The reason for Stinger also is that F-Prot in trial version does not have all viruses in it, and Stinger knows the most common ones. If Avast AND F-Prot AND Stinger find nothing doing this, I would say we have an unpublicized need for something else to be in place before MS04-011, IF and only if the patch will not apply and vanishes after all that.

    Note the Microsoft fixer will not run if MS04-011 is not in place first, but once you get it there and staying there you can run the Microsoft Sasser fixer to verify Sasser is missing in toto, and should.

    Once you get the patch on and the box cleaned, make exactly one restore point with System Restore on and Avast running in active scanning mode, and then choose to enable or disable the automatic restoring of things. Make a restore floppy, back up everything, and if you have two HDs, tell it to back up to another HD than the XP booting one INSIDE the recovery routine; then the floppy will know where the file actually is, and not think it is somewhere else.

    90% chance you have another virus active OR one of the other things I pointed out is true.

    By making Root registry entries, and\or registering things as required by AND\OR AS system services, virus writers have partly penetrated XP's Autorecovery process. I have had this happen to my XP box with Blaster. F-Prot discovered this for me. NAV is off my box, period. F-Prot made their software scan archives by default when I asked them to over a month ago. Check and see if your F-Prot trial does this by looking at the log, and if you do not understand and cannot figure out how to do this, I will tell you in detail. Anyone with this kind of "patch does not apply" thing can go to my personal site and leave feedback with this issue; it will get replied to if the message topic PATCH VANISHES is used. That website is http://www.johndanielsonii.com/ I scan all email AND email from a Linux box, and the site is NOT on a Windows-based server. I will reply using the same message topic. If that topic gets compromised, I will change it.

    Now you know why I act so paranoid about virus related things in regard to XP.

    John D.
• Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Um, John, I installed the patch, rebooted, and it still tells me it's not installed. Um, I ran TrojanHunter, my AV prog with heuristics on, Sasser fix, and it still tells me it's not installed. Um, I don't have a virus.
• Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Mr. Kwitko wrote:
    Um, John, I installed the patch, rebooted, and it still tells me it's not installed. Um, I ran TrojanHunter, my AV prog with heuristics on, Sasser fix, and it still tells me it's not installed. Um, I don't have a virus.

    I think you have another virus, or the update process is compromised, or the box is trojaned if you think of trojans as different from viruses. Try again, same download, this time with system restore off, while logged in as admin and with the box offline from web or LAN. IE: Isolate the box first, turn off system restore, apply the patch from the download, and see what it says in Add\Remove Programs afterwards. This is not an IE patch per se; it will not show up in IE's patch list. This is a core local system user access and privileges integrity patch; the number will show up in Add\Remove Programs as that patch number, not as MS04-011, AFTER a restart, unless Microsoft has disabled uninstall for this patch AFTER I patched my XP box.
    Logging in the system console should also show this happened if logging is on and the services that are required for it to work are on. You also need to scan all files, AND be running AV as admin, not JUST turn on heuristics.

    Here is another way to check:

    The LSASS.EXE version included in that patch was created at Microsoft in March of 2003. You can, as admin, do this:

    Go into Search, while logged in as administrator. Look for two files that are named LSASS.exe.

    One should be in a path with System32 at its end, and have the following properties:

    Creation Date EXACTLY like this info March 31, 2003 8:00 AM

    Modified date should be identical to the Creation Date.

    Accessed date is not relevant, should be current date and time. File should be 11,776 bytes in size for the first size spec (size on HD will vary, not relevant).

    That is the exact properties set for LSASS.exe included in the patch I installed when I loaded MS04-011 from a downloaded archive off TechNet. And it is in the archive still that way.

    If your LSASS.exe file compares to this, I will get the data for other files and you can hand check. Either the thing appears to have vanished, or Microsoft modded the installer and patch since I downloaded and installed MS04-011 from TechNet. I have the archive I downloaded archived in three places and can get properties from all of them; I did only one file for now. Let's get this mystery solved definitively.
• BlackHawk Bible music connoisseur There's no place like 127.0.0.1 Icrontian
    edited May 2004
    I had the damn thing. When I ran the patch, the damn thing erased my shutdown.exe. I formatted and applied the fix before installing the lan drivers.
• Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    I had the damn thing. When I ran the patch, the damn thing erased my shutdown.exe. I formatted and applied the fix before installing the lan drivers.

    Which kept your box offline until patched, almost perfect way to do all patches, and in your case by doing a clean install you had no restore points that COULD be infected.
• Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    No virus, no trojan. I have ZoneAlarm installed on the strictest settings, and nothing has tried to "phone home". MS04-011 is listed as being installed in Add/Remove programs after multiple reboots.

    My AV scans all files, running as an admin, with definitions updated daily, *with* heuristics on *and* alternate data streams scanned.

    The MS Sasser page shows my machine as being clean.

    I'm going to reboot one more time and I'll check the date of lsass.exe.

    After reinstalling the patch and rebooting, lsass.exe lists itself as:
    Version: 5.1.2600.1106 (xpsp1.020828-1920)
    Created: Thursday, August 23, 2001, 8:00:00 AM
    Modified: Thursday, August 29, 2002, 6:41:26 AM
• Jimborae Newbury, Berks, UK New
    edited May 2004
    I "was" in kwitko's position. I have now installed the patch and it now shows as no further patching necessary. It looks like the patch has finally taken; however, I'm sure that there were no other trojans on the boxes, as I too have run Trojan Hunter, had ZoneAlarm on one of the boxes, and run the Sasser removal tool on both etc.
    I wonder if Microsoft updated their patch over the last few weeks?
• Straight_Man Geeky, in my own way Naples, FL Icrontian
    edited May 2004
    Jimborae wrote:
    I "was" in kwitko's position. I have now installed the patch and it now shows as no further patching necessary. It looks like the patch has finally taken; however, I'm sure that there were no other trojans on the boxes, as I too have run Trojan Hunter, had ZoneAlarm on one of the boxes, and run the Sasser removal tool on both etc.
    I wonder if Microsoft updated their patch over the last few weeks?

    NO.

    Also check this file with Search, both you and Mr. Kwitko, please:

    26-Mar-2004 19:43 5.1.2600.1361 667,648 Lsasrv.dll (with sp1)


    Source link for info I gave in that line is here:

    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    Open the following after getting there.

    Click on Security Update Information, then the text that has your operating system in it. You will get file properties; go by version of file. I got an updated LSASS.exe also, same dating as I listed, and applied the patch off TechNet. I had it before the page I am linking to was created, and the same day as TechNet had it. I have the same versions of the file as they list, different dates for create, same for modified date as I showed and am linking to.

    Microsoft's Sasser checker says I am not Sasser virused, the Sasser checker runs, and I applied original patch set.

    Note OR LATER in the dating of the list; go by version, and note TWO lsasrv.dll files were included. This version I gave you properties for in this message matches the one on my XP SP1 box in the /Windows/System32 folder. I have /Windows/LastGood/System32 folder entries with old ones of this file in them, and the old one prior to the patch of this lsasrv.dll name has a version that ends in 1106.
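The "go by version, OR LATER" check above can be done mechanically: parse a file entry in the style of the bulletin's file table and compare it numerically against the version shown in a file's Properties dialog. This is an added example for this thread, not code from the forum or from Microsoft; the sample lines are constructed from the version numbers quoted in the discussion.

```python
import re
from typing import Tuple

# One file entry in the style of the bulletin's file-information table:
# date, time, version, size, filename, optional note.
BULLETIN_LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<version>\d+(?:\.\d+){3})\s+"
    r"(?P<size>[\d,]+)\s+(?P<name>\S+)"
)
# A version as shown in a file's Properties dialog, which may carry a
# build tag such as "(xpsp2.040109-1800)" after the number.
VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")

def parse_bulletin_line(line: str) -> dict:
    """Return the fields of a bulletin file-table line; raise on malformed input."""
    m = BULLETIN_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a bulletin file entry: {line!r}")
    d = m.groupdict()
    d["size"] = int(d["size"].replace(",", ""))
    return d

def version_tuple(text: str) -> Tuple[int, ...]:
    """Extract a dotted four-part version and return it as integers."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_patched(installed_version: str, bulletin_line: str) -> bool:
    """True if the installed file is at or above the bulletin's version.

    The bulletin says 'or later', so compare numerically, not as strings:
    a string comparison would rank 5.1.2600.999 above 5.1.2600.1361.
    """
    required = version_tuple(parse_bulletin_line(bulletin_line)["version"])
    return version_tuple(installed_version) >= required

# Constructed sample inputs echoing the values quoted in the thread.
LSASRV_BULLETIN = "26-Mar-2004 19:43 5.1.2600.1361 667,648 Lsasrv.dll (with sp1)"
PATCHED_LSASRV = "5.1.2600.1361 (xpsp2.040109-1800)"   # reported after patching
PREPATCH_LSASRV = "5.1.2600.1106 (xpsp1.020828-1920)"  # constructed pre-patch build

if __name__ == "__main__":
    for v in (PATCHED_LSASRV, PREPATCH_LSASRV):
        print(v, "->", "patched" if is_patched(v, LSASRV_BULLETIN) else "NOT patched")
```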
• Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    Lsasrv.dll: 5.1.2600.1361 (xpsp2.040109-1800)
• Kwitko Sheriff of Banning (Retired) By the thing near the stuff Icrontian
    edited May 2004
    My home PC doesn't have the problem with the patch still showing up. My work PC does, however. Strange.