carolelee

Task Manager?

Anyone know if you can get the Windows Task Manager to come up other than by using the three-finger salute (Ctrl-Alt-Delete)? My sister has the Sasser worm and she can't get the Task Manager to come up... any ideas?
44,786 views 149 replies
Reply #128
The virus copies itself to the Windows directory as avserve2.exe and creates a registry run key to load itself at startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve2.exe" = C:\WINDOWS\avserve2.exe
As the worm scans random IP addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win2.log is created on the root of the C: drive. This file contains an IP address.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe

Manual Removal Instructions

To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode (hit the F8 key as soon as the "Starting Windows" text is displayed, then choose Safe Mode).

Delete the file AVSERVE2.EXE from your WINDOWS directory (typically c:\windows or c:\winnt).

Edit the registry: delete the "avserve2" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Reboot the system into Default Mode.

Registry Removal Editing:

Windows 98/ME/NT/2000/XP

1. Click the START button, then RUN
2. Type REGEDIT and hit ENTER

http://vil.nai.com/vil/SystemHelpDocs/images/Regedit1.gif

3. Click the + signs next to the desired folder to expand the folder tree branch

http://vil.nai.com/vil/SystemHelpDocs/images/Regedit4.gif

4. Once the desired folder path is visible, double-click on the value name on the right side of the screen (Default in this case)

http://vil.nai.com/vil/SystemHelpDocs/images/Regedit5.gif

5. Enter the desired value and click OK
6. Exit the Registry Editor by clicking on the X in the upper right corner of the Window

7. Reboot into normal user mode



Don't format...

Remove it, update Windows and her AV application DAT files...

then scan that sucker...

and do it again...




Powered by SkinBrowser!
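Added example (mine, not code from the post above or from the McAfee write-up it quotes): a small Python check that matches the indicators listed there against data you would pull off the machine, using constructed sample inputs here so it runs offline. It covers the Run key value, the #_up.exe copies in the System directory, the two fixed listening ports, and win2.log on C:\; the scanning ports from 1068 upward vary from run to run and are not matched. On a real box you would feed it the output of `reg query`, a `dir` of the System directory and `netstat -an`. The function names and the sample values are my own.

```python
import re
from ipaddress import ip_address

# Indicators quoted in the post above (constants for this example, not a full signature).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "avserve2.exe"
DROPPED_FILE_RE = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)   # e.g. 11583_up.exe
LISTEN_PORTS = {5554: "FTP server the worm serves itself from", 9996: "remote shell"}


def check_run_key(values):
    """values: {value_name: data} for the Run key, as read back from
    `reg query` or a registry export."""
    return [f"Run key value {name!r} -> {data!r}"
            for name, data in values.items()
            if name.lower() == RUN_VALUE_NAME or RUN_VALUE_NAME in data.lower()]


def check_system32_listing(filenames):
    """filenames: bare names from a directory listing of the System directory."""
    return [f"dropped copy in System directory: {n}"
            for n in filenames if DROPPED_FILE_RE.match(n)]


def check_netstat(lines):
    """lines: `netstat -an` output; flags the two fixed ports the post names."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP" or parts[3].upper() != "LISTENING":
            continue
        port = int(parts[1].rsplit(":", 1)[1])
        if port in LISTEN_PORTS:
            findings.append(f"TCP port {port} listening ({LISTEN_PORTS[port]})")
    return findings


def check_win2_log(contents):
    """contents: text of C:\\win2.log, or None if the file does not exist.
    The post says the file holds an IP address; the file is reported either way."""
    if contents is None:
        return []
    text = contents.strip()
    try:
        ip_address(text)
    except ValueError:
        return [f"win2.log present on C:\\ but not an IP address: {text!r}"]
    return [f"win2.log present on C:\\ with IP {text}"]


def assess(run_values, system32_names, netstat_lines, win2_log_contents):
    """Collect every indicator hit; an empty list means nothing matched."""
    return (check_run_key(run_values)
            + check_system32_listing(system32_names)
            + check_netstat(netstat_lines)
            + check_win2_log(win2_log_contents))


# Constructed sample inputs (made up for this example, not captured from a real host).
SAMPLE_RUN_VALUES = {
    "avserve2.exe": r"C:\WINDOWS\avserve2.exe",
    "SoundMAX": r"C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray",
}
SAMPLE_SYSTEM32 = ["kernel32.dll", "11583_up.exe", "notepad.exe", "29739_up.exe", "update.exe"]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135     0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:5554    0.0.0.0:0    LISTENING",
    "  TCP    0.0.0.0:9996    0.0.0.0:0    LISTENING",
    "  UDP    0.0.0.0:445     *:*",
]
SAMPLE_WIN2_LOG = "192.0.2.45\n"   # constructed address from the documentation range

if __name__ == "__main__":
    for hit in assess(SAMPLE_RUN_VALUES, SAMPLE_SYSTEM32, SAMPLE_NETSTAT, SAMPLE_WIN2_LOG):
        print("INDICATOR:", hit)
```

The checks are deliberately separate so a clean result on one (say, no listening ports because the box is unplugged, as the thread recommends) does not hide a hit on another; the Run key entry is the one that survives a reboot and is the one the removal steps above go after.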
Reply #129
Yeah..ok, I'm jumping ships.....Listen to John

any ray of hope, is worth trying



Reply #130
Unfortunately, John...the Sasser bug doesn't appear to be the only thing she has. Besides that, the floppy I told her to create will do the same thing.....although I personally think it will be to no avail...

BTW: you been in the bathroom all this time??
Reply #131
Great....huge ass jumps ship........
Reply #132
Like your ass is any better!
Reply #133
na, just kind of off in never never land. Boomer jumped on me from behind tonight while out front and I took some pain killers. Kinda prone now and not doing any graphics for a change.

If she's all messed up on the drive, she should probably go ahead and dink the sasser. then burn a cd of her data files she does not want to lose. She can scan those files if she decides to put them back on the drive after format, reinstall of XP, then AV "Carolelee, she wants that AV installed and functioning before even connecting to the net" then doing the XP updates.






Reply #134
Boomer jumped on me from behind

...seems to be a lot of 'ass' problems going around tonight...
Reply #135
yeah if it was my ass, he'd be the one laid up

wrenched my neck and lower back, never should have taught him to jump over my arm held at shoulder height while I am standing up. Frisbee though, tis key to a happy pup and a good time on the beach




Reply #136
IPlural, I don't have the worm (my system is totally up-to-date); my sister Donna is the one with the huge problem (love them kids). When I phone her later, I will tell her to take her puter to a puter store and get it reformatted. This thing is stopping everything she tries to do and if it has a partner in crime going along with it........there's no chance in h... for a novice puter user to rid these things. Thanks for trying. I will instruct Donna over the phone later and we will give it a go (your instructions) but as Gary said.....it most likely won't happen. This is a hard lesson for anyone who doesn't have that patch. All I can say is, UPDATE, UPDATE, UPDATE.......there, I feel better now! Thanks, you guys are the best.
Reply #137
That 18 year old they nabbed for Sasser should get exactly 1 day's jail for each computer he screwed......at last count that's about 3 or 400 years....
Reply #138
now that would be justice wouldn't it

carolelee, something you and everyone including your sister wants installed and running is a registry monitor. Anything that might make it past all other security measures will be caught out as it attempts to modify the registry this way. You can at least stop the final part of a system hijack this way.

I personally have run a number of these utilities but pretty much stick with two running active while using a third to keep my registry in order which I run at least 4 times a month and the fourth I run at least once a month.

Startup Organizer ( MetaProducts ) runs upon boot up, in case anything has modified or attempted to modify the registry and rebooted the system before SO could do anything about it. SO loads up and scans the registry before each item is loaded and upon seeing a change it *asks* you if you wish to allow the change or if you wish to remove it.

AdAware Pro ( Lavasoft ) The Pro version has an active ( separate application ) monitor for registry changes.

Spybot Search and Destroy ( freeware ) works well, though I do not run it on a regular basis because active updates can be a slight bother so I run it at least once a month.

SystemMechanic Pro 4.x ( Iolo ) I run this once a week or more to keep my registry compact and clean of trash which lends to a faster system.

The Registry is basically a database file and as such needs to be re-indexed and compressed to optimize query operations. Bad pointers to missing or corrupt info will drag a database to its knees. The same thing goes for the Windows Registry: when you click on anything that references the Registry, it takes the time to find the references needed and then it loads them. If it is stuck seeking out bogus info, broken links, or missing data, it will be wasting time and also slowing down the system while doing this.

anyway...

some thoughts is all
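Added example, not from IP's post or from any of the products he names: a Python sketch of what a registry monitor does for the Run key this thread is about. It parses two Regedit exports (a baseline taken while the system was clean and a current one), reports what was added, changed or removed, and then, like the prompt Startup Organizer is described as giving, undoes any change the user refuses. The exports are constructed for the example; a real monitor watches the registry live and writes the decision back, which this code does not do. Function names and the sample entries are mine.

```python
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# "name"="data" lines of a .reg export; both sides may carry \\ and \" escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg-file escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text, key=RUN_KEY):
    """Return {value_name: data} for the string values under `key` in a
    .reg export (what `reg export` or Regedit's File > Export writes)."""
    entries, in_key = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key.lower()   # section header
            continue
        if not in_key or not line:
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def diff_run_entries(baseline, current):
    """What changed in the Run key since the baseline snapshot was taken."""
    return {
        "added":   {n: d for n, d in current.items() if n not in baseline},
        "removed": {n: d for n, d in baseline.items() if n not in current},
        "changed": {n: (baseline[n], d) for n, d in current.items()
                    if n in baseline and baseline[n] != d},
    }


def reconcile(baseline, current, allow):
    """Emulate the monitor's prompt: allow(kind, name, data) returns True to
    accept a change, False to undo it. Returns the Run entries that should
    remain; writing them back to the registry is left to the caller."""
    diff = diff_run_entries(baseline, current)
    result = dict(current)
    for name, data in diff["added"].items():
        if not allow("added", name, data):
            del result[name]                 # denied addition: drop it
    for name, (old, new) in diff["changed"].items():
        if not allow("changed", name, new):
            result[name] = old               # denied change: restore old data
    for name, data in diff["removed"].items():
        if not allow("removed", name, data):
            result[name] = data              # denied removal: put it back
    return result


# Constructed exports (made up for this example). The current one shows one
# added value and one changed value, plus a RunOnce section that must be ignored.
BASELINE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
'''

CURRENT_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\ctfmon.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"avserve2.exe"="C:\\WINDOWS\\avserve2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Installer"="C:\\setup.exe"
'''


def deny_everything(kind, name, data):
    """Stand-in for the user answering 'no' to every prompt."""
    return False


if __name__ == "__main__":
    base = parse_reg_export(BASELINE_EXPORT)
    cur = parse_reg_export(CURRENT_EXPORT)
    for kind, items in diff_run_entries(base, cur).items():
        for name, data in items.items():
            print(f"{kind}: {name} -> {data}")
    print("back to baseline after denying all:", reconcile(base, cur, deny_everything) == base)
```

The point of keeping a baseline export is that "what is in the Run key" on its own tells you little on a box you do not know; "what is in it that was not there last week" is what you actually want to be asked about.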
Reply #139
Good point IP. I used to run one when I had Win98, but haven't since I got XP, probably time to run one again.
Reply #140
I agree with all of you, as I run all the things you mentioned, IP. My sis's boyfriend removed their AdAware and Spybot S&D because he thought they were clashing with some downloads. It was also just discovered my sis's 14 year old daughter ignores all the updates from Microsoft (she admitted it). So my hope is, my sister pays more attention to that computer and all who play on it. She is now driving me nuts and wants me to help get her running again.........ha....good luck, this sucker has a good grip on her system and I'm no expert! What you said Jafo, I agree 100%, throw away the key and he should be made to pay for all the puters he damaged.
Reply #141
Malicious destruction...vandalism....is nothing more than urban terrorism. This Virus creator exposed people to 'physical' injury, beyond the capacity of most to overcome. I'd personally split his fingernails and slit his nostrils and feed him to the dogs...but then I'm a nice, conservative fellow...
Reply #142
I like your thought on this little scum, another way is to hang him up by his short&curlies
Reply #143
I like the idea of him spending a day in jail for each computer he borked. Even if he just had to do an hour of community service, real service... not that roadside trash pick-up crap, but something that benefits folks less fortunate, for each bugged-up PC, I bet he'd still be looking at 50+ years.
Reply #144
What they should do is make him work on Internet security at slave wages for the next 15 years. And during this time, if he isn't productive, then we hurt him.





Reply #145
That 18 year old they nabbed for


New Sasser version may be circulating
German suspect apparently released it before arrest

http://www.msnbc.msn.com/id/4944667/
Reply #146
For anyone who thinks they have this or might think about getting one of these, go here: http://www.microsoft.com/security/incident/sasser.asp and run the scan in step #3 (or download it, because Sasser will take your connection south). If you're not sure if you have the patch for the original, look in 'Add/Remove Programs' for Hotfix 835732. No one is quite sure what's in the newest variant or if, in fact, this idiot released it prior to getting jailed. Stay tuned...



Reply #147

The computer store will be able to run a virus cleaner on it without reformatting. You don't want her to reformat unless she has to since she will lose everything. Most computer places will be able to clean the computer without a reformat.

I haven't read all of this, but if she can get to safe mode, she can kill all the worm processes then get to McAfee online and get it cleaned off. McAfee can scan and remove from remote unlike Norton. I ended up with McAfee after an internet worm got my home PC. The worm hijacked Norton's online connection, so Norton couldn't update to fix the worm. McAfee was the only way that we could get rid of it.

Reply #148
Thanks KarmaGirl for your help, I will let my sister know (she bought her computer at Radio Shack and they did offer to clean it for her for a small fee). I did guide her through safe mode (via telephone) and it wouldn't change anything. This worm and possible buddies have a good grip on her system, but I'm sure it will be eliminated.......thanks
Reply #149
BTW, Norton was kicked out of her system by Sasser. Wow, what a nasty bugger!!