Date: Tue, 04 May 2004 03:57:10 -0300
From: Dexter J <lamealameadingdongnospamlamelame.org>
Subject: OT- Heads Up - Sasser plug


Salutations: I worked through a Sasser attempt on my W2K thin server prototype last week and below are basic instructions for locking down port 445 on your machine. This is only a workaround and requires that you are not as yet compromised and that you will/have immediately applied MS patch 835732 from this link:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Please note that disabling port 445 may interfere with some types of DHCP ISP and LAN/WAN connections, so it is advisable to make note of the steps below in case you need to reverse this workaround. You will need a hardware firewall device to properly secure your workstation in this eventuality - but you will also need to review this alert before purchasing a unit:

http://securityresponse.symantec.com/avcenter/security/Content/10183.html

SASSER and ports 445 (TCP UDP)

A:) Confirm you are not infected using the start menu function 'run' to execute the command 'regedit'. Once your registry editor opens use Edit > Find and search for 'avserve2.exe' across the complete registry file.

- Start>Run: regedit
- Edit>Find: avserve2.exe

If found - update your anti-virus definitions immediately and run a complete sweep. You may then need to remove the machine from the network for professional service, dependent upon your skill level regarding the registry file.

B:) Having confirmed you are not yet infected - exit registry editor and return to your main screen. Right click on the 'My Computer' icon and choose 'properties'. Click on the 'Hardware' tab and open 'Device Manager'. Once open, choose 'view' and select 'Show Hidden Devices'. Open 'Non-Plug and Play Drivers', right click 'NetBios over Tcpip' and select 'Properties'. Finally there - choose the 'disable' option under the 'Device usage' menu, press OK and reboot as indicated.

- (RC)My Computer>properties;
- Hardware>Device Manager>View>Show Hidden Devices;
- Non-Plug and Play Drivers>NetBios over Tcpip>(RC)properties;
- Device Usage: Do not use this device (disable);
- Press OK and reboot as indicated.

You may also wish to disable netBios from your network icon properties menu and the TCP/IP Helper Service from your services stack if a DHCP or netBios Service error appears in your system event log.

At this point you have shut down netBios and TCP UDP port 445 completely and, as above, it may or may not impact your Internet connection and/or your home network configuration. Neither the worm nor the workaround above has impacted my node here, however as many of the older regulars will remember I have several 'special' routines built into Radio Free Dexterdyne in this regard.. :) ..

This is sort of a follow up to this post of 2003/08:

http://groups.google.ca/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3F3886AE.E6BA42C4%40lamelamelame.org

If you decide to pass this workaround out - I would greatly appreciate that you leave my sig tag below intact, as feedback regarding effectiveness in other workstation environments would be appreciated.

All the usual disclaimers - Cheers and best wishes.

--
J Dexter - webmaster - http://www.dexterdyne.org/
all tunes - no cookies no subscription no weather no ads no news no phone in - RealAudio 8+ Required - all the Time
Radio Free Dexterdyne Top Tune o'be-do-da-day
Joe Cocker - Bird on a Wire
http://www.dexterdyne.org/888/060.RAM
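A verification script for the two steps above, added here as an example and not part of Dexter's post. It assumes a modern Windows PowerShell host (not the W2K box described); the indicator name 'avserve2.exe' and port 445 come from the post, while the autostart keys it scans and the NetBT registry path are assumptions standing in for the whole-registry Edit > Find.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+
# with the NetTCPIP module (Get-NetTCPConnection), i.e. Windows 8 / 2012 or later.
$Indicator = 'avserve2.exe'   # indicator named in the post

# Autostart locations to inspect: an assumed, bounded subset of the
# whole-registry search the post performs with regedit Edit > Find.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-IndicatorInAutostart {
    param([string[]]$Keys, [string]$Name)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip provider metadata
            if ("$($p.Value)" -match [regex]::Escape($Name)) {
                [pscustomobject]@{ Key = $key; ValueName = $p.Name; Data = $p.Value }
            }
        }
    }
}

# Step A: is the Sasser indicator referenced from an autostart entry?
$hits = @(Find-IndicatorInAutostart -Keys $AutostartKeys -Name $Indicator)
if ($hits.Count -gt 0) {
    Write-Warning "'$Indicator' found; update AV definitions and run a complete sweep:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No '$Indicator' autostart entry found."
}

# Step B: after disabling 'NetBios over Tcpip', confirm the driver is set to
# Disabled (Start = 4) and that nothing is listening on TCP 445.
$netbtPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT'   # assumed path
$netbt = Get-ItemProperty -Path $netbtPath -ErrorAction SilentlyContinue
$startText = switch ($netbt.Start) { 4 {'Disabled'} 1 {'System'} 0 {'Boot'} default {"$($netbt.Start)"} }
Write-Host "NetBT driver start type: $startText"

$listen445 = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listen445) {
    Write-Warning 'TCP 445 is still listening; the workaround is not in effect (reboot pending?).'
} else {
    Write-Host 'Nothing is listening on TCP 445.'
}
```

On current Windows releases TCP 445 is served by the SMB server drivers rather than by NetBT, so the listening-port check, not the NetBT start type, is the authoritative result there.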

The content on this site may not be republished without permission. Copyright © 1988-2019 - The Saab Network - saabnet.com.