Author Topic: Virus.Sasser a  (Read 8878 times)


Stephan123

  • Guest
Virus.Sasser a
« on: May 01, 2004, 05:45:22 PM »
Does Alwil have this virus already? And are we protected against this virus ???

Offline pk

  • Avast team
  • Super Poster
  • *
  • Posts: 2078
Re:Virus.Sasser a
« Reply #1 on: May 01, 2004, 05:54:28 PM »
After the latest virus database update in the morning (418-6), avast is able to detect this virus. It uses an lsass vulnerability - technical details + Windows patch.
« Last Edit: May 01, 2004, 05:55:35 PM by pk »

Pavel Baudis

  • Guest
Re:Virus.Sasser a
« Reply #2 on: May 01, 2004, 10:15:31 PM »
Actually - there is a new Sasser variant - Sasser-B tonight. The update is already out, so feel free to update  ;) .

However, the best protection against these kinds of viruses/trojans is to install all the Windows critical patches - see the link above or use the "Windows Update" feature!

Pavel

Sgt.Schumann

  • Guest
Re:Virus.Sasser a
« Reply #3 on: May 01, 2004, 11:18:56 PM »
Thank you for the info about Sasser.B !!

What is the difference between the two variants?

fred1479

  • Guest
Re:Virus.Sasser a
« Reply #4 on: May 01, 2004, 11:45:03 PM »
Hello !

My computer is infected by the win32: sasser-B ....
It infects many files...And I get bored !!! :'(

Avast! detects it but it says the worm is somewhere
" C:\WINDOWS\avserve2.exe"

but no action is available. The file is unfindable. I can't delete it, rename, repair or put it in "quarantine". Sorry for my English, I'm French.

If you have solutions...
bye :P

Pavel Baudis

  • Guest
Re:Virus.Sasser a
« Reply #5 on: May 02, 2004, 10:13:17 AM »
Try to terminate the virus process first:

  • Press Ctrl+Alt+Delete once.
  • Click Task Manager.
  • Click the Processes tab.
  • Double-click the Image Name column header to alphabetically sort the processes.
  • Scroll through the list and look for the following processes:
      • avserve.exe
      • any process with a name consisting of 4 or 5 digits followed by _up.exe (e.g. 73461_up.exe).
  • If you find any such process, click it, and then click End Process.
  • Exit the Task Manager.
Then, you will be able to delete the files detected by avast! as infected.

Hope this helps

Pavel

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Virus.Sasser a
« Reply #6 on: May 05, 2004, 05:16:38 PM »
Try to terminate the virus process first:

Why can't you make avast! terminate processes bound to infected executables so that avast! can delete them automatically (a "kill process and delete file" button)?

It's a bit like the locked files that can't be deleted, where I earlier suggested an "unlock and delete file" button?
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Pavel Baudis

  • Guest
Re:Virus.Sasser a
« Reply #7 on: May 05, 2004, 05:41:17 PM »
Why can't you make avast! terminate processes bound to infected executables so that avast! can delete them automatically (a "kill process and delete file" button)?

This is of course done by avast! Cleaner (both standalone and embedded in the VPS file versions). But at the moment of my answer the cleaner was not able to handle Sassers - it was released later.

Hope this helps
Pavel

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Virus.Sasser a
« Reply #8 on: May 05, 2004, 05:50:05 PM »
This is of course done by avast! Cleaner (both standalone

Why not include this in the on-access scanner ?
It's kind of annoying when you press "Clean" or "Delete" and
only get an "Unable to access file" or something.

If it's possible in the cleaner, why not in the on-access scanner ?
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud

Pavel Baudis

  • Guest
Re:Virus.Sasser a
« Reply #9 on: May 05, 2004, 05:54:52 PM »
If it's possible in the cleaner, why not in the on-access scanner ?

Cleaner knows exactly what it is trying to stop - and believe me, sometimes it is really very difficult to do this. Some viruses have different mechanisms for staying active in memory, reloading themselves and fighting back. I think doing such things in general could be very dangerous - the boot scan is much better and safer for this purpose!


Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re:Virus.Sasser a
« Reply #10 on: May 06, 2004, 10:09:06 AM »
Yes, just as Pavel says - it's not so simple. In general, you cannot just "terminate processes bound to infected executables". The virus may be running on other processes' memory area (either it infected their executable file, or it hooked their process during the runtime) - so with "generic" methods you could easily kill important system processes (and crash the system, of course).
Or, the virus may be loaded as a shared DLL into all the running processes...  so there actually is "no" virus process to terminate.
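
Added example (not part of the original thread and not avast! code): a small Python triage sketch that combines the process names listed in reply #5 with the caution in reply #10, marking only stand-alone worm images for termination and deferring anything merely hosting a flagged file to the boot-time scan. The snapshot format, PIDs, `example_flagged.dll` and the directory of `73461_up.exe` are assumptions made up for the illustration.

```python
import re
from ntpath import basename  # Windows path rules on any OS

# Image names from the thread: avserve.exe (reply #5), avserve2.exe (reply #4)
# and "4 or 5 digits followed by _up.exe" (reply #5).
WORM_IMAGE = re.compile(r"^(avserve2?|\d{4,5}_up)\.exe$", re.IGNORECASE)


def triage(processes, flagged_files):
    """Map pid -> action for each process touched by a flagged file.

    processes: dicts with "pid", "image" (full path), "modules" (DLL paths).
    flagged_files: paths the scanner reported as infected.
    """
    flagged = {path.lower() for path in flagged_files}
    plan = {}
    for proc in processes:
        loaded = [proc["image"]] + proc["modules"]
        if WORM_IMAGE.match(basename(proc["image"])):
            # Stand-alone worm process: ending it unlocks the file on disk.
            plan[proc["pid"]] = "terminate"
        elif any(path.lower() in flagged for path in loaded):
            # Infected host image or DLL loaded into it (reply #10): killing
            # the host could crash the system, so defer to the boot-time scan.
            plan[proc["pid"]] = "boot-scan"
    return plan


# Constructed snapshot: PIDs, example_flagged.dll and the directory of
# 73461_up.exe are hypothetical.
SNAPSHOT = [
    {"pid": 700, "image": r"C:\WINDOWS\system32\lsass.exe",
     "modules": [r"C:\WINDOWS\system32\example_flagged.dll"]},
    {"pid": 1200, "image": r"C:\WINDOWS\avserve2.exe", "modules": []},
    {"pid": 1300, "image": r"C:\WINDOWS\system32\73461_up.exe", "modules": []},
    {"pid": 1400, "image": r"C:\WINDOWS\explorer.exe", "modules": []},
]
FLAGGED = [r"C:\WINDOWS\avserve2.exe", r"C:\windows\system32\example_flagged.dll"]

if __name__ == "__main__":
    for pid, action in sorted(triage(SNAPSHOT, FLAGGED).items()):
        print(pid, action)
```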

Offline Lars-Erik

  • Avast Evangelist
  • Sr. Member
  • ***
  • Posts: 394
    • Lars-Erik Østerud
Re:Virus.Sasser a
« Reply #11 on: May 06, 2004, 11:59:52 AM »
But at least you could do what the "Cleaner" does ?
I only suggest including the same solutions as there
www.osterud.name - ICQ: 7297605 - AIM/Yahoo/Facebook/Skype/Astra: LarsErikOsterud