GAOBOT and Sasser
Straight_Man
Geeky, in my own wayNaples, FL Icrontian
I have found some interesting info about Sasser. One of its variants uses Gaobot, and Kaspersky has a killer that will remove Sasser if that is what your GAOBOT problem actually is and remove all variants of Sasser up through Sasser.d, kill the bot, and fix your registry as to the entries Sasser might have made. Let me in fact give you the email text regarding Sasser:
One of the things it deletes is the bot files as well as their registry entries. Unlike the Microsoft killer, the Microsoft update does not have to be on the box first for this to work, and if it finds a Sasser it will nag you once per run to get the patch. Frankly, this patch is so important, that I think the NAG is justiifed. I wondered how the heck we had so many dang Omegasearch things with Gaobot appearing suddenly, might well be NOT Omegasearch for some folks. Just to tell you how long I have been busy researching some of this junk stuff, this got here YESTERDAY and I just read it an hour and a half ago.
Download file name will be clrav.zip, and it is a tiny thing you can run from a floppy if needed after you extract the zip. If you run XP, you do not even have to bother with winZip, just click on the file, run the file in the new window that pops up, and it will do its thing. I recommend reading the readme in teh same directory, notepad should open and show it to you if you double-click on it. Yes, you are talking to Kaspersky Lab's FTP download server for this.
From Kaspersky Labs' Virus News email newsletter
Clean your computer now
Kaspersky Labs, a leading information security software developer, now
has a free utility to remove the network worm Sasser.
(http://www.viruslist.com/eng/alert.html?id=1437429) The utility can be
downloaded from ftp://ftp.kaspersky.com/utils/clrav/.
(ftp://ftp.kaspersky.com/utils/clrav/)
This program will detect active copies of the worm in computer memory,
deactivate the copies, delete infected files from hard and network
disks, and restore the Windows system registry by deleting the link
which Sasser creates to itself. In addition to fully restoring the
functionality of the infected machine, each time the program detects a
copy of the virus, before deleting the file, it will display a reminder
to download a patch for Windows to close the vulnerability used by
Sasser. The patch can be downloaded free
(http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx) from
the Microsoft site.
One of the things it deletes is the bot files as well as their registry entries. Unlike the Microsoft killer, the Microsoft update does not have to be on the box first for this to work, and if it finds a Sasser it will nag you once per run to get the patch. Frankly, this patch is so important, that I think the NAG is justiifed. I wondered how the heck we had so many dang Omegasearch things with Gaobot appearing suddenly, might well be NOT Omegasearch for some folks. Just to tell you how long I have been busy researching some of this junk stuff, this got here YESTERDAY and I just read it an hour and a half ago.
Download file name will be clrav.zip, and it is a tiny thing you can run from a floppy if needed after you extract the zip. If you run XP, you do not even have to bother with winZip, just click on the file, run the file in the new window that pops up, and it will do its thing. I recommend reading the readme in teh same directory, notepad should open and show it to you if you double-click on it. Yes, you are talking to Kaspersky Lab's FTP download server for this.
0