Removing Win32 Sasser.Worm
W32-Sasser Worm

Also Known As:
W32/Sasser.worm (McAfee)
W32.Sasser.Worm (Symantec)
WORM_SASSER (Trend Micro)
Win32.Sasser (CA)
Sasser (F-secure)
Sasser (Panda)
W32/Sasser (Sophos)
W32/Sasser (Norman)

Summary
Win32/Sasser is a family of network worms that exploit the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011. The worm spreads by randomly scanning IP addresses for vulnerable machines and infecting any that are found.

Symptoms
Your computer may be infected with Win32/Sasser if you experience one or more of the following symptoms:
  • You see an LSA Shell crash dialog box
  • Your computer restarts every few minutes without user interaction. You may see a system shutdown dialog box, like the one in the screenshot below:
    [Screenshot: system shutdown dialog box]
  • Your computer performance is decreased or your network connection is slow.



Technical Information
    When Win32/Sasser runs on a computer, it copies itself to the %WINDOWS% folder. In most cases, it adds a value to the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. This value causes the worm to start when Windows is started.

    Win32/Sasser acts as an FTP server listening on TCP port 5554. For each connection made on this port, the worm sends a copy of itself to that connected host using the file name _up.exe.

    The worm generates random IP addresses using a certain logic and then sends the exploit shell code to these IP addresses on TCP port 445. If the exploit is successful, a command line shell listens on a TCP port of the remote infected machine. To complete the infection, the worm executes a remote shell script that instructs the newly infected machine to connect to the infecting host and download and execute the worm through FTP. The worm records the count of successful infections to a file on the C: drive.

    Win32/Sasser also attempts to abort any unexpected system shutdown by calling AbortSystemShutdown every several seconds in a continuous loop.

    Later variants of the worm may drop a variant of the Netsky worm. Later variants may not infect Windows 2000 because they import IcmpSendEcho from IPHlpAPI.dll, which is not present in Windows 2000.
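
The network behaviour described above (fan-out to TCP port 445, an FTP listener on TCP port 5554, and the newly infected host connecting back to fetch the worm) can be checked for in connection logs. The following is an added example, not part of the original page; the log format, the sample records and the fan-out threshold are assumptions made for illustration.

```python
from collections import defaultdict

FTP_PORT = 5554    # port the worm's FTP server listens on (from the text above)
SMB_PORT = 445     # port the exploit is sent to (from the text above)
FANOUT = 5         # assumed threshold: distinct 445 targets that count as scanning

# Constructed sample in a hypothetical "time src dst dst_port" TCP log format,
# assumed to be in time order.
SAMPLE_LOG = """\
10:00:01 10.0.0.7 172.16.4.11 445
10:00:01 10.0.0.7 172.16.9.80 445
10:00:02 10.0.0.7 10.0.0.9 445
10:00:02 10.0.0.7 192.168.3.4 445
10:00:03 10.0.0.7 10.0.77.1 445
10:00:04 10.0.0.9 10.0.0.7 5554
10:00:05 10.0.0.20 10.0.0.5 445
garbled line
"""

def parse(line):
    """Return (src, dst, port), or None for a blank or malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def find_suspects(log_text, fanout=FANOUT):
    """Map host -> sorted reasons it matches the behaviour described above."""
    smb_targets = defaultdict(set)   # src -> distinct hosts it contacted on 445
    reasons = defaultdict(set)
    for rec in filter(None, map(parse, log_text.splitlines())):
        src, dst, port = rec
        if port == SMB_PORT:
            smb_targets[src].add(dst)
        elif port == FTP_PORT:
            reasons[dst].add("serves-5554")
            # Callback: the FTP client was earlier contacted on 445 by this server.
            if src in smb_targets.get(dst, ()):
                reasons[src].add("fetched-from-" + dst)
    for src, targets in smb_targets.items():
        if len(targets) >= fanout:
            reasons[src].add("scans-445")
    return {host: sorted(r) for host, r in reasons.items()}

if __name__ == "__main__":
    for host, why in sorted(find_suspects(SAMPLE_LOG).items()):
        print(host, ", ".join(why))
```

A host flagged with a fetched-from reason is the one to isolate and clean first, since it matches the full infection sequence rather than a single indicator.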

    This malicious software can be removed using the Microsoft Malicious Software Removal Tool.





             About DARFUN INC © Copyright darfuns.com
                     DARFUN CORPORATION. 2004 est