
LSASS VIRUS

Started by Darrell, May 01, 2004, 06:20:18 PM


Crazy Penis

Quote from gazzyk1ns: Nah you've clearly made him ruin his computer, you might as well kill yourself now.

I can't kill myself I've not long bought some new shoes. Thanks for the suggestion anyway.

Quote from JesusAndYourBush:
Quote from weekender: Heh, I did a reformat in three hours yesterday.

I need to do it again though, because I forgot to burn off the patches for the virus, and got hit within one minute of starting up. I am a fool.

Quote from http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html: Attempts to connect to randomly-generated IP addresses on TCP port 445.
So after a reinstall, if you block port 445 with your firewall before connecting to the net, you shouldn't get hit by it again, right?

I read somewhere about how you can stop your PC from using that port. I'll try and find it again and post it if I do.

blue jammer

If you install a firewall before you connect to the net, you can block off that port that way. Oh, and if you're behind a router it doesn't affect you: I've done loads of fresh installs of XP for people, then gone on my network to get all the updates, and it's never had an attack.
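The behaviour quoted from the Symantec write-up above (outbound connection attempts to random IP addresses on TCP 445) and the "is port 445 open to the world?" question behind the firewall advice can both be checked from a plain `netstat -an` listing. The script below is an added example, not code from this thread or from Symantec; the netstat lines it parses are a constructed sample in Windows XP's output format, and the threshold of five distinct targets is an arbitrary assumption for illustration.

```python
"""Flag Sasser-style scanning and exposed TCP 445 listeners from netstat -an output.

Added example, not from the original thread. The sample below is constructed
to look like Windows XP `netstat -an` output; the addresses are documentation
ranges, not a real capture.
"""
from collections import defaultdict

# Constructed sample: two wildcard listeners, one normal web session, and a
# burst of half-open connections (SYN_SENT) to unrelated hosts on port 445.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1054       192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.5:1101       203.0.113.17:445       SYN_SENT
  TCP    192.168.1.5:1102       198.51.100.9:445       SYN_SENT
  TCP    192.168.1.5:1103       192.0.2.44:445         SYN_SENT
  TCP    192.168.1.5:1104       203.0.113.201:445      SYN_SENT
  TCP    192.168.1.5:1105       198.51.100.77:445      SYN_SENT
  TCP    192.168.1.5:1106       192.0.2.8:445          SYN_SENT
  UDP    0.0.0.0:137            *:*
"""


def _split_endpoint(endpoint):
    """'192.0.2.8:445' -> ('192.0.2.8', 445); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = _split_endpoint(parts[1])
        rhost, rport = _split_endpoint(parts[2])
        conns.append({
            "proto": parts[0],
            "lhost": lhost, "lport": lport,
            "rhost": rhost, "rport": rport,
            "state": parts[3] if len(parts) > 3 else "",
        })
    return conns


def exposed_listeners(conns, ports=(445,)):
    """TCP listeners on the given ports bound to every interface (0.0.0.0 / ::).

    A wildcard bind is what a firewall in front of the box must cover; a
    loopback-only bind is not reachable from the net in the first place.
    """
    return [
        c for c in conns
        if c["proto"] == "TCP" and c["state"] == "LISTENING"
        and c["lport"] in ports and c["lhost"] in ("0.0.0.0", "::")
    ]


def scan_suspects(conns, port=445, min_targets=5):
    """Local addresses with SYN_SENT to at least min_targets distinct hosts on port.

    Many half-open connections to unrelated addresses on one port is the
    signature of a host sweeping random targets, as quoted from the Symantec
    description. Returns {local_ip: sorted list of remote hosts}.
    """
    targets = defaultdict(set)
    for c in conns:
        if c["proto"] == "TCP" and c["rport"] == port and c["state"] == "SYN_SENT":
            targets[c["lhost"]].add(c["rhost"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def assess(text):
    """Convenience wrapper: parse once, return both findings."""
    conns = parse_netstat(text)
    return {
        "exposed": [(c["lhost"], c["lport"]) for c in exposed_listeners(conns)],
        "scanning": scan_suspects(conns),
    }


if __name__ == "__main__":
    # On a live XP box you would feed in the output of `netstat -an` instead.
    report = assess(SAMPLE_NETSTAT)
    for host, port in report["exposed"]:
        print(f"listener on {host}:{port} is bound to all interfaces")
    for src, hosts in report["scanning"].items():
        print(f"{src} has half-open 445 connections to {len(hosts)} hosts: {hosts}")
```

SYN_SENT entries are short-lived, so one snapshot can miss a quiet sweep; run the check a few times a minute apart before concluding a box is clean. A wildcard listener on 445 by itself is normal on XP (it is file sharing), which is why the thread's advice is to block the port at the firewall before the machine is reachable from the net, not to wait until something shows up in netstat.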

untitled_london

Quote from Crazy Penis: I'm confused.
When untitled_london posted the link to symantec there wasn't a link for the removal tool on that day. The page showed only how to remove it with NAV or manually.
...
Someone tell me I'm right, or better still make me stand corrected like a man with an orthopedic shoe.

This tool.
http://securityresponse.symantec.com/avcenter/FxSasser.exe


hey...... i never posted a link. someone else posted a link that looked like a link to a symantec removal tool (which IME have an excellent record). all i've done so far is say:

USE SYMANTEC CORPORATE 9 & OUTPOST FIREWALL 2.0

they actually work, are really easy to use, and are generally a zillion times better than anything suggested in this thread so far (zillion = technical term btw)

Rev

Or don't use XP, of course.  The great thing about rockin' it old-skool with '98 is that, not only can you run software that's more than two years old, you're also pretty much immune to viruses, as these l337 c0ck5^><0rz don't bother with it anymore.

Crazy Penis

Quote from untitled_london:
Quote from Crazy Penis: I'm confused.
When untitled_london posted the link to symantec there wasn't a link for the removal tool on that day. The page showed only how to remove it with NAV or manually.
...
Someone tell me I'm right, or better still make me stand corrected like a man with an orthopedic shoe.

This tool.
http://securityresponse.symantec.com/avcenter/FxSasser.exe


hey...... i never posted a link. someone else posted a link that looked like a link to a symantec removal tool (which IME have an excellent record). all i've done so far is say:

USE SYMANTEC CORPORATE 9 & OUTPOST FIREWALL 2.0

they actually work, are really easy to use, and are generally a zillion times better than anything suggested in this thread so far (zillion = technical term btw)

sorry. It was @ssmaster. Sorry. Sorry.

Marcus Or Relius

Fucking shit, my other machine has got this cunting virus now, despite having a firewall and all that bollocks.

By the hairy, spunk-farting bum of the God Almighty, I swear that if I ever get my hands on any virus writer, I shall ram a twig from a thorn bush right down their japs-eye and twirl it round, first clockwise, then anti-clockwise, the lacerations to the inside of the miscreant's urethral canal being but a prelude to further punishments.

I downloaded the Symantec programme for this virus. This had better work, or else I'm going to bellow some more rude words, maybe even the 'F' one. I'm not bluffing!

untitled_london

Quote: sorry. It was @ssmaster. Sorry. Sorry.

oh dear, i fear i'm getting a reputation for ranting & shouting

:blush smiley:

marcus, the removal tools that symantec have are of pretty good quality.

my advice is boot into safe mode (network options off), and run it from there (it'll be a lot faster). repeat as necessary for each machine. you could leave the network options on, to save the 30 secs it'll take to load the removal tool from one machine to the other, but i'd say err on the side of caution and don't risk the bugger jumping back and forth across your network (been there, done that)

i've only ever used a couple of their tools, but they have always done a stand up job. a good few friends have had similar experiences.

Marcus Or Relius

Thanks for the various tips untitled_london. The Symantec programme claimed I didn't have the virus after it'd finished, although everything seemed to be working once it had finished its sweep (whereas before I ran it nothing would open; system-restore, AV progs, etc). Maybe it meant I didn't have the virus cos it'd removed it without specifically informing me of such an event. Hmmm.

I've disconnected that machine from the network and have just been getting any tools I need via the other PC, putting them on a floppy and transferring them that way. Slow but safe.

I've updated my Anti-Virus software (Sophos) and it's now scanning the unclean machine. Running an 'All files' scan on a nearly-full 120GB disc is gonna take a fucking age though.

Just as an aside, I used to have a free little programme called Active Ports that allows you to monitor and block network traffic on specific ports. I haven't used it in ages but I think I'll install it again when everything is all fixed, it might come in handy for such things. It's at http://www.ntutility.com/freeware.html

Pinball

I do regular Windows Update & have ZoneAlarm firewall & never had a problem.

Marcus Or Relius

I use Zone Alarm too, normally it chases away any TCP/IP mischief with a big stick, this is the only time I've had any virus type hassles.

Anyway, it seems fixed now. I'll see if I can be arsed to do a Windows Update, normally it takes so fucking long because there's so many bugs to patch up.

weekender

Quote from Marcus Or Relius: I'll see if I can be arsed to do a Windows Update, normally it takes so fucking long because there's so many bugs to patch up.

Heh, 46 'critical' updates for me following a complete reinstall of XP.  Nice.

TraceyQ

Fucking Cunting Arsing Wanking cunts.
I'm riddled with a worm that I cant get rid of. I cant locate the file and I've found out it will eventually stop me using Norton and my firewall.

I did the blocking thing and deleting for the spyware but every time I start up the file just changes itself. The Cleaner picks up the change, but again I can't locate the changed file. It's called regen or something, I've done a reboot and am re-scanning... according to symantec it's been about since last December but my scanner has only picked it up after it updated today.

I'm in two minds just to wipe the drive and start again.

Marcus Or Relius

I got it again yesterday, whilst trying to download the patch, and a fresh re-install was the first thing that occurred to me. I got rid of it eventually without the re-installation plan, but any more shit like this and I'm going to renounce technology, burn everything I own that has a plug and then I'll go and live in a hut made of empty baked bean cans, like Stig Of The Dump.

TraceyQ

I rebooted and did another scan and there's nothing there anymore. The rogue file appears to be wurmgrd.exe. I thought I had deleted it yesterday.

Edit: Marcus, can I come and live in your hut?

untitled_london

i feel for you two i really do, it seems as though this is a pesky bugger to get rid of.

i haven't done the requisite update yet.... but then again, i'm hoping to do a re-install in the next couple of weeks anyways...

Sherringford Hovis

Quote from gazzyk1ns: Yeah most Viruses are written by Linux-lovers...

Way to perpetuate the myth - but...
Windows users flatter themselves that we Tuxters actually give enough of a shit about your retarded choice of OS to even waste our time bothering to annoy you. If you must run XP, then just don't use Internet Exploder or LookOut, that'll slash your vulnerabilities at a stroke, and by using something like Mozilla, your surfing and email experience will be more-or-less indistinguishable from using the MS apps. Won't stop a determined port scan though, so sensible precautions against crackers still need to be taken.

Quote from gazzyk1ns: well, Windows-haters, I suppose. The message is usually meant to be "Why pay for Windows when this sort of thing happens? Linux is free and it's immune...".

No it isn't - the message most virus writers want to put across is completely egotistical. Over 90% of UK Linux users that were surveyed agree that there is room in the market for BOTH proprietary and Open Source operating systems (Linux Format magazine, April 2003) - after all, since companies that offer commercial Linux releases mostly make their money from offering support packages rather than selling software, one could argue that the Linux business model actually has MORE to gain from flogging dodgy programs that don't work properly and being prone to malware than Microsoft does.

Quote from gazzyk1ns: I like Linux but the people who write viruses are just bored, I33+ twats.

*nix rules, which is why I run OS X and Linux. People that write viruses are the same people who make a lot of money writing programs to protect you from them - think about it...

mook

This might cheer up a few of you who got hammered by the virus..

Quote: An 18-year-old high school student has been arrested in Germany on suspicion of creating the Sasser internet worm, police say.

Little fucker.

http://news.bbc.co.uk/1/hi/world/europe/3695857.stm

Marcus Or Relius

Hang him! Hang him! Hang the cunt!

untitled_london

Ars News Linky

Quote: Posted 05/08/2004 @ 7:35 PM, by Fred "zAmboni" Locklear

Four variants of the Sasser worm recently spread around the world causing problems in Hong Kong hospitals and Taiwan post offices, in addition to delaying British Airways flights. The worm has slowed its spread and now law enforcement authorities helped stop the spread of future Sasser variants by arresting the worm's suspected author in Germany.

   "As a result of the student's detailed testimony about the viruses he spread, he has been identified clearly as the author," the state criminal office in Hanover said in a statement. Spokesman Detlef Ehrike said he is being investigated on suspicion of computer sabotage, which carries a maximum sentence of five years in prison.

This arrest is a major accomplishment on several fronts. The suspect is believed to be the author of several, if not all, of the Netsky variants. Also, the arrest is proof that reward money can lead investigators to the right person. Information that led to the arrest came from individuals who wanted to cash in on Microsoft's Antivirus Reward Program.

   Microsoft investigators told the informants, who had asked whether they would be eligible for a reward, that they would consider paying $250,000 if the information led to the arrest and conviction of those responsible. [Microsoft lawyer Brad] Smith said the arrest was a sign that such rewards work.

   "We believe this is an important step forward in the industry's ability to fight malicious code on the Internet," he said.

Wait! There's more! Armed with information from U.S. authorities, German police arrested a 21-year old who later admitted to creating the Phatbot worm. They are also investigating five others who may have helped in the programming of Phatbot. Officials said the two arrests were not connected, but they stopped short of saying the two were not associated with a larger programming group. It is believed that both Sasser and Netsky were written by one or more groups that may include the so-called "Skynet anti-virus group" and investigators are looking to see if the arrested individuals are affiliated with the group. With Microsoft reward money available to loosen lips, the investigators' job may have gotten a bit easier.

normally i'd add in all the linky's in the article...but...blah

bugger mook beat me to it...by a long chalk too :blush:

Hairy Chin

Heehee 'Ars News'

untitled_london

:blush: again

yeah, they're normally 'quite' good on the techy stuff, but, i guess this had more agencies covering it than they are able to compete with.

bloody hell tho, it's bad for them if even the BBC beat them to the punch on a tech story.