Menu

Search



Using Smart Update and Configuration Groups to Detect and Remove SASSER Worm

Pam
Smart Update (Configuration Groups, Organizational Groups)

The information in this article applies to the following products:

• Prism Deploy 5.0 and above

Summary:

The SASSER worm is infecting Windows 2000, XP and 2003 systems across the world. Microsoft has confirmed that SASSER and its variants exploit the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13, 2004, in Microsoft Security Bulletin MS04-011.

For more detailed information about this threat, please browse to these relevant links on Microsoft’s web site:

http://www.microsoft.com/security/incident/sasser.asp

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

You can use Prism Deploy’s Smart Update technology to determine if systems are infected and if they are patched against SASSER. If you have infected and/or unpatched systems, you can use Command Tasks to patch them and to remove SASSER using free tools provided by the antivirus vendors.

Method:

In your Prism Deploy Channel, create user-defined Configuration Groups to detect systems that are patched/unpatched and infected/not infected against SASSER and its variants. In our example, the Configuration Group rulesets are configured to look for the presence or absence of the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732\Filelist. The presence of this key indicates that an XP system has been patched. The ruleset also checks for variants of the worm’s executable files (avserve.exe, avserve2.exe or skynetave.exe). Here’s the syntax of the ruleset for unpatched, uninfected Windows XP systems:

(OSVersion = OS.Version.WinXP) AND (NOT EXISTS "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB835732\Filelist") AND (NOT EXISTS "%windir%\avserve.exe") AND (NOT EXISTS "%windir%\avserve2.exe") AND (NOT EXISTS "%windir%\skynetave.exe")

You can download New Boundary’s Sasser rulesets here: SasserRulesets

Next, create and assign Tasks to perform the remediation and patching process on infected systems:

  1. On Windows XP systems, first turn off System Restore.* This can be done with a Prism Package that first checks if the target system is running Windows XP. The Package has a reboot property set; you can choose to make the reboot silent or not. You can download New Boundary’s Packages here: SystemRestorePackages
  2. Run the cleanup utility from your antivirus vendor as a Command Task. Our example uses a free cleanup tool released by Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
  3. Turn System Restore back on by assigning a Prism Package to the “not infected” groups. The package is configured to first check that System Restore is off and that the target PC is running Windows XP. It also has a silent reboot property set. Note: If you would like a copy of our packages for System Restore off and on, please contact support@newboundary.com.
  4. Create a Command Task to install the KB835732 patch.

Assign the Tasks to the appropriate Configuration Groups (patching first then remediating). Your target computers will automatically move themselves into and out of Configuration Groups as their status changes, and they will receive the appropriate Tasks for their current status.

Below is a screenshot of a sample Channel.

* Here’s a link discussing System Restore and why it must be turned off before remediation of SASSER: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam

Please contact New Boundary Technical Support if you’d like further assistance: 612-379-1851.


Also In This Category


On a scale of 1-5, please rate the helpfulness of this article


Not Helpful
Very Helpful
Optionally provide your comments to help us improve this article...

Thank you for your feedback!

Add Your Comments
Name:
Email Address:
RadEditor - HTML WYSIWYG Editor. MS Word-like content editing experience thanks to a rich set of formatting tools, dropdowns, dialogs, system modules and built-in spell-check.
RadEditor's components - toolbar, content area, modes and modules
   
Toolbar's wrapper  
Content area wrapper
RadEditor's bottom area: Design, Html and Preview modes, Statistics module and resize handle.
It contains RadEditor's Modes/views (HTML, Design and Preview), Statistics and Resizer
Editor Mode buttonsStatistics moduleEditor resizer
 
 
RadEditor's Modules - special tools used to provide extra information such as Tag Inspector, Real Time HTML Viewer, Tag Properties and other.
   
Verification Code:
Details
Last Modified: 19 Years Ago
Last Modified By: Pam
Type: HOWTO
Article not rated yet.
Article has been viewed 4.6K times.
Options
Customer Support Software By InstantKB 2015-2
Execution: 0.000. 15 queries. Compression Disabled.