
Thread: Stop Sasser or Similar by killing the source (Resolved)

  1. #1

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Resolved Stop Sasser or Similar by killing the source (Resolved)

    Hello, I hadn't been here for a long time... But please let me explain what I am trying to do.

    The problem is that there is an old computer with Windows 2000. The computer's hard disk has problems and it was divided into two partitions; the one that has the Operating System is not damaged and has 100 MB of free space, the other one is damaged and it won't allow itself to be formatted, nor will it allow the OS to be installed on it.

    This old computer doesn't have space for installing the second service pack and it needs to be on the net. Whenever it comes on-line it crashes because of a behavior that is similar to the Sasser virus: it generates a random IP and if the IP is valid it tries to connect using FTP. The computer has Antivir and ZoneAlarm to avoid viruses from stepping in and taking control.

    I was wondering if there is a way to find the process that is generating the random IPs and stop it before it makes the computer crash (it makes lsass.exe come up with an error message and no internet activity will be able to be performed after this and then forces the computer to restart by shutting down the system)... Something like using the API to find a process and then force it to be closed.

    Could you please help me with some suggestions? I was thinking to have a background program that would detect when cmd.exe is running and then force it to be closed... But I don't want the program to cause the computer to be slower to the point that nothing can be done with it.

    Thanks for taking your time to read my problem and to all of you who would go further and try to help me.
    Last edited by Tec-Nico; Aug 12th, 2005 at 01:35 PM.
    We miss you, friend... Rest in Peace, we will take care of the rest of it.

    [vbcode]
    On Error Me.Fault = False
    [/vbcode]
    - Silence is the human way to share ignorance
    Tec-Nico

  2. #2
    Elite Hacker Jacob Roman's Avatar
    Join Date
    Aug 2004
    Location
    Miami Beach, FL
    Posts
    5,349

    Re: Stop Sasser or Similar by killing the source

    It could be spyware rather than a virus. But what I would do is this. Ok first of all, do you have access to any programs that detect and control what programs autorun in your computer?

  3. #3

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    No, I don't have any. I have SpywareBlaster and SpyBot. I have checked the registry and there are some programs there in "Run"... WinSys32Firewall looks suspicious to me but I haven't been able to find it.

    (Oh, and thank you for taking your time for trying to help me. I am right now using the computer I told you about. So if it takes me 15 minutes or more to answer, it is because I had to restart.)
    Last edited by Tec-Nico; Jul 31st, 2005 at 06:46 PM.

  4. #4
    Elite Hacker Jacob Roman's Avatar
    Join Date
    Aug 2004
    Location
    Miami Beach, FL
    Posts
    5,349

    Re: Stop Sasser or Similar by killing the source

    Then you do if you have Spybot Search & Destroy. Open the program. Click on the Tools button located in the bottom left hand side. Next click on System Startup. Those are your programs that autorun when you boot up Windows. Depending on the program you click on, you will get an info window on that program that tells you if it's suspicious or whether you need it or not. Then you can enable/disable whatever programs you want to autorun, or even delete it.

    The only program you need to autorun is Explorer.exe

  5. #5

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    You forgot to tell me it needed to be in advanced mode.
    Anyway, that's the same as messing with the registry, isn't it?

    Do I need to click on "Export"?

  6. #6
    Elite Hacker Jacob Roman's Avatar
    Join Date
    Aug 2004
    Location
    Miami Beach, FL
    Posts
    5,349

    Re: Stop Sasser or Similar by killing the source

    Nope. Just enable or disable what you want to autorun. Don't worry. This worked for me last time my computer was messed up.

  7. #7

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Very good.. But I don't know if it will work or not until I spend more time on-line.
    Thank you for your help and I hope this is the solution, because I am getting tired of restarting this computer.

  8. #8
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    Try NETSTAT /? It will list PIDs of apps that are using ports. Try the -b option to show .exe names. The -an option is also good. XP SP2 has -o also.
    Also, I have W2K Workstation, and think I'm up to SP6.

  9. #9
    Elite Hacker Jacob Roman's Avatar
    Join Date
    Aug 2004
    Location
    Miami Beach, FL
    Posts
    5,349

    Re: Stop Sasser or Similar by killing the source

    Anytime. If there's still a problem, let me know. I may have some ideas up my sleeve.

  10. #10
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    Once you're online, go to www.trendmicro.com and use their Online Virus Checker.

  11. #11

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Thank you, Jacob and David. I will try to see which exes are running and to know if I have a virus but so far, I did what Jacob told me to and I haven't had any problem so far.

    But I can't say this problem has been solved yet...

  12. #12
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    It might be time to invest in another hard drive. If one partition failed, that could mean that the other is close to dying. Load W2K onto the new one, and then add the old drive to copy your data. Make sure that you have a few extra accounts with admin privileges so that you can get back into it.

  13. #13
    Elite Hacker Jacob Roman's Avatar
    Join Date
    Aug 2004
    Location
    Miami Beach, FL
    Posts
    5,349

    Re: Stop Sasser or Similar by killing the source

    Harddrives are pretty cheap these days. I think I saw a 250 Gig one for $80 over on www.tigerdirect.com

  14. #14

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    David, it seems I don't have the -b option:

    Displays protocol statistics and current TCP/IP network connections.

    NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

    -a Displays all connections and listening ports.
    -e Displays Ethernet statistics. This may be combined with the -s
    option.
    -n Displays addresses and port numbers in numerical form.
    -p proto Shows connections for the protocol specified by proto; proto
    may be TCP or UDP. If used with the -s option to display
    per-protocol statistics, proto may be TCP, UDP, or IP.
    -r Displays the routing table.
    -s Displays per-protocol statistics. By default, statistics are
    shown for TCP, UDP and IP; the -p option may be used to specify
    a subset of the default.
    interval Redisplays selected statistics, pausing interval seconds
    between each display. Press CTRL+C to stop redisplaying
    statistics. If omitted, netstat will print the current
    configuration information once.

  15. #15

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Thank you, guys... But I can't get a new hard drive for this computer because it is a laptop. I am thinking about buying a new one but that would have to be until next month when I get paid, so I need to deal with this right now until then.

  16. #16
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    The -a option should show what you need. Try them out. It may take a second or two, but none will cause harm.

    NETSTAT is Network Statistics

  17. #17

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Thank you.. but sadly I still have the same problem.. what can I do?

  18. #18
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    What does NETSTAT tell you? Something is using the port.

  19. #19

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    This is what it tells me:

    D:\>netstat -a

    Active Connections

    Proto Local Address Foreign Address State
    TCP lonewolf:ftp lonewolf:0 LISTENING
    TCP lonewolf:http lonewolf:0 LISTENING
    TCP lonewolf:epmap lonewolf:0 LISTENING
    TCP lonewolf:https lonewolf:0 LISTENING
    TCP lonewolf:microsoft-ds lonewolf:0 LISTENING
    TCP lonewolf:1025 lonewolf:0 LISTENING
    TCP lonewolf:1026 lonewolf:0 LISTENING
    TCP lonewolf:1028 lonewolf:0 LISTENING
    TCP lonewolf:1031 lonewolf:0 LISTENING
    TCP lonewolf:1032 lonewolf:0 LISTENING
    TCP lonewolf:1801 lonewolf:0 LISTENING
    TCP lonewolf:3372 lonewolf:0 LISTENING
    TCP lonewolf:18350 lonewolf:0 LISTENING
    TCP lonewolf:1028 lonewolf:18350 ESTABLISHED
    TCP lonewolf:1030 lonewolf:0 LISTENING
    TCP lonewolf:2103 lonewolf:0 LISTENING
    TCP lonewolf:2105 lonewolf:0 LISTENING
    TCP lonewolf:2107 lonewolf:0 LISTENING
    TCP lonewolf:18350 lonewolf:1028 ESTABLISHED
    TCP lonewolf:netbios-ssn lonewolf:0 LISTENING
    UDP lonewolf:epmap *:*
    UDP lonewolf:snmp *:*
    UDP lonewolf:microsoft-ds *:*
    UDP lonewolf:1027 *:*
    UDP lonewolf:1029 *:*
    UDP lonewolf:3456 *:*
    UDP lonewolf:3527 *:*
    UDP lonewolf:netbios-ns *:*
    UDP lonewolf:netbios-dgm *:*
    UDP lonewolf:isakmp *:*

  20. #20
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    Here is my system for

    netstat -a

    Active Connections

    Proto Local Address Foreign Address State
    TCP piii550:epmap piii550:0 LISTENING
    TCP piii550:microsoft-ds piii550:0 LISTENING
    TCP piii550:1025 piii550:0 LISTENING
    TCP piii550:1026 piii550:0 LISTENING
    TCP piii550:netbios-ssn piii550:0 LISTENING
    UDP piii550:microsoft-ds *:*
    UDP piii550:netbios-ns *:*
    UDP piii550:netbios-dgm *:*
    UDP piii550:isakmp *:*
    UDP piii550:4500 *:*
    It is a clean system with NAV running, and it is connected to my laptop as a wireless print server.
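    An added example (not code from the thread): it parses `netstat -a` listings in the format quoted above, reports listening sockets the suspect machine has that the clean baseline does not, and flags the fan-out pattern the thread starter describes (one foreign port contacted on many distinct hosts). The hosts in the SYN_SENT rows and the names of the functions are constructed for the example.

    ```python
    """Parse Windows `netstat -a` output and surface two defender-side signals:
    listeners not present on a clean baseline, and Sasser-like outbound fan-out."""
    import re
    from collections import defaultdict

    # One row as printed by netstat: Proto, Local Address, Foreign Address, State (TCP only).
    LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


    def parse_netstat(text):
        """Return a list of row dicts; header and blank lines are skipped."""
        rows = []
        for line in text.splitlines():
            m = LINE_RE.match(line)
            if m:
                proto, lhost, lport, fhost, fport, state = m.groups()
                rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                             "fhost": fhost, "fport": fport, "state": state or ""})
        return rows


    def listeners(rows):
        """Set of (proto, local port) that accept traffic; UDP sockets always count."""
        return {(r["proto"], r["lport"]) for r in rows
                if r["proto"] == "UDP" or r["state"] == "LISTENING"}


    def extra_listeners(suspect_rows, clean_rows):
        """Listening sockets on the suspect box that the clean baseline lacks."""
        return sorted(listeners(suspect_rows) - listeners(clean_rows))


    def outbound_fanout(rows, local_name, min_hosts=5):
        """{foreign port: sorted foreign hosts} for every port contacted on at least
        min_hosts distinct remote hosts. Rows whose foreign end is the machine
        itself (e.g. lonewolf:0, lonewolf:18350) are loopback and are ignored."""
        by_port = defaultdict(set)
        for r in rows:
            if r["proto"] != "TCP" or r["state"] == "LISTENING":
                continue
            if r["fhost"] in (local_name, "*", "127.0.0.1"):
                continue
            by_port[r["fport"]].add(r["fhost"])
        return {p: sorted(h) for p, h in by_port.items() if len(h) >= min_hosts}


    # Constructed sample: the first rows mirror the thread's listings; the ftp rows
    # to foreign hosts are invented to show what a scanning process looks like.
    SUSPECT = """\
    Active Connections

      Proto  Local Address          Foreign Address        State
      TCP    lonewolf:ftp           lonewolf:0             LISTENING
      TCP    lonewolf:http          lonewolf:0             LISTENING
      TCP    lonewolf:epmap         lonewolf:0             LISTENING
      TCP    lonewolf:18350         lonewolf:0             LISTENING
      TCP    lonewolf:1028          lonewolf:18350         ESTABLISHED
      UDP    lonewolf:epmap         *:*
      TCP    lonewolf:1050          10.1.2.3:ftp           SYN_SENT
      TCP    lonewolf:1051          192.0.2.17:ftp         SYN_SENT
      TCP    lonewolf:1052          198.51.100.9:ftp       ESTABLISHED
      TCP    lonewolf:1053          203.0.113.44:ftp       SYN_SENT
      TCP    lonewolf:1054          10.77.0.2:ftp          SYN_SENT
      TCP    lonewolf:1055          10.4.4.4:http          ESTABLISHED
    """
    CLEAN = """\
      Proto  Local Address          Foreign Address        State
      TCP    piii550:epmap          piii550:0              LISTENING
      TCP    piii550:microsoft-ds   piii550:0              LISTENING
      UDP    piii550:microsoft-ds   *:*
    """

    if __name__ == "__main__":
        sus, cln = parse_netstat(SUSPECT), parse_netstat(CLEAN)
        print("listeners not on the clean box:", extra_listeners(sus, cln))
        print("fan-out by foreign port:", outbound_fanout(sus, "lonewolf"))
    ```

    On Windows 2000, which lacks `netstat -o`, the flagged local ports still have to be tied to a process by other means; the script only narrows down which connections to look at.
    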

  21. #21

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Then what do you suggest me to do?

  22. #22
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    Did you try the online virus checker at trendmicro.com? It is pretty good.

  23. #23

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Yes, but it told me I couldn't do it if my IE wasn't 5.5 (and sadly, it isn't, ever since I had to restore).. I tried to update to 6.0 but last time I did it told me the program was too big to fit in memory.

  24. #24
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    I think I would attempt a repair, and if that didn't work, a reinstall of Windows

  25. #25

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    I have tried that 6 times this month. Also, I downloaded a tool that is supposed to get rid of the Sasser and it says I don't have it. I also checked which were the symptoms and the program that is the root of it. However, the problem is that there might be a virus that acts in a similar way...

  26. #26
    Banned dglienna's Avatar
    Join Date
    Jun 2004
    Location
    Center of it all
    Posts
    17,901

    Re: Stop Sasser or Similar by killing the source

    I don't know. I have a W2K machine that is getting pretty full. Only 1/4 left on the only drive. Going to have to do something pretty soon.

    Try Avast! virus protection. I use it on my laptop. It is much quicker than NAV

  27. #27

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Thank you, David.. I have been trying to download avast! but I haven't had good luck so far.

  28. #28
    Hyperactive Member
    Join Date
    Sep 2002
    Location
    Okinawa, Japan
    Posts
    271

    Re: Stop Sasser or Similar by killing the source

    I had a similar problem a few months ago. It wasn't the Sasser, but another common one that I can't remember the name of.
    It was a program that kept redirecting my links, wouldn't let me update NAV, or let me view any virus protection web page. While I was or wasn't searching the Internet, Explorer would pop up at random times on different web pages. Running NAV and spyware removal programs didn't detect it. Looking for running processes showed nothing suspicious.
    It ended up being several malicious programs, one of whose job was to hide all the malicious files from view, from the process list and from being seen in the registry editor. It included a backdoor trojan that installed new malware and added it to the hidden process/file list.
    This one program hider was effective in stopping NAV from finding and removing the malware. This could be what is going on on your computer.
    Sasser may indeed be there; if another program is hiding it then nothing you run will detect it.

    I had to use the Ultimate Boot CD (google UBCD).
    Run the registry editor from the CD and load the registry hives from the Windows 2000 root partition on C. I then found a few entries in the Run key that were not there while the OS was running from C. Once these were removed, NAV was able to detect and remove most of the malware.

    Not sure that this is going to help you much unless you have an XP CD, a requirement to build the UBCD. Maybe a friend that has XP can make one and come over to help you out?

    packetvb

  29. #29
    Elite Hacker Jacob Roman's Avatar
    Join Date
    Aug 2004
    Location
    Miami Beach, FL
    Posts
    5,349

    Re: Stop Sasser or Similar by killing the source

    So it was a stealth virus. I've heard of these.

  30. #30
    Hyperactive Member
    Join Date
    Sep 2002
    Location
    Okinawa, Japan
    Posts
    271

    Re: Stop Sasser or Similar by killing the source

    Jacob Roman,
    Yes. I've run across this one other time since then but it was not as effective as the one incident I described. I've sent both to NAV.
    The problem is that these things are installed without the user knowing because of security holes in software. Most of the ones I have seen are by exploits in IExplorer.
    NAV and spyware removal programs can't catch them all because they rely on updated definitions, and once malware has launched that there is no definition for, then it's too late.
    So I decided to create my own software to stop this kinda crap. I have created software that will alert the user any time any new executable tries to start up and lets the user decide whether to allow it to continue.
    Later I will have it look at the executables and notify the user if it looks like a malicious program, based on what APIs the program wants to call. Like an executable that has 2 or 3 APIs only, with one being GetProcAddress, is a dead giveaway that it's malicious.
    Wow, I'm rambling.

  31. #31

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Thank you for your help Jacob, packetVB and David. I still have problems and I can't get Windows XP to be installed on this computer due to the restrictions of the OS.. do you have any version of the program you are talking about, packetVB?

    I use AntiVir and not NAV.

  32. #32
    Hyperactive Member
    Join Date
    Sep 2002
    Location
    Okinawa, Japan
    Posts
    271

    Re: Stop Sasser or Similar by killing the source

    Tec-Nico,

    It does seem odd that the computer acts like Sasser is on it but can't remove it. I bet that it's being hidden.

    You're not installing XP on the computer. You're using UBCD, which is a bootable XP CD with tools on it, then running from there. To burn the UBCD you need the XP CD so the software can copy files from the XP CD to create the bootable UBCD CD.
    Or, do you have the option of putting the hard disk in a second machine that already has a clean OS? If so you can run regedt32 and load the hive from the infected disk.

    Let me think more about it.

  33. #33

    Thread Starter
    Frenzied Member Tec-Nico's Avatar
    Join Date
    Jun 2002
    Location
    México
    Posts
    1,192

    Re: Stop Sasser or Similar by killing the source

    Thank you for your help, guys. PacketVB, I am sorry but I don't have anyone who could lend me that CD... And I can't place my hard-drive in a second machine with a clean OS.

    However, I found a way to prevent this behavior until I get a new machine. I developed a little program that would not let the computer deal with that kind of problems... If anyone is interested, I will post the code.

    I appreciate the time all of you took to try to help me... Thank you VERY much
