OT: Sasser worm making the rounds.

05-03-2004, 11:01 AM
Hope you have some firewall software.

The Sasser worm is a PITA.

05-03-2004, 11:49 AM
The best bet these days is to buy a router if you are on a high speed connection. This insulates your computer from the net by the use of network address translation. Effectively, only the router is visible on the net. It will not help with viruses though.
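An added illustration of what Evan describes above (example code, not from any poster or router vendor): a toy stateful NAT table. The PC's outbound web request gets a translation entry, the web server's reply matches that entry and is delivered, and an unsolicited connection attempt at TCP 445 (the LSASS/SMB port Sasser spread through) has no entry and is dropped before it reaches the PC. All addresses are constructed from the documentation ranges.

```python
"""Toy stateful NAT table, illustrating why a home router hides the PC.

Added example for this thread; not code from any router vendor or poster.
Addresses are constructed from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"  # router WAN address as seen from the Internet (constructed)
LAN_HOST = "192.168.1.20"   # the PC behind the router (constructed)


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Outbound packets create a translation entry; inbound packets are
    forwarded only when they match one. Unsolicited inbound traffic is dropped."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_port
        # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public port
        self._out: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self._in: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: allocate (or reuse) a public port and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._out:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self._out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> router: forward only if a LAN host started this conversation."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self._in.get(key)
        if entry is None:
            self.dropped.append(pkt)   # no mapping: the probe never reaches the PC
            return None
        lan_ip, lan_port = entry
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)


def demo() -> dict:
    """Walk one web fetch and one unsolicited probe through the router."""
    router = NatRouter(PUBLIC_IP)

    # 1. The PC opens a web connection; the router rewrites the source to its own address.
    request = Packet("tcp", LAN_HOST, 51000, "198.51.100.5", 80)
    on_wire = router.outbound(request)

    # 2. The web server's reply matches the mapping and is delivered to the PC.
    reply = Packet("tcp", "198.51.100.5", 80, PUBLIC_IP, on_wire.src_port)
    delivered = router.inbound(reply)

    # 3. An unsolicited connection attempt at TCP 445 (the LSASS/SMB port Sasser
    #    spread through) has no mapping, so the router drops it.
    probe = Packet("tcp", "198.51.100.77", 4321, PUBLIC_IP, 445)
    forwarded = router.inbound(probe)

    return {
        "translated_src": (on_wire.src_ip, on_wire.src_port),
        "reply_delivered_to": (delivered.dst_ip, delivered.dst_port) if delivered else None,
        "probe_forwarded": forwarded is not None,
        "dropped": len(router.dropped),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The table is the whole story: the Internet only ever sees the router's address and the ports it handed out, so a scanner looking for port 445 on the public address finds nothing behind it. As Evan notes, this does nothing for anything the PC fetches itself, which is why the PC still needs its own antivirus and patches.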

05-03-2004, 11:55 AM
Thanks for that lead Dan. I'm pretty sure my home 'confuser' is infected.
My wife got a "...shutting down.." message right after connecting and downloading email this weekend. Was then unable to reestablish connection to normal ISP. So, thinking maybe I had a modem problem, I tried to install AOL. That process was able to connect, but then before completing the signup process, I again got a "...shutting down..., save your work..." message.

I just did a google search and found some recommended actions for purging and cleaning it up. Will try those.

05-03-2004, 12:08 PM

Yep, that's what it does...over and over and over.

It mentions lsass.exe and a return code.

You don't get it through email or surfing the internet. Something out there probes for an available port on your machine and nails your machine.

Zone Alarm has been blocking access to my home PC all weekend long. Now I'm guessing that activity was from this worm.

I really like Evan's idea for preventing access. Seems like almost a sure thing for preventing successful port probing.

Last year my machine kept getting probed by the same IP address. I checked ARIN (???) and it was someone using a machine registered to a Pacific Rim company. Thank goodness Zone Alarm blocked it.

Evan, what router(s) do you recommend for home use? I don't have a static IP address. Will a router still work for me?

[This message has been edited by pgmrdan (edited 05-03-2004).]

Dr. Rob
05-03-2004, 01:14 PM
That ARIN thing... What is that, and how do you do it?

05-03-2004, 01:38 PM

Sure, you don't need a static IP. The router will request an IP when it is reset. If you leave the router on all the time it will hold on to the IP that has been assigned even if the computer is turned off. The DHCP server will ping the router from time to time and the router will respond so the DHCP server will leave the IP assigned. As for brands it really doesn't matter, D-Link, Linksys or whatever. Routers are cheap these days.

05-03-2004, 02:11 PM
Thanks Evan! I looked into this a few years ago and I thought at that time there was a static IP address required but I may have been misinformed or things may have changed. Good to hear I can get a router now. And yes, they are extremely cheap compared to the last time I looked into it.

Dr. Rob, at www.arin.net (IIRC) you can look up registered IP addresses to find out who owns them. You can also use a URL to find out the range of IP addresses registered to them. UNIX and similar OSes have the whois command. I think it goes to ARIN for the information it provides.

Actually, I may have used another site to look up that Pacific Rim dude. There's a site similar to ARIN that's used for other parts of the world.

When someone tries to probe for available ports on my machine Zone Alarm pops up a warning that includes the IP address of the intruder. You can go to ARIN with the IP address and find out who owns the IP address if they are registered with ARIN. The problem is there may be a range of IP addresses assigned to an ISP so you can't really narrow it down but you know who to contact if the problem persists.

Several times I've looked up an IP address only to find out it's my ISP snooping on my activities. I enjoy turning them down. :)

Zone Alarm Pro will actually let you click on a field on the warning message and automatically give you the ARIN information in its own format.

[This message has been edited by pgmrdan (edited 05-03-2004).]

05-03-2004, 02:23 PM
I would like to recommend this book to anyone that really wants to secure their computer. Also, this website has a lot of good links to security related information. This is a subject that anyone who uses a computer and depends on it needs to know to some degree.


05-03-2004, 02:34 PM
Dan, nearly all the activity you are seeing is due to port scanning and pinging. A ping request is used to determine if there is a live computer at a particular address. Your ISP is pinging your computer to see if the IP should stay assigned. If you block ping requests and don't send or receive any data for an extended period of time you may find your connection has been dropped in which case you will have to renew (98) or "repair" (XP) the connection or restart the computer. Most people will never see this as most computers have some sort of spyware which will be phoning home on a regular basis. Even the freakin' mouse driver for my Microsoft trackball tries to phone home every two weeks. If you have an HP computer or have installed any Kodak software you will have something called "Backweb" which may be used as a form of spyware. Even just Windows update if set to automatic will produce regular network traffic.
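An added example (not a tool from ARIN, Zone Alarm or anyone in this thread) tying together pgmrdan's ARIN lookup above and Evan's point about ISP pings: it reads the NetRange / CIDR / OrgName fields out of a whois record, checks whether each firewall alert's source falls inside that range, and sorts the alerts into "my ISP checking the lease", "unsolicited hit on a Windows service port" and "nothing known". The whois text and alert lines are constructed, the alert layout is a generic CSV shape rather than Zone Alarm's real log format, and every address is from the documentation ranges, so it runs offline and points at no real network.

```python
"""Attribute desktop-firewall alerts to a registry record and triage them.

Added example for this thread; not a tool from ARIN, Zone Alarm or any vendor.
The whois text and alert lines are constructed, and every address comes from
the RFC 5737 documentation ranges, so nothing here points at a real network.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed record in the NetRange / CIDR / OrgName layout ARIN's whois
# service prints. It stands in for the output of `whois <address>` on a UNIX
# box; this script fetches nothing from the network.
WHOIS_SAMPLE = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        EXAMPLE-CABLE-NET
OrgName:        Example Cable ISP (constructed)
OrgId:          EXAMPLE-ISP
"""

# Constructed alert lines: action,timestamp,source,destination,protocol.
# The layout is a generic CSV shape, not Zone Alarm's exact log format.
ALERTS = [
    "FWIN,2004/05/03 11:01:22,203.0.113.1:0,192.168.1.20:0,ICMP echo request",
    "FWIN,2004/05/03 11:02:08,198.51.100.77:4321,192.168.1.20:445,TCP",
    "FWIN,2004/05/03 11:02:09,198.51.100.77:4322,192.168.1.20:139,TCP",
    "FWIN,2004/05/03 11:05:40,192.0.2.9:53,192.168.1.20:1025,UDP",
]

# Windows RPC, NetBIOS session and SMB ports. 445 is the one Sasser's LSASS
# exploit used; unsolicited inbound hits on any of them deserve a look.
WINDOWS_SERVICE_PORTS = {135, 139, 445}


def parse_whois(text: str) -> Dict[str, str]:
    """Reduce a 'Key:   value' whois reply to a dict (last value wins)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def registered_networks(fields: Dict[str, str]) -> list:
    """Networks covered by the record: the CIDR line, else the NetRange span."""
    if "CIDR" in fields:
        return [ipaddress.ip_network(c.strip(), strict=False) for c in fields["CIDR"].split(",")]
    if "NetRange" in fields:
        lo, hi = (s.strip() for s in fields["NetRange"].split("-"))
        return list(ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return []


def parse_alert(line: str) -> dict:
    """Split one CSV alert line into its addressing fields."""
    action, stamp, src, dst, proto = line.split(",", 4)
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"action": action, "time": stamp, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "proto": proto}


def triage(alert: dict, nets: list, owner: str) -> dict:
    """Attach the record's owner when the source is in its range, then a verdict."""
    src = ipaddress.ip_address(alert["src"])
    from_owner = any(src in n for n in nets)
    if from_owner and alert["proto"].upper().startswith("ICMP"):
        verdict = "isp-keepalive-ping"      # the ISP checking that the lease is still alive
    elif from_owner:
        verdict = "isp-other"
    elif alert["proto"].upper() == "TCP" and alert["dport"] in WINDOWS_SERVICE_PORTS:
        verdict = "worm-style-probe"        # unsolicited hit on a Windows service port
    else:
        verdict = "unattributed"
    return {"src": alert["src"], "dport": alert["dport"],
            "owner": owner if from_owner else None, "verdict": verdict}


def triage_all(alert_lines: List[str], whois_text: str) -> List[dict]:
    """Parse the record once, then classify every alert against it."""
    fields = parse_whois(whois_text)
    nets = registered_networks(fields)
    owner = fields.get("OrgName", "unknown")
    return [triage(parse_alert(line), nets, owner) for line in alert_lines]


if __name__ == "__main__":
    for r in triage_all(ALERTS, WHOIS_SAMPLE):
        print(f'{r["src"]:>16} -> port {r["dport"]:<5} {r["verdict"]:<20} owner={r["owner"]}')
```

Note that the record only ever names the organisation holding the range, which is pgmrdan's point: you learn which ISP to contact, not which subscriber. The parser is written for the ARIN-style field layout shown; the other regional registries print their records in different layouts, so a lookup that lands elsewhere needs its own handling.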

05-03-2004, 02:44 PM

(said in the voice of Dale Gribble from King of the Hill) Is that really true or is that just what they'd like you to believe? :)

Just joking.

I know you're right. I know my ISP is on the up-and-up when pinging my machine but I just make it a policy to say 'no' to all probe-like activity. I don't always remember if it's my ISP's IP or have the time to look up the IP so when in doubt I 'Just Say NO!'. :)

I haven't noticed any problems with saying no so I continue to do so. And if it's my ISP, all the better. Keep 'em guessing! :)

[This message has been edited by pgmrdan (edited 05-03-2004).]

05-03-2004, 02:49 PM
Here's a fun program. It will show you on a map exactly where anyone is on the internet. It's free from McAfee. You don't have to register when it says so, just hit the cancel button and it works anyway. Enter any internet domain name or IP address and it will trace it.


[This message has been edited by Evan (edited 05-03-2004).]

J Tiers
05-03-2004, 05:42 PM
I used to trace the stuff that ZA alerted me to when I had the free version. I had to close the alert boxes with that version.

With ZA Pro (and maybe the free one) I finally shut off notification. Sometimes I look at the log.

Point being, probably the IP address listed as the origination is false, "spoofed". If not spoofed, it may be an infected computer following zombie instructions to probe automatically and phone home results.

Either way, the poor sap who really is that IP address most likely has nothing to do with the originator of the probes. Of course a really stupid hacker might be really doing it from their own personal cable modem connection, but..........

05-03-2004, 05:53 PM
J Tiers is right. Any hacker who isn't already in jail will "spoof" the IP address, do his hacking from a public terminal and/or use a chain of open proxy servers.

05-03-2004, 07:03 PM
Come on. The majority of the 'hackers' are probably 12 to 15 years old. They're just fiddle farting around until they're old enough to drive and chase girls.

Do you guys think these 13 year old script kiddies are smart enough to do things right? They just download something off the internet, point it at someone, and shoot!

Of course, they're probably not going to do serious damage. But the serious damage isn't going to be directed at people like you and me. The serious damage will be directed at businesses.

I just need to protect myself from the script kiddies, for the most part.

05-03-2004, 07:07 PM

You need to read this. Things have changed, a lot.


05-03-2004, 07:20 PM
Sounds like the criminal world is creating spam using a similar technology that science is using with the SETI project. Only the PC owners don't realize they're providing CPU cycles to the underworld.


[This message has been edited by pgmrdan (edited 05-03-2004).]

05-04-2004, 01:37 AM
It is a huge problem. One thing I haven't seen yet is using images instead of text to send a spam message. If you use only an inline image in the e-mail there is no way to filter it since there is no text in the e-mail. This image has been optimized to only use 4K.


05-04-2004, 12:07 PM
I'll bet sales of routers, software and all other hardware firewalls take a REALLY big jump with the Sasser worm.

It might cause some to begin to wonder about where worms like this really originate from ;)

Too many dollars are involved in this crap.