Author Topic: Sasser worm  (Read 2859 times)

Offline girasole

  • Newbie
  • *
  • Posts: 4
  • I'm a llama!
Sasser worm
« on: May 01, 2007, 04:29:33 PM »
I have a question. My friend's computer was infected by the Sasser worm but avast didn't detect it; she only managed to get rid of it by running NOD32. How is that possible? Not only is that worm not new malware, but it is already in the virus definitions.

Thank you
G

Offline RejZoR

  • Polymorphic Sheep
  • Starting Graphoman
  • *****
  • Posts: 7812
  • Gender: Male
  • We are supersheep, resistance is futile!
Re: Sasser worm
« Reply #1 on: May 01, 2007, 05:01:14 PM »
I hardly believe that. The Sasser worm has been in the definitions for ages. Even Network Shield can block it.
Is avast! actually the latest version and with fully updated virus definitions?

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69236
  • Gender: Male
  • No support PMs thanks
Re: Sasser worm
« Reply #2 on: May 01, 2007, 05:27:49 PM »
If they got infected by Sasser, their operating system is also way out of date, as the Sasser vulnerability should have been patched ages ago. As RejZoR said, the Network Shield should have been able to detect this exploit attempt, assuming that their operating system supports it and the Network Shield is enabled.

What is their operating system ?

Quote
Sasser.Worm is a worm that attempts to exploit the vulnerability described in Microsoft Security Bulletin MS04-011
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2478
Re: Sasser worm
« Reply #3 on: May 01, 2007, 06:37:27 PM »
Did NOD actually identify it as Sasser, or did it say lsass.exe was infected by something?

There is malware that drops a file named lsass.exe, malware that can infect lsass.exe, and malware that can replace lsass.exe with an infected version without actually being the lsass exploit.
"If at first you don't succeed keep on sucking 'till you do succeed" - Curley Howard in Movie Maniacs (1935)
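The distinction mauserme draws above (a dropped file merely named lsass.exe versus the real lsass.exe being modified or replaced) is the kind of thing a triage script can check. The following is an added example, not code from this thread or from any AV vendor: it flags any lsass.exe found outside the expected system directory, and separately compares a file's content hash against a known-good reference. The expected directory and the reference hash are assumptions the reader supplies.

```python
"""Triage helper for the three lsass.exe cases discussed in the thread.

Constructed example (not from the forum post). Assumptions:
  * the Windows system root is C:\\WINDOWS (XP-era default);
  * a known-good SHA-256 of the genuine lsass.exe is supplied by the reader
    from a clean, identically patched system.
"""
import hashlib
import ntpath

# Directory where the genuine lsass.exe lives on a default XP install.
# (Assumption: system root is C:\WINDOWS.)
EXPECTED_DIRS = {r"c:\windows\system32"}


def classify_lsass(paths):
    """Split every path whose basename is lsass.exe into (legit, suspicious).

    A file named lsass.exe in any directory other than the system directory
    is the "dropped file named lsass.exe" case from the thread. Matching is
    case-insensitive and tolerates forward slashes, as NTFS paths do.
    """
    legit, suspicious = [], []
    for path in paths:
        norm = ntpath.normpath(path).lower()
        if ntpath.basename(norm) != "lsass.exe":
            continue
        if ntpath.dirname(norm) in EXPECTED_DIRS:
            legit.append(path)
        else:
            suspicious.append(path)
    return legit, suspicious


def matches_reference(content, reference_sha256):
    """True if the file bytes hash to the supplied known-good SHA-256.

    Covers the "infected" and "replaced" cases: the path is correct, so only
    a content comparison against a clean copy can tell the binary apart.
    """
    return hashlib.sha256(content).hexdigest() == reference_sha256.lower()


if __name__ == "__main__":
    # Constructed inventory: one genuine location, one planted copy.
    sample = [r"C:\WINDOWS\system32\lsass.exe", r"C:\WINDOWS\lsass.exe"]
    print(classify_lsass(sample))
```

A path-based check alone cannot catch the in-place replacement case, which is why the hash comparison is kept as a separate step.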

Offline girasole

  • Newbie
  • *
  • Posts: 4
  • I'm a llama!
Re: Sasser worm
« Reply #4 on: May 01, 2007, 08:37:41 PM »
Yes, it was up to date; I installed it for her about 4 months ago. I've used avast for years and I remember it blocking Sasser, so it came as a shock that it didn't even notify.

I'm not sure about the state of her operating system; she was using Windows XP. But nevertheless, even if it got through some hole in the operating system, shouldn't avast still give some sort of warning?

And yes, it was identified as a Sasser worm.

Offline calcu007

  • avast! Evangelist
  • Poster
  • ***
  • Posts: 476
  • Gender: Male
  • I'm lamma!
Re: Sasser worm
« Reply #5 on: May 01, 2007, 10:22:38 PM »
Maybe it was infected before you installed avast. Update your friend's computer so she doesn't get infected again. An unpatched system is dangerous.
Asus Intel i7 8GB RAM , Win 8.1 64 bit, Avast IS

Offline mauserme

  • Massive Poster
  • ****
  • Posts: 2478
Re: Sasser worm
« Reply #6 on: May 01, 2007, 11:16:27 PM »
Quote
Maybe it was infected before you installed avast.

Makes sense - hiding in an old archive or restore point possibly.

Do you know the path?

Offline girasole

  • Newbie
  • *
  • Posts: 4
  • I'm a llama!
Re: Sasser worm
« Reply #7 on: May 01, 2007, 11:58:11 PM »
I apologize, but I really don't know if her Windows was updated.

But wait a sec, guys... my field of expertise is not IT, however I still find this odd. If we take the possibility of the worm hiding in a restore point, shouldn't it be discovered after the first installation and reboot?

Offline calcu007

  • avast! Evangelist
  • Poster
  • ***
  • Posts: 476
  • Gender: Male
  • I'm lamma!
Re: Sasser worm
« Reply #8 on: May 02, 2007, 12:16:25 AM »
Not necessarily. It will not be detected until Windows accesses or opens the infected file, or until you run a manual scan on the computer.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69236
  • Gender: Male
  • No support PMs thanks
Re: Sasser worm
« Reply #9 on: May 02, 2007, 12:21:54 AM »
@ girasole

There is little point in speculating; ask your friend.
- What is the infected file name, and where was it found (e.g. C:\windows\system32\infected-file-name.xxx)?
- Have her check the avast! Log Viewer (right click the avast icon), Warning section; this contains information on all avast detections.

Also, what type of scan was she doing when the detection was made?

The first boot-time scan doesn't, as far as I'm aware, go as deep as an on-demand thorough scan with archives enabled. avast has also introduced new packer (archive unpacker) support, so if there was an infected file in a previously unsupported archive (i.e. avast couldn't unpack it), now that it is supported it could find malware in a previously unsupported packer.

So hopefully you can see there may be many possible reasons why it wasn't previously detected, but again that is speculation and doesn't solve anything; we need hard information, such as answers to the questions I asked above.

Offline girasole

  • Newbie
  • *
  • Posts: 4
  • I'm a llama!
Re: Sasser worm
« Reply #10 on: May 02, 2007, 04:26:47 PM »
@ DavidR

I went to her place today to get the info you asked for, but her HDD gave its last breath a few days ago and the computer is in for repair, which, unfortunately, brings this whole discussion to a definite stop. Now I feel bad for even starting this.

And I said that it was not avast that took care of it, it was NOD32. avast didn't even hiccup. There is a big possibility of her Windows not being up to date and the worm being present in the restore points, but I was the one who did the manual scan, and I always do the thorough scan. Is there a possibility of a glitch in the Slovenian version of avast?
Thank you for your help.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69236
  • Gender: Male
  • No support PMs thanks
Re: Sasser worm
« Reply #11 on: May 02, 2007, 04:46:00 PM »
There is no reason to feel bad about starting this; if nothing else, it gives you an idea of the things needed to help.

Sorry, I forgot that it hadn't been detected by avast. If the NOD32 scan was run from your system rather than on-line, I would think it would have a similar logging function.

I don't think the issue is language orientated, as the signatures and scanning engine aren't language dependent, and for some reason (unknown) it wasn't detected.

Sorry we weren't able to be of more help; welcome to the forums.
