This is my tutorial on how to detect and remove the W32.Sasser worm; it can also be found at www.antionline.com
I went to work today from 8:00am to 4:00pm. It's typically slow on Sundays, but it was slammed today, call after call; it seems like every customer was getting infected with this nasty worm. They were getting what's known as log/nosurf (meaning you can connect but can't display web pages), hence the name log/nosurf. Also getting error messages like 'desktop over quota', RPC, NT AUTHORITY, systems counting down, rebooting, deleting applications, etc.
So here's a short tutorial on how to detect it, uninstall it, and remove it from your PC. Enjoy.
Type: virus, worm
Infection length: 15,872 bytes
Systems affected: Windows 2000, XP, Windows Server 2003
Systems not infected: Linux, Mac, Novell NetWare, OS/2, Unix
W32.Sasser is a worm that attempts to exploit the MS04-011 vulnerability. It spreads by scanning randomly chosen IP addresses for vulnerable systems.
It attempts to connect to randomly generated IP addresses on TCP port 445. If a connection is made, the worm sends shellcode to that computer, which may cause it to run a remote shell on TCP port 9996.
The worm then uses that shell to make the computer connect back to the worm's FTP server on TCP port 5554 and retrieve a copy of the worm. This copy will have a name consisting of 4 or 5 digits followed by _up.exe (for example, 31337_up.exe).
How to remove it
1. Make sure you connect to the internet with some form of protection, such as enabling the Internet Connection Firewall (ICF).
2. Press Ctrl+Alt+Delete to bring up Windows Task Manager.
3. Click the Processes tab.
4. Double-click 'Image Name' to sort the processes.
5. Look through the list and try to find avserve.exe or avserve2.exe, or any process with a name consisting of 4 or 5 digits followed by _up.exe.
If you find one, click it, and then click End Process.
6. Exit Task Manager.
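As an added example (not part of the original post), here is a small Python check that applies the indicators above: the process names from step 5 and the two TCP ports the worm opens. It works on constructed Task Manager and `netstat -an` output and assumes the standard Windows netstat column layout.

```python
import re

# Indicators named in the post: the worm's own process names, the
# 4- or 5-digit "_up.exe" copy it fetches, and the two TCP ports it opens.
KNOWN_PROCESSES = {"avserve.exe", "avserve2.exe"}
UP_EXE_PATTERN = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
SUSPICIOUS_LISTENERS = {9996: "remote shell", 5554: "worm FTP server"}


def suspicious_process(name: str) -> bool:
    """True if a process name matches one of the post's Sasser indicators."""
    n = name.strip().lower()
    return n in KNOWN_PROCESSES or UP_EXE_PATTERN.match(n) is not None


def listening_tcp_ports(netstat_lines):
    """Parse `netstat -an` style lines and return the set of listening TCP ports."""
    ports = set()
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def sasser_indicators(process_names, listening_ports):
    """Return human-readable findings: matching processes first, then ports."""
    findings = [f"process {name}" for name in process_names if suspicious_process(name)]
    for port in sorted(listening_ports):
        if port in SUSPICIOUS_LISTENERS:
            findings.append(f"tcp/{port} listening ({SUSPICIOUS_LISTENERS[port]})")
    return findings


# Constructed sample data (not from a real host): a Task Manager image-name list
# and a few netstat lines. 445 listening is normal on Windows and is not flagged.
SAMPLE_PROCESSES = ["explorer.exe", "AVSERVE2.EXE", "31337_up.exe",
                    "123_up.exe", "update.exe", "svchost.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:445      0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:5554     0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:9996     0.0.0.0:0    LISTENING",
    "  TCP    192.0.2.10:1057  198.51.100.7:445  SYN_SENT",
    "  UDP    0.0.0.0:500      *:*",
]

if __name__ == "__main__":
    for finding in sasser_indicators(SAMPLE_PROCESSES, listening_tcp_ports(SAMPLE_NETSTAT)):
        print("indicator:", finding)
```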
The tool to instantly and completely remove this nasty worm can be downloaded at http://vil.nai.com/vil/stinger
When done, reboot the PC and make sure to visit microsoft.com for the latest updates and patches. Hope this helps, Liquid31337