Sasser and TCP/UDP Port 445
We have monitored several unsuccessful Sasser worm attempts (current version W32.Sasser.G) against our W2K thin server prototype. Below are basic instructions for locking down port 445 on your machine, which goes a very long way toward deflecting the worm at this time. This is only a workaround: it assumes you are not yet compromised, and that you have applied, or will immediately apply, MS patch 835732 from this link:
Please note that disabling port 445 may interfere with some types of DHCP, ISP and LAN/WAN connections, so make a note of the steps below in case you need to reverse this workaround. In that case you will need a hardware firewall device to properly secure your workstation, but you should also review this alert before purchasing a unit:
The Workaround
Confirm you are not infected: use the Start menu 'Run' function to execute the command 'regedit'. Once the registry editor opens, use Edit > Find and search for 'avserve3.exe', then repeat the search with the terms 'skynetave.exe', 'avserve.exe', 'LSASSS.EXE', 'napatch.exe' and 'wserver.exe' across the complete registry.
- Start>Run: regedit
- Edit>Find: avserve.exe
- Edit>Find: avserve2.exe
- Edit>Find: avserve3.exe
- Edit>Find: skynetave.exe
- Edit>Find: LSASSS.EXE
- Edit>Find: napatch.exe
- Edit>Find: wserver.exe
If any are found, update your anti-virus definitions immediately and run a complete sweep. Depending on your skill level with the registry, you may then need to remove the machine from the network for professional service.
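The Edit > Find loop above has to be repeated once per filename and is easy to get wrong. The following is an added example, not from the original post: it applies the same search to a regedit export (File > Export in regedit, or `regedit /e all.reg`) and reports every key and value whose name or data mentions one of the seven filenames listed above. The sample export embedded in the script is constructed for illustration; the `Run` entry in it is hypothetical and is there only so the scan has something to find.

```python
import re
import sys

# The indicator filenames named in the post; matching is case-insensitive.
WORM_FILENAMES = (
    "avserve.exe", "avserve2.exe", "avserve3.exe", "skynetave.exe",
    "LSASSS.EXE", "napatch.exe", "wserver.exe",
)

# .reg syntax: a key path in square brackets, then "name"=data or @=data lines.
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def scan_reg_export(text):
    """Walk the text of a regedit export and return a list of
    (key_path, value_name, matched_filename) for every value whose
    name or data contains one of WORM_FILENAMES."""
    hits = []
    current_key = None
    needles = [n.lower() for n in WORM_FILENAMES]
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue  # header line, blank line, or hex continuation line
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        haystack = (name + " " + data).lower()
        for original, needle in zip(WORM_FILENAMES, needles):
            if needle in haystack:
                hits.append((current_key, name, original))
                break
    return hits


def scan_reg_file(path):
    """regedit writes exports as UTF-16 with a BOM; decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return scan_reg_export(fh.read())


# Constructed sample export: one benign value, one hypothetical Run entry
# and one hypothetical value whose data points at a listed filename.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"avserve.exe"="C:\\WINNT\\avserve.exe"

[HKEY_CURRENT_USER\Software\Example]
@="nothing to see here"
"Updater"="C:\\Program Files\\Example\\napatch.exe"
'''

if __name__ == "__main__":
    hits = scan_reg_file(sys.argv[1]) if len(sys.argv) > 1 else scan_reg_export(SAMPLE_EXPORT)
    for key, name, indicator in hits:
        print("%s -> %s  [%s]" % (key, name, indicator))
    if not hits:
        print("no indicator filenames found")
```

Run it as `python scan_reg.py all.reg` against a real export; with no argument it scans the constructed sample. A hit only tells you that a listed filename is referenced somewhere in the registry, which is exactly what the manual Find loop tells you, so treat it as the trigger for the definition update and full sweep described above rather than as proof of infection on its own.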
Having confirmed you are not yet infected, exit the registry editor and return to your desktop. Right-click the 'My Computer' icon and choose 'Properties'. Click the 'Hardware' tab and open 'Device Manager'.
Once it is open, choose 'View' and select 'Show Hidden Devices'. Open 'Non-Plug and Play Drivers', right-click 'NetBios over Tcpip' and select 'Properties'. Finally, choose the 'disable' option under the 'Device usage' menu, press OK and reboot when prompted.
- Non-Plug and Play Drivers>NetBios over Tcpip>(RC)properties;
- Device Usage: Do not use this device (disable);
- Press OK and reboot as indicated.
You may also wish to disable NetBIOS from your network icon's Properties menu, and the TCP/IP Helper Service from your Services list, if a DHCP or NetBIOS service error appears in your system event log.
At this point you have shut down NetBIOS and TCP/UDP port 445 completely and, as noted above, this may or may not impact your Internet connection and/or your home network configuration. Neither the worm nor the workaround above has impacted our thin server prototype; however, as most customers and site regulars know, we have several 'special' routines built into Radio Free Dexterdyne in this regard.. :) ..
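After the reboot, the one thing worth checking is that nothing is still bound to port 445. The following is an added example, not from the original post: it reads the output of `netstat -an` (available on Windows 2000) and reports any local address still listening on TCP 445 or bound to UDP 445. The two netstat captures embedded in it are constructed for illustration; the column layout is the Windows one, and the state column is absent for UDP rows.

```python
import re
import sys

# Windows `netstat -an` rows:  Proto  Local Address  Foreign Address  [State]
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def bound_sockets(netstat_text, port=445):
    """Return {'tcp': [...], 'udp': [...]}: the local addresses on which
    `port` is still listening (TCP) or bound (UDP). Established or
    time-wait TCP rows are ignored because they are not listeners."""
    found = {"tcp": [], "udp": []}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, local_addr, local_port, _remote, state = m.groups()
        if int(local_port) != port:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        found[proto.lower()].append(local_addr)
    return found


def port_closed(netstat_text, port=445):
    """True when the workaround took effect: no TCP listener and no UDP binding."""
    sockets = bound_sockets(netstat_text, port)
    return not sockets["tcp"] and not sockets["udp"]


# Constructed capture taken before the workaround: 445 is open on all interfaces.
BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1041      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed capture taken after disabling NetBios over Tcpip and rebooting.
AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    sockets = bound_sockets(text)
    if port_closed(text):
        print("port 445 is closed")
    else:
        print("port 445 still bound: TCP %s UDP %s" % (sockets["tcp"], sockets["udp"]))
```

On the workstation itself, run `netstat -an | python check445.py`; with nothing on stdin the script evaluates the constructed "before" capture. If the TCP listener on 445 survives the reboot, the 'NetBios over Tcpip' driver is still enabled or the change has not yet taken effect, and the Device Manager step above should be repeated.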
If you decide to pass this workaround along, we would greatly appreciate it if you added a link to this page so we can gather feedback on its effectiveness in other Windows 2000 workstation environments.
All the usual disclaimers - Cheers and best wishes.