The virus copies itself to the Windows directory as avserve2.exe and creates a registry run key to load itself at startup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "avserve2.exe" = C:\WINDOWS\avserve2.exe
As the worm scans random ip addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win2.log is created on the root of the C: drive. This file contains an IP address.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe
-

Manual Removal Instructions To remove this virus "by hand", follow these steps:

Reboot the system into Safe Mode

(hit the F8 key as soon as the Starting Windows text is displayed, choose Safe Mode.


Delete the file AVSERVE2.EXE from your WINDOWS directory
(typically c:\windows or c:\winnt)

Edit the registry

Delete the "avserve2" value from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Reboot the system into Default Mode

Registry Removal Editing:

Windows98/ME/NT/2000/XP


1. Click the START button, then RUN
2. Type REGEDIT and hit ENTER

http://vil.nai.com/vil/SystemHelpDocs/images/Regedit1.gif

3. Click the + signs next to the desired folder to expand the folder tree branch

http://vil.nai.com/vil/SystemHelpDocs/images/Regedit4.gif

4. Once the desired folder path is visible, double-click on the value name on the right side of the screen (Default in this case)

http://vil.nai.com/vil/SystemHelpDocs/images/Regedit5.gif

5. Enter the desired value and click OK
6. Exit the Registry Editor by clicking on the X in the upper right corner of the Window

7. reboot into normal user mode



Don't format...

Remove it, update Windows and her AV application DAT files...

then scan that sucker...

and do it again...

Unfortunately, John...the sasser bug doesn't appear to be the only thing she has. Besides that, the floppy I told her to create will do the same thing.....although I personally think it will be to no avail...

BTW: you been in the bathroom all this time??

Like your ass is any better!

Boomer jumped on me from behind

...seems to be a lot of 'ass' problems going around tonight...

IPlural, I don't have the worm(my system is totally up-to date)my sister Donna is the one with the huge problem(love them kids) When I phone her later, I will tell her to take her puter to a puter store and get it reformated. This thing is stopping every thing she tries to do and if it has a partner in crime going along with it........there's no chance in h... for a novice puter user to rid these things. Thanks for trying I will instruct Donna over the phone later and we will give it a go(your instructions) but as Gary said.....it most likely won't happen. This is a hard lesson for anyone who doesn't have that patch. All I can say is, UPDATE, UPDATE, UPDATE.......there, I feel better now! Thanks, you guys are the best

now that would be justice wouldn't it

carolelee, something you and everyone including your sister wants installed and running is a registry monitor. Anything that might make it past all other security measures will be caught out as it attempt to modify the registry this way. You can at least stop the final part of a system highjack this way.

I personally have run a number of these utilities but pretty much stick with two running active while using a third to keep my registry in order which I run at least 4 times a month and the fourth I run at least once a month.

Startup Orginizer ( MetaProducts ) runs upon boot up, if anything has modified or attempted to modify the registry and rebooted the system before SO could do anything about it. SO loads up and scans the registry before each item is loaded and upon seeing a change it *asks* you if you wish to allow the change or do you wish to remove it.

AdAware Pro ( Lavasoft ) The Pro version has an active ( seperate application ) Monitor for registry changes.

Spybot Search and Destroy ( freeware ) works well, though I do not run it on a regular basis because active updates can be a slight bother so I run it at least once a month.

SystemMechanic Pro 4.x ( Iolo ) I run this once a week or more to keep my registry compact and clean of trash which lends to a faster system.

The Registry is basically a Database file and as such needs to be re-indexed and compressed to optimized query operations. Bad pointers to missing or corrupt info will drag a Database to it's knees. Then same thing goes with the Windows Registry, when you click upon anything that references the Registry it takes the time to find the references needed and then it loads them. If it is stuck seeking out bogus info, broken links, missing data it will be wasting time and also be slowing down the system while doing this.

anyway...

some thoughts is all

I agree with all of you, as I run all things you mentioned lP. My sis's boyfriend removed their AdAware and Spybot S&D because he thought they were clashing with some downloads It was also just discovered my sis's 14 year old daughter ignores all the updates from Microsoft(she admitted it) So my hope is, my sister pays more attention to that computer and all who play on it She is now driving me nuts and wants me to help get her running again.........ha....good luck, this sucker has a good grip on her system and I'm no expert! What you said Jafo, I agree 100%, throw away the key and he should be made to pay for all the puters he damaged >

I like your thought on this little scum, another way is to hang him up by his short&curlies

What they should do, is make him work on Internet security at slave wages for the next 15 years. And during this time, if he isn''t productive, then we hurt him.

For anyone who thinks they have this or might think about getting one of these, go here http://www.microsoft.com/security/incident/sasser.asp run the scan in step #3(or download it because sasser will take your connection south). If you're not sure if you have the patch for the original, look in 'Add/Remove Programs' for Hotfix 835732. No one is quite sure what's in the newest variant or if, in fact, this idiot released it prior to getting jailed. Stay tuned...

Thanks KarmaGirl for your help, I will let my sister know(she bought her computer at Radio Shack and they did offer to clean it for her for a small fee) I did guide her through safe mode(via telephone) and it wouldn't change anything This worm and possible buddies have a good grip on her system, but I'm sure it will be eliminated.......thanks