Saturday, December 2, 2006

What is the Sasser worm, and how do you fix it?

The Sasser worm spreads over network connections without any action by the user: it can sweep an entire network of computers or a single machine connected to the Internet. It exploits a known Windows vulnerability in the LSASS service, reachable over TCP port 445, that is easily patched, yet many systems still do not have the patch installed. The worm targets Windows 2000 and Windows XP machines; Windows NT 4.0 and Windows Server 2003 are covered by the same security update and should be patched as well.

The patch from Microsoft, security update MS04-011 (April 2004), fixes the following vulnerabilities; the LSASS one is the hole Sasser uses:
- LSASS Vulnerability
- LDAP Vulnerability
- PCT Vulnerability
- Winlogon Vulnerability
- Metafile Vulnerability
- Help and Support Center Vulnerability
- Utility Manager Vulnerability
- Windows Management Vulnerability
- Local Descriptor Table Vulnerability
- H.323 Vulnerability
- Virtual DOS Machine Vulnerability
- Negotiate SSP Vulnerability
- SSL Vulnerability
- ASN.1 "Double-Free" Vulnerability


What are the Symptoms of the Sasser worm?
When you are infected you will see a system shutdown dialog with a countdown; when it reaches zero the system shuts down completely. The warning states "This shutdown was initiated by NT AUTHORITY\SYSTEM" and that the system process lsass.exe terminated unexpectedly.

The countdown dialog may be preceded by a separate error message reporting that lsass.exe has encountered a problem.

You can cancel this shutdown by following the steps below during the countdown:

1. Click on Start, Run
2. Type CMD and press ENTER
3. Type the following command and press ENTER:
shutdown -a

This aborts the shutdown. In most cases, however, the system is too unstable to recover and will need to be rebooted anyway; cancelling the countdown mainly buys you time to disconnect from the network.

How Does Sasser Infect My Computer?
When W32.Sasser.Worm runs, it does the following:

1) Attempts to create a mutex named Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.

2) Copies itself to the %Windir% directory (usually C:\WINDOWS or C:\WINNT) as avserve.exe; later variants use avserve2.exe or skynetave.exe.

3) Adds one of the following values (depending on the variant) to the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs at Windows startup:
"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"="%Windir%\skynetave.exe"

4) Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.

5) Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.

6) Enumerates the IP addresses of the infected host itself and picks one that is not in any of the following loopback, private or link-local ranges, to use as the starting point for scanning:
127.0.0.1
10.x.x.x
172.16.x.x - 172.31.x.x (inclusive)
192.168.x.x
169.254.x.x

7) Starting from that address, the worm generates a target IP address. 52% of the time the address is completely random; 23% of the time the first octet is kept and the last three octets are random; 25% of the time the first two octets are kept and the last two are random.
Because the worm can generate completely random addresses, any IP range can be hit. Scanning runs in 128 parallel threads, which consumes a lot of CPU time; as a result an infected computer may become so slow that it is barely usable.

8) Connects to the randomly generated IP address on TCP port 445 to determine if a remote computer is online.

9) If a connection is made to a remote computer, the worm will send shell code to it, which may cause it to open a remote shell on TCP port 9996.

10) Uses the shell on the remote computer to connect back to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.

11) The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in 1 minute.

12) Creates a file C:\win.log (C:\win2.log in the Sasser.B variant) containing the IP address of the computer the worm most recently attempted to infect, as well as a count of infected computers.
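As an added example (not part of the original post or of any vendor tool), here is a small Python script that checks the indicators listed above against data you would collect from a suspect machine: a .reg export of the HKLM Run key (regedit, File, Export), the output of netstat -an, and a listing of %Windir% and C:\. The samples embedded in the script are constructed for illustration; on a real machine you would feed it the exported files instead.

```python
"""Check a Windows 2000/XP host's artefacts for W32.Sasser indicators.

Added example, not from the original post or any vendor tool. The inputs
below are constructed samples; on a real machine feed in a .reg export of
the Run key, the output of 'netstat -an' and a listing of %Windir% and C:\\.
"""
import re

RUN_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"
SASSER_EXES = {"avserve.exe", "avserve2.exe", "skynetave.exe"}  # per variant
SASSER_PORTS = {5554, 9996}                 # worm FTP server, remote shell
SASSER_LOGS = {r"c:\win.log", r"c:\win2.log"}
DROPPER_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)  # e.g. 74354_up.exe


def parse_reg_run_key(reg_text):
    """Return {value_name: data} for the string values under the HKLM Run key
    of a regedit export. regedit doubles every backslash in exported data."""
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):                 # a new key starts here
            in_run_key = line.lower() == RUN_KEY.lower()
            continue
        if in_run_key:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def parse_listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from 'netstat -an'."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def find_sasser_indicators(reg_text, netstat_text, file_paths):
    """Combine the three indicator types into a list of findings (empty if clean)."""
    findings = []
    for name, data in parse_reg_run_key(reg_text).items():
        exe = data.rsplit("\\", 1)[-1].lower()
        if name.lower() in SASSER_EXES or exe in SASSER_EXES:
            findings.append(f"Run value {name} -> {data}")
    for port in sorted(parse_listening_ports(netstat_text) & SASSER_PORTS):
        findings.append(f"listener on TCP {port}")
    for path in file_paths:
        base = path.rsplit("\\", 1)[-1]
        if (base.lower() in SASSER_EXES or DROPPER_RE.match(base)
                or path.lower() in SASSER_LOGS):
            findings.append(f"file {path}")
    return findings


# --- constructed samples (not captured from a real infection) ---------------
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"avserve.exe"="C:\\WINDOWS\\avserve.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\cleanup.exe"
"""

SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       198.51.100.7:445       SYN_SENT
  UDP    0.0.0.0:445            *:*
"""

SAMPLE_FILES = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\avserve.exe",
                r"C:\WINDOWS\74354_up.exe", r"C:\win.log"]

if __name__ == "__main__":
    for finding in find_sasser_indicators(SAMPLE_REG, SAMPLE_NETSTAT, SAMPLE_FILES):
        print("SASSER INDICATOR:", finding)
```

Run it on the exported files from a disconnected machine; a clean host returns no findings. The listener check is the quickest one to do by hand too: an FTP server on 5554 or a shell on 9996 has no business on a workstation.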
How Can I Remove the Sasser worm?

Follow these steps to remove the Sasser worm.

1) Disconnect your computer from the local area network and the Internet.

2) Terminate the running worm process.
Open the Windows Task Manager (press CTRL+ALT+DEL and click Task Manager, or press CTRL+SHIFT+ESC) and select the Processes tab on Windows NT/2000/XP machines.
Locate any of the following processes (which one depends on the variant), click on it and choose End Process:
- avserve.exe
- avserve2.exe
- skynetave.exe
- any process whose name ends in _up.exe (for example 74354_up.exe)
Close Task Manager.

3) Activate the Windows XP firewall (if running Windows XP) or another firewall that blocks incoming TCP port 445, so the worm cannot re-infect and shut down your system while you download the patch.

To activate the Windows XP firewall, follow these steps.
1. Click on Start, Control Panel
2. Double-click on Networking and Internet Connections, then click on Network Connections
3. Right-click on the connection you use to access the Internet and choose Properties
4. Click on the Advanced tab and check the box "Protect my computer and network by limiting or preventing access to this computer from the Internet"
5. Click OK and close the Network Connections window and Control Panel

4) Remove the registry entries.
1. Click on Start, Run, type Regedit and press ENTER
2. In the left panel go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
3. In the right panel, right-click and delete whichever of the following values is present:
"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"="%Windir%\skynetave.exe"
4. Close the Registry Editor

5) Delete the infected files. On Windows ME and XP, turn off System Restore first so that infected copies saved in restore points are removed as well.
1. Click Start, point to Find or Search, and then click Files or Folders.
2. Set "Look in" to the Windows directory (C:\WINDOWS, or C:\WINNT on Windows 2000) for the executables, and to the C: drive for the log file.
3. In the "Named" or "Search for..." box, type the file names:
avserve.exe
avserve2.exe
skynetave.exe
*_up.exe
win.log and win2.log (in the root of C:)
4. Click Find Now or Search Now.
5. Delete the displayed files and empty the Recycle Bin.

6) Install the MS04-011 security update before reconnecting to the network; an unpatched machine will simply be re-infected by the next scan that reaches it.
Friday, December 1, 2006

Repair or Reinstall Internet Explorer6 and Outlook Express 6

According to Microsoft, if you are having trouble with either Internet Explorer 6 or Outlook Express 6 because of damaged files or missing registration information (XP component registration, not your name and address), you will need to either repair or reinstall the affected installation. I'm going to go over two ways that Microsoft suggests for dealing with IE6 and OE6 problems. Read over the entire article before deciding which method to use. At the end of Method I, I've mentioned what I'd consider the best solution to this problem.

Method I
One likely cause of IE6 and OE6 not functioning properly is a corrupted file. Microsoft says this is the "most" likely cause, but I think that's wishful thinking. To run a check on the files and see if one or more is corrupted use the System File Checker that is included with Windows XP.


Click [Start] [Run] and type sfc /scannow in the [Open] box.(Note that there is a space between sfc and /scannow)

In all likelihood you will be prompted to insert the Windows XP CD ROM. If you don't have it available there is no point in continuing unless you have the files available on your hard drive and have changed the location of the XP installation files in the registry. If you do have the files copied to the hard drive, the default install location may be modified using the registry edit shown below.

[Start] [Run] [Regedit]
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.
Data Type: REG_SZ (String Value) // Value Name: SourcePath
Setting for Value Data: [Set to the path of the installation files, e.g. G:\WXPCCP_EN]
Exit Registry and Reboot

Running System File Checker is not a fast process. The machine I use for the majority of my everyday work is only a P-III 866 with 784MB RAM and a 20GB/5400 RPM C drive and it took between 7-8 minutes running off the hard drive. Expect much longer times if you run from the CD. Once the System File Checker has finished, reboot and test to see if the problem has been resolved. If the problem still exists you have three choices.

- In-place upgrade of Windows XP
- Repair Windows XP
- Reinstall Windows XP

Since I'm 100% against upgrade installations of XP I won't recommend that option. A repair of Windows XP may solve the problem, but the fact that the problem arose in the first place makes me suspicious of the current installation's overall integrity. I suggest a complete reinstall of XP after backing up all data files. However, before you select any of the above choices, look at Method II below.


Method II

The second method to try to correct the problem involves editing the registry and reinstalling Internet Explorer 6. The standard cautions apply whenever you are editing the registry: export the key first so you can restore it.

If you are having problems only with Internet Explorer 6, proceed as follows:

[Start] [Run] [Regedit]
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.
Data Type: DWORD // Value Name: IsInstalled
Setting for Value Data: [Change the Value from 1 to 0]
Exit Registry

If you are having problems only with Outlook Express 6, proceed as follows:

[Start] [Run] [Regedit]
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Modify/Create the Value Data Type(s) and Value Name(s) as detailed below.
Data Type: DWORD // Value Name: IsInstalled
Setting for Value Data: [Change the Value from 1 to 0]
Exit Registry

If you are having problems with both Internet Explorer 6 and Outlook Express 6, proceed as follows:

Change the values in both of the registry keys as outlined above.
Exit Registry

Once you have made the appropriate registry changes, download Internet Explorer 6 from Microsoft and install it. The Internet Explorer 6 download includes Outlook Express 6. Setting IsInstalled to 0 tells Active Setup that the component is not present, which is why the installer reinstalls it instead of reporting that the same or a newer version is already installed. Reboot and test for proper operation.

How To Create a Bootable USB Flash Drive

Create Bootable USB Flash Drive
Requirements:

- A computer with a BIOS that allows for booting from a USB port.

- A Bootable floppy disk or CD.
I used a Windows 98 bootable CD. For those who have Dell systems, you can also use the bootable Windows XP CD that is used to reinstall your system with Windows XP.
- Utilities with the ability to create a master boot record, create partitions, set active partitions, and format and transfer boot files to the active partition
- Of course, the USB drive that you want to make bootable
I used a 256MB SanDisk Cruzer Mini USB Flash Drive.

Directions

1. Make the USB drive the first in the drive sequence.

Why?? fdisk does not allow for a partition to be set as ACTIVE (bootable) unless it is the first drive. It is most likely that your hard drive(s) is set as the first drive. This needs to be changed.

How?? Setting your USB drive to be the first in the drive sequence can be done by following ONE of the methods below. No matter which method you follow, the computer MUST be booted with the USB drive plugged into the computer. Take a note of how the options you are about to change were set before, as they will need to be changed back later.

Method # 1. BIOS drive sequence option.
Depending on your BIOS, there may be an option to change the drive sequence. On mine, there was an option labeled "Hard-Disk Drive Sequence". If your BIOS has this or a similar option, make sure you change the sequence so that the USB Drive is listed first.

Method # 2. Disabling other hard drives.
Again, this is done from the BIOS. Different BIOS's may have different options to disable the hard drive. On mine, the system had just one hard drive. I changed the option labeled "Primary Drive 0" to "OFF".

Method # 3. Unplugging the hard drives.
If your BIOS doesn't have an option to change the drive sequence or to turn off the hard drive, you can turn off your computer and unplug your hard drive(s). Make sure you know what you are doing here. Opening your computer case may result in voiding your computer warranty if you have one.

2. Boot the computer from the boot floppy/CD into the command prompt with the USB Drive plugged in.

3. Run fdisk

4. Use fdisk's "Set Active Partition" (option 2) to set the primary partition on the USB Drive to ACTIVE.
This step assumes that a primary partition already exists on the USB Drive. If this is not the case, use fdisk to create one. As noted in step # 1, fdisk will not allow setting the partition to ACTIVE unless the drive the partition is on is the FIRST in the drive sequence.

5. Exit fdisk.

6. Reboot the computer from boot floppy/CD into the command prompt with the USB Drive plugged in.

7. At the command prompt enter the following command: dir c:
This step is just to verify that C: is actually the primary partition on the USB Drive and not your hard disk. Whether the command lists files or reports an error does not matter; what matters is that the total space reported (used plus free) roughly matches the size of the USB Drive's primary partition. If it matches your hard disk instead, stop here: the format in the next step would wipe the wrong drive.

8. Format and copy the boot files to the primary partition.
At the command prompt, from the directory where FORMAT.COM is located, enter: format /s c:
9. Run fdisk /mbr
"fdisk /mbr" rewrites the boot code in the master boot record (the first 446 bytes of sector 0), in this case on the USB drive, without altering the 64-byte partition table that follows it.

10. Restart the computer and choose booting from the USB Drive. If all goes well, you should see a C:> command prompt.

11. Change the computer settings back to what they were before step # 1.
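To make steps 4, 8 and 9 concrete, here is an added Python example (not from the original post) that parses a 512-byte MBR, reports which partition carries the active flag that fdisk's option 2 sets, and shows what fdisk /mbr changes: the boot code, not the partition table. The MBR it works on is constructed inside the script (build_sample_mbr, a hypothetical single FAT16 partition); on a real drive you would read sector 0 of the USB device instead. Field offsets are the standard MBR layout.

```python
"""Inspect and modify a 512-byte master boot record (MBR).

Added example, not from the original post. The sample MBR is constructed in
build_sample_mbr(); on a real drive you would read sector 0 instead.
"""
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code that 'fdisk /mbr' rewrites
TABLE_OFFSET = 446            # bytes 446..509: four 16-byte partition entries
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511: required for the BIOS to boot
ACTIVE = 0x80                 # status byte value that marks the active partition
SECTOR_SIZE = 512


def parse_partition_table(mbr):
    """Return a list of dicts for the non-empty entries of the partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:
            continue                       # empty slot
        entries.append({"index": i, "active": status == ACTIVE, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors,
                        "size_mb": sectors * SECTOR_SIZE // (1024 * 1024)})
    return entries


def is_bootable(mbr):
    """The BIOS hands off to the MBR only with a valid signature; the standard
    MBR boot code then needs exactly one active partition, which is what
    fdisk's 'Set Active Partition' provides."""
    return sum(p["active"] for p in parse_partition_table(mbr)) == 1


def set_active(mbr, index):
    """Mark one entry active and clear the others (fdisk menu option 2)."""
    out = bytearray(mbr)
    for i in range(4):
        out[TABLE_OFFSET + i * ENTRY_SIZE] = ACTIVE if i == index else 0x00
    return bytes(out)


def rewrite_boot_code(mbr, code):
    """What 'fdisk /mbr' does: replace the boot code, keep the table and signature."""
    if len(code) > BOOT_CODE_SIZE:
        raise ValueError("boot code must fit in 446 bytes")
    return code.ljust(BOOT_CODE_SIZE, b"\x00") + mbr[BOOT_CODE_SIZE:]


def build_sample_mbr(active=True):
    """Constructed MBR with one FAT16 (type 0x06) primary partition of 500000
    sectors (about 244 MB) starting at LBA 63; not read from any real device."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:2] = b"\xeb\xfe"             # placeholder boot code: 'jmp $'
    mbr[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", ACTIVE if active else 0x00, b"\x01\x01\x00", 0x06,
        b"\xfe\xff\xff", 63, 500000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    mbr = build_sample_mbr(active=False)
    print("bootable before fdisk:", is_bootable(mbr))
    mbr = set_active(mbr, 0)
    print("bootable after 'Set Active Partition':", is_bootable(mbr))
    for p in parse_partition_table(rewrite_boot_code(mbr, b"\x33\xc0")):
        print(p)                           # table survives the boot-code rewrite
```

The size_mb field is the same sanity check as the dir c: step: it should match the USB drive, not your hard disk. If you read sector 0 of the wrong device and write it back, you overwrite your hard disk's boot code, so check the parsed table before writing anything.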

I had a few people e-mail me about an error message, "No fixed disks present...", which they encountered when they ran fdisk. Personally, I did not run into this issue and do not know what is causing it on other people's machines.

Error Message When You Run ScanDisk or Fdisk: No Fixed Disks Present

SYMPTOMS

When you attempt to run the MS-DOS command-line utility fdisk.exe, or when you run ScanDisk from within Windows, you may receive an error message similar to the following:

No fixed disks present.

NOTE: This error message may occur intermittently, and you may receive it even though your computer's hard disk is detected in the computer's Power On Self Test (POST).

CAUSE: This behavior can occur because of any of the following hardware issues:

• The hard disk is defective or too hot.
• The jumper settings on the hard disk are incorrectly configured.
• The hard disk data cable is defective or too long.
• The hard disk controller is defective or incorrectly configured in the computer BIOS.

Thursday, November 30, 2006

How to Easily Copy an Excel formula without changing its cell references

If you copy a formula from one place to another, Excel will want to readjust the references to reflect the change. However, if you want the formulas to stay the same, Mary Ann Richardson can help end the confusion.

When working with a spreadsheet, when you copy a formula to another location, Excel automatically adjusts the cell references in that formula to the new location. If you do not want to have Excel adjust the cell references, you would have to make them absolute before copying them. Or, you could copy the formula to the clipboard as text before pasting it to its new location.

Follow these steps:
1. Click on the cell containing the formula you want to copy.
2. Press [F2].
3. Click and drag to select the entire formula.
4. Click the Copy button in the Standard toolbar.
5. Press [Enter].
6. Select the cell into which you want to paste the formula.
7. Click the Paste button in the Standard toolbar.

When you copy an Excel formula in this manner, the formula copies as text and will not adjust its cell reference. You can also copy part of a formula this way. For example, you may want to include the formula as part of an If statement in another part of the worksheet.

Simple Method to Protect Yourself Against Viruses

Follow these simple steps to keep yourself and your computer virus free.

Purchase and/or download an anti-virus program to spot viruses
Anti-virus software is a must for any computer, connected to the Internet or otherwise. Viruses travel by many means, and the first thing you should do is install software to catch them. Several vendors offer a free anti-virus program for home use.

Update your current anti-virus software
Protection against viruses is only as good as your last update.

Scan for viruses regularly
It's a good idea to scan your system on a regular basis to avoid infection. Most anti-virus software scans files as you open them, but it's still a good idea to run a full scan of your system weekly.

If you do not have an anti-virus product installed on your computer, try using one of the various online virus scanners to scan your system and remove any problems.

Watch out for e-mail attachments
Viruses attached to e-mail are currently the most common and widespread computer viruses. Although some viruses can attack just by opening the e-mail, most won't activate until you open the attachment.

Disable System Restore in Windows ME or Windows XP before cleaning an infection, so that infected copies stored in restore points can be removed properly.

Use a firewall to protect your computer from intruders
The best defense against someone invading your computer is a personal firewall.

Wednesday, November 29, 2006

How to login as Administrator in Windows XP?

How many of us ever realized that the built-in Administrator account is one of the best ways to get your computer back in shape? This built-in Administrator account is hidden from the Welcome Screen whenever another enabled user account with Administrator privileges exists.
This account is mainly useful for looking at what is going on inside the computer. In a troubleshooting process it is very handy, for example when you cannot launch any application while logged in with your own account.

In Windows XP Home Edition you can log in as the built-in Administrator in Safe Mode only. In XP Professional, press CTRL+ALT+DEL twice at the Welcome Screen and enter the Administrator password in the classic logon window that appears. Make sure this account has a strong password: on many installations it is left blank, and it is the first account anyone trying to get into the machine will try.

Tuesday, November 28, 2006

Secret Recipe You Can Use to Recover from a Spyware Attack - Part One - Browser Hijack

At this point I would like to highlight the topic of spyware, since the damage created by this kind of evil thing has become more serious among us. Listed below are some of the tools that I have found to work successfully:

These are:
1. Trend Micro CWShredder: this tool focuses on removing the CoolWebSearch infection, or CWS. CWS attacks your browser and can redirect you to other malicious websites. The many variants of CoolWebSearch "install dozens of bookmarks mostly to porn Web sites on your desktop, change your home page without asking, and continually change it back if you attempt to correct it. Furthermore, it significantly slows down the performance of your PC, and introduces modifications which cause Microsoft Windows to freeze, crash or randomly reboot". They also normally escape most anti-spyware products. However, most known variants of CoolWebSearch can be detected and cleaned by CWShredder.

2. HijackThis is a tool that lists all installed browser add-ons, buttons and startup items and allows you to inspect, and optionally remove, selected items. The program can create a backup of your original settings and can also ignore selected items. Additional features include a simple list of all startup items, the default start page, online updates and more. This program, however, is intended for advanced users: it does not decide for you which entries are malicious.

3. Spybot Search & Destroy can detect and remove spyware of different kinds from your computer. It can also clean usage tracks, an interesting function if you share your computer with other users and don't want them to see what you worked on. For professional users, it allows you to fix some registry inconsistencies and produce extended reports. This wonderful program has many features and is great at keeping spyware out of your system.

4. Ad-Aware SE is a multi-trackware detection and removal utility that will comprehensively scan your system's memory, registry, hard drives, removable drives and optical drives for known malware. Most importantly, no matter what version of Windows you are using, it still works!

Monday, November 27, 2006

Nice Tips for Microsoft Word 2003 Office - Part 2


Working with text and paragraphs cont.

Ctrl+Equal Sign Subscript the selected text
Ctrl+Shift+Plus Sign Superscript the selected text
Ctrl+Shift+Q Apply Symbol font to the selected text
Ctrl+Shift+F Change the selected text's font
Ctrl+Shift+P Change the selected text's font size
Ctrl+Shift+> Increase the selected text's font size to the next preset size in the Font Size list
Ctrl+Shift+< Decrease the selected text's font size to the previous preset size in the Font Size list
Ctrl+] Increase the selected text's font size by one point
Ctrl+[ Decrease the selected text's font size by one point
Shift+Enter Insert a line break
Ctrl+Enter Insert a page break
Ctrl+Shift+Enter Insert a section break
Alt+Ctrl+Minus Sign Insert an em dash
Ctrl+Minus Sign Insert an en dash
Ctrl+Hyphen Insert an optional hyphen
Ctrl+Shift+Hyphen Insert a nonbreaking hyphen
Ctrl+Shift+spacebar Insert a nonbreaking space
Alt+Ctrl+C Insert the copyright symbol
Alt+Ctrl+R Insert the registered trademark symbol
Alt+Ctrl+Period Insert an ellipsis

What to do if WinXP won't boot?

When your computer hardware appears to power up okay, but the Windows XP operating system won't boot properly, you have to begin a troubleshooting expedition that includes getting into the operating system, determining the problem, and then fixing it. To help you get started on this expedition, here are few things you can do when Windows XP won't boot.

1. Bypassing Windows with the Recovery Console
When a Windows XP boot problem is severe, you'll need to use a more drastic approach. The Windows XP CD is bootable and will provide you with access to a tool called Recovery Console.
Solving Startup Problems with the Recovery Console

- Use a recovery console
- fix a corrupt boot.ini
- fix a corrupt master boot record
- disable auto restart
- restore from a backup

NOTE: The Recovery Console can be a powerful tool for finding and fixing certain types of startup problems, but if you don't know exactly what you're doing it can also create new problems that complicate the ones already on your computer, or even completely trash Windows' ability to start. Therefore, use the Recovery Console only when you have detailed instructions for a specific task from a reliable source such as the Microsoft Knowledge Base. The best way to load and use the Recovery Console is to run it directly from the Windows XP CD. To do so, follow these steps:

1. Place the Windows XP CD into the drive.
2. Restart the computer from the CD.
3. At the Welcome to Setup screen, press the R key. The Recovery Console starts and shows a list of Windows installations on your computer. In most cases, there will be just one item in the list.
4. Enter the number of the version you want to use, and press the ENTER key. The Recovery Console will ask for the administrator password.
5. Type the same password you would normally use to log into Windows as an administrator, and press ENTER. If there is no administrator password, just press ENTER. When the Recovery Console accepts the password, it displays a C:\WINDOWS> prompt. To close the Recovery Console, type Exit at the prompt.

2. Perform an In-Place Upgrade
If you can't repair a Windows XP system that won't boot and you don't have a recent backup, you can perform an in-place upgrade. Doing so reinstalls the operating system into the same folder, just as if you were upgrading from one version of Windows to another. An in-place upgrade will usually solve most, if not all, Windows boot problems.

Sunday, November 26, 2006

Windows Registry Editor: REGEDIT

The registry contains a great many Windows settings (and changes continuously), which can be viewed with the Registry Editor. Because many pages on this site (and other websites) contain registry tweaks, you need the Registry Editor to apply them. The Registry Editor is started with the command REGEDIT (Start, Run...; create a shortcut if you use the Registry Editor frequently). Welcome to the world of registry entries!
The most important thing to remember when using the Registry Editor: there is no undo. If you change something, it is permanent unless you made a (partial) registry backup beforehand (File, Export). Worst case: Windows no longer boots. That is no reason to avoid the Registry Editor out of fear of doing something wrong. If you carefully follow the instructions and make sure you are making the right changes, nothing will go wrong. Before you make major changes, it is wise to make a system backup first so that you can repair any damage.

Making changes to the registry
The registry (Start, Run, REGEDIT) contains five root keys: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG. Most registry tweaks target HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE: the first contains settings for the current user account, while the second contains settings for the Windows system as a whole (and changing it requires administrator rights).


Tweaks for the HKEY_CURRENT_USER key can be safely tested by creating an extra user account (Control Panel, User Accounts). Within the new test user account you can test those tweaks and remove the account afterwards. Before you make essential changes to the registry, export the affected keys first to a *.REG file with File, Export in the Registry Editor. Later you can import those registry files with File, Import, or by double-clicking on them in Windows Explorer. This also makes it easy to move registry settings from one computer to another. Be careful with .REG files from untrusted sources: double-clicking one merges everything it contains into your registry, including Run keys that start programs at logon.