It has now been confirmed that Sasser is indeed a problem for many users, and it is now a sixth or seventh generation variant. Fortunately, they can all be deleted using the same method. This article will teach you how to remove by hand, how to remove it by tools, and how to prevent it from re-infecting. Sasser is a denial of service attack that threatens all versions of Windows 2000 and Windows XP in addition to the 64-bit version of XP. These Windows systems have a well-known vulnerability LSASS, a buffer overflow in the local security authorization system service. However, only Windows 2000 and XP operating systems are vulnerable to shock waves. Older versions of Windows can run shockwaves, but the system won't be infected unless you specifically load the worm code onto your PC. The current situation
Although the German police have seized the people who made and spread the worms, the infection itself continues to cause enormous damage, because it even infects unattended systems, and it will continue to Infect the system until the system patches potential vulnerabilities. However, this is a big challenge because the infected system will keep restarting, making it impossible for infected machines to download patches or browse the web to find a solution. In addition to having a properly configured firewall (blocking TCP ports 445, 5554, and 9996) in place, using the patch provided in Microsoft Security Bulletin MS04-011 is the only way to protect the system from re-infection. There are so many systems that still have vulnerabilities because many users don't have good experience installing patches. Microsoft Knowledge Base article 835732 contains known issues with this patch, including the complete shutdown of some Windows 2000 systems due to system processing behavior, and the inability of some users to log into Windows after the system is patched. Oracle has problems with the already patched W2K system. For the XP system that has been patched, the only major problem is the inability to view some of the graphics files created with Adobe Illustrator. Getting Ready
Deleting a shock wave is a process that requires multiple steps to implement. The first issue is how to stop a computer that is constantly restarting automatically, so that it can be long enough to download patches and/or downloads. Remove the tool. The following is a list of how Symantec listed the removal of all versions of Sasser from A to F. Remember, it takes about 20 seconds to complete the steps below. 1. Disconnected from the Internet. 2. Restart. 3. At startup, click “Run” on “Start” as soon as possible, and enter “CMD” to open the command line interface. 4. Enter shutdown – i at the DOS prompt and press Enter. This opens the Control Panel for remote management of other systems on the network, but now you need to enter the name of your computer. 5. Click "Add", enter your name, and click "OK". 6. Now change the delay setting of the warning message from the standard 20 (seconds) to a large number such as 9999. If you are willing to reset the delay time of the warning message after patching. This will temporarily disable the shutdown sequence, giving you enough time to log in to the Internet and download patches. For many users, what makes them wonder is that their machines are not connected to the network. Why do their systems have names? The names of the systems are either assigned by users with administrator privileges or automatically generated. To find the name of your computer, open the Control Panel and click on the "System" icon. Since you must complete the steps on the bulletin board in 20 seconds or less, you must determine the name of your system before starting these procedures. For the method of stopping the periodic restart on XP system, Microsoft's instructions for use tell you to just type shutdown.exe -a at the command prompt. If this command is in effect, the system will terminate the shutdown process more quickly. The above steps are not necessary if you can download and install the patch. They are not part of the technique described below for removing the shock wave process. Remove
You can download a removal tool from the websites of Symantec, F-Secure and other anti-virus providers. Microsoft also has detailed operating instructions and an automated testing tool on the page that proves that you are infected with the Sasser virus and can remove the virus. If you get one of these automatic removal tools, it will stop the reboot process, delete the worm file, clear the registry and use this tool to remove the Sasser virus. To take a step back, it would be quite cumbersome to use a manual process. Because some systems are so tightly connected to the Sasser process that your computer is no longer available, even if you are using a removal tool, the following manual removal steps (ending a malicious process) may still be necessary. You can open the task manager and find avserve2.exe, avserve.exe, skynetave and any process that starts with a short character string followed by _up.exe (for example, XXXXX_up.exe), then select the names of these processes and click " End the process" to terminate them to improve system performance. Since XP has automatic system storage features, this feature should also be turned off before any worms or viruses are removed, as this is a backup tool that will keep an infected backup if it continues to run. Symantec has a complete description of the steps required, but the basic steps are to check to see if the Shut Down System Storage feature is turned off in the System dialog box in Control Panel. Manual deletion requires you to delete all files that are considered by the antivirus program to be related to the shock wave. The registry has been changed by Sasser, which means you will need to remove avserve2.exe" from HKEY_LOCAL_MacHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"="%Windir%\\avserve2.exe variants continue
Newsfactor.com The company has reported a new infection, Dabber (package.exe) attacks the computer through the shock wave, removes the shock wave worm and turns the computer into a server and sets a secret back door on the computer. Instructions for removing Dabber have been found on Symantec, Trend Micro, Panda Guardian and other anti-virus provider websites. Variant E
Symantec reports that the variant E of the shock wave is different from W32.Sasser in that: the name of the process is SkynetNotice, the name of the file is lsasss.exe, and the name is again avserve in the registry line. To replace. You also need to block the ports 1022 and 1023 of the firewall. And instead of looking for the XXXXX_up.exe file, look for the XXXXX_update.exe file. Variants F
The variant F of the shock wave is also slightly different from the previous version. The name of the process is billgate, and the name of the shockwave file is napatch.exe, which is also used in the registry.