Hi everybody,
I spent probably 4 hours out of my 6 hour shift tonight (at least) working on Sasser worm problems. Thus I feel it necessary to take it upon myself to make a PSA, if you will, about sasser. What it is, what can be done to prevent it, and what to do if you already have it.
First of all, let me climb up on my soap box and say that if you do end up calling in for tech support, please be nice to the tech support agent. At my call center we were never less than 30 in queue (that means 30 people on hold waiting for an agent) and most of the night we were between 200-300 waiting for an agent. You may be stressed, but the agent is stressed too. Realize the pressure is on to fix people's problems (so they don't have to call back) while keeping them happy (so they don't cancel their service) and, oh yeah, could you hurry it up--there are 300 other people waiting in line for advice.
Off the soapbox, onto the advice.
What SASSER is, and how does it relate to BLASTER?
Sasser is a worm similar to BLASTER. BLASTER popped up a box that shut your computer down via a hole in the Remote Call Procedure. SASSER does it through the LOCAL SECURITY AUTHORITY. If your computer is getting shut down upon connection to online by a long, rectangular box that is from "Remote Call Procedure", that's Blaster. "Local Security Authority" is SASSER.
How do I prevent it?
Windows Updates. Buck it up and do them. Even on dialup. It's going to save you time in the long run. Check back every couple of weeks and stay up to date on your patches. Will it prevent all viruses? No, but patches were released to prevent BLASTER and SASSER before the viruses were in the wild.
But I already have it? What now?
SASSER can be removed in 3 easy steps
1. Turn on a firewall. In Windows XP this is fairly simple (You're all using Windows XP right?)
--Start:Control Panel
--Switch to Classic View (On the left).
--Network Connections
--Look for icon for LAN or "MSN" or "AOL" "EARTHLINK" "JUNO" or whatever. Right click on the icon and say "Properties"
--Click the "Advanced" tab
--Put a check in "Protect my computer"
--Click OK.
--Close control panel
2. Stop the blaster process
--Ctrl+Alt+Delete. This should bring up the task manager. Click "processes" and then click the "Image Name" header twice to sort the processes A to Z
--End the processes "avserve.exe" and/or "avserve2.exe" as well as any processes that are 4 to 5 numbers followed by "_up.exe" as in "7623_up.exe"
--Close task manager
3. Get online using the firewalled connection. Hopefully SASSER doesn't shut you down. If SASSER pops up pull up your system time (Double click on the time in the corner) and set the date back 1 day. This will give you 24 extra hours to do what you need to do. Setting back the date/time is only effective after SASSER has popped up to shut you down.
4. Run all your Windows updates. Buck up and do it. Keep up to date on them from now on.
5. Run the SASSER removal tool.
That should fix you up! Any questions?
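
Added example, not part of the original post: a check for the process names listed in step 2, run over a process listing instead of eyeballing Task Manager. It assumes the listing is in the CSV shape produced by `tasklist /FO CSV /NH`; the sample rows and PIDs below are constructed.

```python
import csv
import io
import re

# Image names the post says to end: avserve.exe, avserve2.exe, and
# 4 to 5 digits followed by "_up.exe" (as in 7623_up.exe).
SASSER_IMAGE = re.compile(r"avserve2?\.exe|\d{4,5}_up\.exe", re.IGNORECASE)

# Constructed sample in the shape of `tasklist /FO CSV /NH` output:
# "Image Name","PID","Session Name","Session#","Mem Usage"
SAMPLE_TASKLIST = '''\
"System Idle Process","0","Console","0","16 K"
"lsass.exe","692","Console","0","1,204 K"
"AVSERVE2.EXE","1840","Console","0","3,112 K"
"7623_up.exe","2016","Console","0","2,480 K"
"explorer.exe","1432","Console","0","18,900 K"
"123456_up.exe","2100","Console","0","900 K"
"avserver.exe","2200","Console","0","1,000 K"
'''


def find_sasser_processes(tasklist_csv):
    """Return (image_name, pid) for every row whose image name matches
    one of the names from step 2. Malformed rows are skipped."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2:
            continue
        image, pid = row[0].strip(), row[1].strip()
        # fullmatch so look-alikes (avserver.exe, six-digit prefixes)
        # are not flagged; Windows image names are case-insensitive.
        if SASSER_IMAGE.fullmatch(image) and pid.isdigit():
            hits.append((image, int(pid)))
    return hits


if __name__ == "__main__":
    found = find_sasser_processes(SAMPLE_TASKLIST)
    if not found:
        print("No matching processes in this listing.")
    for image, pid in found:
        print(f"Matches step 2 name pattern: {image} (PID {pid})")
```

An empty result only means none of these names are running right now; the patching and removal-tool steps still apply.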