
What to do if your computer has been infected by Sasser
Thread poster: Lesley Clayton
Lesley Clayton
France
May 9, 2004

For those who think they've got the Sasser virus, follow Microsoft's instructions at http://www.microsoft.com/security/incident/sasser.asp

From this page, you can scan your computer for the virus to see if you've got it, and also check your firewall and security update status (which are automatically adjusted if necessary).



Kim Metzger
Mexico
What to do if your computer has been infected by Sasser May 9, 2004

Hi Lesley,
What are the symptoms?

Kim


Lesley Clayton
France
TOPIC STARTER
Symptoms May 9, 2004

Apparently, Sasser only infects Win 2000 and XP. According to Microsoft, one of the symptoms is that the operating system keeps shutting down, but the computer I am trying to sort out doesn't have that problem.

This computer is at my local 'mairie' and is open to the public for Internet access, although not many people use it. It is less than a month old and was working normally about a week ago.

The computer is working painfully slowly, no Internet sites can be accessed, but sending and receiving e-mails is possible. Word opens but doesn't work as it should (I didn't try any other programs).

Now I'm a bit prehistoric when it comes to computer problems but there's no-one else to sort this out quickly so I'm trying to do what I can to help.

I ran the antivirus first and it found the Welchia E worm, which I quarantined. I then tried to update the antivirus but the files wouldn't all download. As I still couldn't access any site to do an online virus scan or repair, I searched the Net from my computer at home.

I found a virus removal program called Stinger (made by McAfee) at http://vil.nai.com/vil/stinger/ which I downloaded and then burned onto a CD. I ran this on the computer at the 'mairie' and it found 29 files infected with the Sasser worm, which I deleted. After that, I did manage to access a couple of sites, but it was extremely slow and didn't last long before I couldn't access any sites again.

I went back home to do some more research on this Sasser thing that I'd never heard of, only to find that half the world seems to be infected!

I've printed out the instructions on the Microsoft site and will try them out on Monday. I will then check the firewall and update the antivirus.

My own computer (XP) hasn't been infected and I think it may be because my firewall is activated.

If anyone else has anything useful to add I would be very interested, as this is the first virus-infected computer I've ever had to deal with.



Natalie
Poland
MODERATOR
Hi Lesley, maybe this information could help: May 9, 2004

SOPHOS ISSUES FREE REMOVAL TOOL FOR SASSER WORM

Sophos has released a free removal tool which
disinfects computers infected by the fast-spreading
Sasser internet worm (W32/Sasser-A and W32/Sasser-B).

The Sasser worm does not spread via email, but exploits
a critical security vulnerability in versions of Microsoft
Windows.


If you are infected by the Sasser worm and wish to download
the free removal tool, or want more information about the
Microsoft security vulnerability it exploits, visit:

http://www.sophos.com/virusinfo/articles/sasser.html


Further information from Microsoft about the Sasser worm
and the security vulnerability can be found at:

http://www.microsoft.com/security/incident/sasser.asp
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx


Home users who do not know if their computers are running
the latest Microsoft security patches should visit the
Microsoft WindowsUpdate website:

http://www.windowsupdate.microsoft.com


PCs which are secured behind properly configured firewalls should not be affected by the Sasser worm.

More info can be found at http://www.sophos.com/

[Edited at 2004-05-09 22:03]



Ralf Lemster
Germany
Win9x systems can be infected, too... May 9, 2004

...as you found out on the system you're analysing.

> Apparently, Sasser only infects Win 2000 and XP. According to Microsoft, one of the symptoms is that the operating system keeps shutting down, but the computer I am trying to sort out doesn't have that problem.

Close, but not quite correct: the various variants of the Sasser worm can infect Win9x/WinME systems, and can spread from there, but its payload won't be effective on these machines: the shutdown behaviour will only occur under Win2k/XP.

> This computer is at my local 'mairie' and is open to the public for Internet access, although not many people use it. It is less than a month old and was working normally about a week ago.

The timing is suspicious, as Sasser was starting to spread last weekend.

> I ran this on the computer at the 'mairie' and it found 29 files infected with the Sasser worm, which I deleted.

Did that program also remove the worm?

> After that, I did manage to access a couple of sites, but it was extremely slow and didn't last long before I couldn't access any sites again.

The worm might well still be active, trying to spread by scanning other machines on the web.

> My own computer (XP) hasn't been infected and I think it may be because my firewall is activated.

Spot on.

More info, including a removal tool, is available from Symantec.

Small consolation: the author of "Sasser" - an 18-year-old college student from northern Germany - was arrested yesterday, and has admitted that he developed and spread the worm...

HTH, Ralf


Lesley Clayton
France
TOPIC STARTER
Thank you Natalie and Ralf May 9, 2004

Thanks for those very useful links Natalie,
particularly the Sophos one with the removal tool.


Hi Ralf,

Thank you too.

Ralf Lemster wrote:

> The timing is suspicious, as Sasser was starting to spread last weekend.


I'm not sure about the exact timing.

> Did that program also remove the worm?


I think so, Stinger says it is a virus/worm remover, not just a detector.

> The worm might well still be active, trying to spread by scanning other machines on the web.


If the worm was removed, I suppose it's possible that the computer got re-infected almost immediately before I could download the patch from Microsoft. I didn't think to run the program again.

> Small consolation: the author of "Sasser" - an 18-year-old college student from northern Germany - was arrested yesterday, and has admitted that he developed and spread the worm...


I think his punishment should be to explain himself to every single person individually who has physically suffered through delays in medical treatment caused by his actions, and fully reimburse everyone who has suffered financial loss. Then the men in white coats can have him!

Thanks again to you both,
Lesley

