Author Topic: Sasser virus  (Read 4723 times)

jesse

  • Guest
Sasser virus
« on: May 17, 2004, 11:53:51 PM »
What operating system are you using? (e.g. Windows 2000 Server...)  Windows XP
What version of avast! are you using? (e.g. 4.0.160 - you can find this information in "About avast!..." dialog)  AVAST 4 Home
What version of VPS file are you using? (e.g. 0303-10, 04/15/2003 - you can find this information in "About avast!..." dialog) 0420-4 05/14/04  
How do you connect to Internet? (e.g. dial-up, using proxy server, using firewall...) Dial-up
Do you use some other security software? Which one? (e.g. Norton Antivirus...) Norton
Hello,
 
I am helping a friend with her new HP laptop.  She had Norton anti-virus on there, but the subscription expired and she had gotten infected by the Sasser virus.  I was able to remove the virus and installed AVAST! 4 Home.  I then disabled auto-protect, script blocking, and e-mail scanning in Norton.  I don't want to completely uninstall it (if I don't have to) as Norton came already installed on the computer and she doesn't have the CD to reinstall if she decides to later.
 
When I reboot, I get a message that AVAST found Norton and, since both systems can't be running, a few features were disabled.  I then checked the AVAST program to re-enable whatever was disabled, but couldn't find anything disabled.  I did a thorough scan, found the system to be clean, and returned the laptop to my friend.  While I was showing her the changes I made, we logged onto the internet for about 1 minute.  Then we uninstalled AOL (she doesn't want it on there and wanted to know how to uninstall a program), and then rebooted.  She started having problems with her computer again, like she had when she gave it to me.  I did some testing and found the Sasser virus again - this time in other files.  
 
My questions are these - if it was new (from the 1 minute we were on the internet), why didn't AVAST block it?  If it was already on the computer in other files, why didn't the thorough scan find it?  Is there something else I can disable in Norton to keep Avast from disabling the features it is (if it actually is disabling them)?  If you need details about what it is disabling, I will get those to you tonight.
 
So far, I am impressed with your program and hope I can resolve this one problem.

neal62

  • Guest
Re:Sasser virus
« Reply #1 on: May 18, 2004, 12:53:37 AM »
This Sasser worm WILL continue to reappear on your friend's pc. If it's WinsXp I suggest you disable the "System Restore" feature, then try and remove the Sasser. There are about 5 different variants of this worm. You might want to use the "Avast Virus Cleaner" to do this for you. If the System Restore is on (on by default), this will allow any infection to get into the System Restore Files. When you turn off the System Restore feature, reboot the pc, get rid of the Sasser, and then eventually turn the Restore feature back on, that will allow the infected files in the Restore system to be manually purged clear of the Restore set of files.  The Sasser worm looks for a WinsXp or Win2000 pc that is not "port" protected. It seeks out the unprotected pc's I.P. address, and then enters through the unprotected port. Keeping the pc updated by using Wins Critical Updates will effectively block these ports so they cannot be compromised. This and using a good firewall are the main means of protection from this type of infection. Most Anti Virus protection programs at times will not offer complete protection of the vast number of ports that can be unprotected.
« Last Edit: May 18, 2004, 12:58:52 AM by neal62 »

jesse

  • Guest
Re:Sasser virus
« Reply #2 on: May 18, 2004, 05:44:14 AM »
Hi Neal62.  Thanks for the reply.

I did turn the System Restore off before going in and removing the virus.  Then I rebooted and searched for the virus again and things looked okay.  I then did a complete thorough scan and all was clean.  The System Restore was then turned back on.  I then took it back to my friend's house and we connected via dialup.  All still looked great until we rebooted again and tried to connect to the internet.  That is when we knew we were in trouble - it wouldn't connect.

So you don't think it was a new infection.....maybe just one waiting dormant and that is why AVAST didn't catch it?

Also, as I mentioned, I have Norton on her PC but disabled in every way I can find (it came on the PC and I don't want to completely uninstall it if I don't have to).  When I boot up, it says "Avast! Incompatible AV Software Running.  Avast! detected that the following program is running: Norton Antivirus/Symantec Antivirus.  The on-access scanner module of this program and the on-access scanner of Avast! cannot be active at the same time.  As a result, the avast! main on access scanners - Standard Shield, P2P Shield and Instant messaging Shield - were disabled."

I looked through the AVAST program and everything looks like it is enabled.  Does anyone know what this means?  

Offline MikeBCda

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2247
Re:Sasser virus
« Reply #3 on: May 18, 2004, 06:46:45 AM »
Hi Jesse,

If you do a search here (or maybe someone will come along with a handy link for you), you find that you'll have to clean NAV totally out of the system to get avast to work properly, and that's a fairly major project.  But you'll find it's well worth the effort -- there's one heck of a lot of happy avast users who'll tell you that quite often avast has caught things for them that had previously slipped right by Norton's.

In general, of course, you can never have any two resident-protection programs active at the same time.  But NAV in particular has a well-deserved disrepute for being extremely ill-behaved in many ways -- and if you can get a better one, like avast, for free, so much the better.

Feel free, of course, to throw any additional questions / comments / suggestions / whatever at us any time.

Best,
Mike
Intel Atom D2700, 2 gig RAM, Win 7 x64 SP1 & IE-11, Firefox 51.0
(default). 320 gig HD, 15Mb DSL, Win firewall, Avast 12.3.2280 free, SpywareBlaster, MBAM Prem., Crypto-Prevent

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11863
    • AVAST Software
Re:Sasser virus
« Reply #4 on: May 18, 2004, 09:28:36 AM »
So you don't think it was a new infection.....maybe just one waiting dormant and that is why AVAST didn't catch it?

No, the reason is that this worm doesn't use the usual means for spreading (e-mails, files) - it spreads thanks to an error in a network protocol, and an ordinary antivirus cannot prevent the infection. To avoid repeated infection, you have to install the necessary Microsoft updates; without it, the worm will infect the computer again and again. A properly configured firewall may be able to avoid the infection as well, but the patches should be applied nevertheless.

CharleyO

  • Guest
Re:Sasser virus
« Reply #5 on: May 18, 2004, 09:35:15 AM »


Update! Update! Update! Everyone using Windows OS should visit the Windows Update site at least once a month!  



jesse

  • Guest
Re:Sasser virus
« Reply #6 on: May 19, 2004, 04:27:25 PM »
Thanks everyone.  I updated with the new virus definitions and then it found the Bobax virus.  Why didn't the firewall I turned on two days ago and the Avast block this?  Might it have already been on the computer and was just caught because of the updated definitions?  You guys are so helpful!  Thank you.