My first (intentional) self-infection

Back in 2004, Sasser, one of the most "famous" computer worms ever made, was creating havoc throughout the world of Windows-based PCs. During the summer of that year I was based (temporarily) in my home town, Bucharest, and had just started studying for the CCNA exam that I planned to take at the end of July.

Long nights followed: studying, playing a bit of video games (Max Payne) and drinking unhealthy amounts of Coke/Pepsi. During that period, a lot of days were spent on a (now defunct) technology forum: www.chip.ro.

Former CHIP magazine Romanian forum

I was an avid poster and replier in their security sub-forum. In one of the latest posts I noticed "the rise" of Sasser. People were complaining of not being able to get rid of it, of continuous restarts and, basically, of having a useless Windows PC.

I started checking for solutions on the international forums. To understand what this worm did to your computer, here is a quick brief:

"Sasser is a computer worm that affects computers running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Sasser spreads by exploiting the system through a vulnerable port. The most characteristic experience of the worm is the shutdown timer that appears due to the worm crashing LSASS."

The damage it did internationally was even bigger:

"The effects of Sasser included the news agency Agence France-Presse (AFP) having all its satellite communications blocked for hours and the U.S. flight company Delta Air Lines having to cancel several trans-atlantic flights because its computer systems had been swamped by the worm. The Nordic insurance company If and their Finnish owners Sampo Bank came to a complete halt and had to close their 130 offices in Finland. The British Coastguard had its electronic mapping service disabled for a few hours, and Goldman Sachs, Deutsche Post, and the European Commission also had issues with the worm. The X-ray department at Lund University Hospital had all their four layer X-ray machines disabled for several hours and had to redirect emergency X-ray patients to a nearby hospital."

The solution to disinfect yourself was pretty simple:

"The worm may be removed by running regedit.exe and navigating to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There, the user must remove the avserve2.exe string. Next, the user must terminate avserve2.exe in task manager. Next, the user must navigate to C:\ and delete win2.log. Finally, the user must navigate to C:\Windows and delete avserve2.exe and reboot. After a reboot, the user's PC will no longer be infected with Sasser."

Now, I knew the solution and managed to help out some of the forum users, but I was also curious to test the worm on "myself". Yes, self-infection, as it is called. I managed to grab a copy of the worm from VX Heaven.

VX Heaven homepage

In a couple of seconds I started to see the famous LSASS.exe crash with the countdown:

Sasser worm shutdown countdown

I quickly opened the Run dialog, typed cmd and entered shutdown /a. The shutdown counter stopped and everything was back to "normal". I was still infected with the worm, but as long as I didn't reboot the PC I could move on and disinfect myself, following the same removal steps quoted above: remove the avserve2.exe entry from the Run key, terminate avserve2.exe in Task Manager, delete C:\win2.log and C:\Windows\avserve2.exe, and reboot.
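The removal steps above, as an added PowerShell check that is not part of the original post: it looks for each indicator the post names (the Run key entry, the running avserve2.exe process, C:\win2.log and avserve2.exe in the Windows directory) and only applies the same cleanup when called with -Remove. The function name is mine, and $env:SystemRoot / $env:SystemDrive stand in for the post's C:\Windows and C:\.

```powershell
# Added example, not from the original post: report (and optionally remove)
# the Sasser artifacts the quoted removal steps name. Function name is mine;
# $env:SystemRoot / $env:SystemDrive stand in for the post's C:\Windows and C:\.
function Test-SasserIndicators {
    [CmdletBinding()]
    param([switch]$Remove)   # without -Remove the function only reports
    $runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $wormExe  = Join-Path $env:SystemRoot  'avserve2.exe'
    $wormLog  = Join-Path $env:SystemDrive 'win2.log'
    $findings = New-Object System.Collections.Generic.List[string]

    # Step 1: persistence. Any Run value whose name or data mentions avserve2.exe.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc.
            if ($p.Name -like '*avserve2*' -or "$($p.Value)" -like '*avserve2*') {
                $findings.Add("Run value '$($p.Name)' = '$($p.Value)'")
                if ($Remove) { Remove-ItemProperty -Path $runKey -Name $p.Name -Force }
            }
        }
    }

    # Step 2: the running worm process. Kill it before deleting its file.
    foreach ($proc in Get-Process -Name 'avserve2' -ErrorAction SilentlyContinue) {
        $findings.Add("Process avserve2.exe running (PID $($proc.Id))")
        if ($Remove) { Stop-Process -Id $proc.Id -Force }
    }

    # Steps 3 and 4: the dropped log and the worm binary.
    foreach ($file in @($wormLog, $wormExe)) {
        if (Test-Path -LiteralPath $file) {
            $findings.Add("File present: $file")
            if ($Remove) { Remove-Item -LiteralPath $file -Force }
        }
    }

    $note = ''
    if ($Remove -and $findings.Count -gt 0) { $note = 'Cleanup applied; reboot to finish.' }
    [pscustomobject]@{
        Infected = ($findings.Count -gt 0)
        Findings = $findings.ToArray()
        Note     = $note
    }
}

# As in the post, stop a pending shutdown timer first, then inspect:
#   shutdown /a
Test-SasserIndicators            # report only
# Test-SasserIndicators -Remove  # apply the removal steps, then reboot
```

Run it from an elevated PowerShell session, since the HKLM Run key and the Windows directory are not writable otherwise.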

Bottom line, it was a nice experience to have :). From then on I started building my own "lab" to test viruses and worms, but that's a story for another blog post.