[identity profile] elobscuro.livejournal.com posting in [community profile] techrecovery
Someone's finally gone and done it... they've made Sasser immortal! Poor luser called in (sounding like he'd just had a fifth of scotch and smoked a pack, then washed it down with some broken glass), and... in the past week or two, we've debugged and reformatted his hard drive, full reformats, mind you, the ones we get to leave for lunch, then come back to finish the call for, at least twice. Sasser is still on his system (not to mention Norton and all his drivers). I consult my immediate higher-up, who shows me the bad mamma-jammin' BIOS level debug script. After it's done, we literally have to remind BIOS that the hard drive is even frelling there. Then I start his format. I'm with another customer when callback time rolls around, but another tech at our location gets the call, and, guess what! Sasser is STILL on his machine! lsass.exe errors and everything. I think I owe the other tech lunch now. Or my firstborn, depending on who calls this guy back tomorrow for round whatever with the Worm That Would Not Die.
So, basically... has anyone else encountered this? Are we all just smoking crack at TCWMNBN? Is his hard drive too frelled up to erase data? Do I just need to get more sleep?

Date: 2004-11-15 01:13 am (UTC)
From: [identity profile] korenwolf.livejournal.com
OK, so the disk has been nuked from orbit and formatted back to the platter. I'm guessing that it's being reinstalled at this point? Buggered install media or leaving the network plugged in during the install / patch cycle?

Date: 2004-11-15 01:39 am (UTC)
From: [identity profile] dr-atheist.livejournal.com
Does this Luser have a sharezone that the worm could be hibernating in?
Also, are you really obliterating the data on the disk, or just formatting? You could try formatting, writing over the disk, then formatting again, then re-installing to make sure the data is gone, not just the filesystem.

Date: 2004-11-15 01:57 am (UTC)
From: [identity profile] fnordx.livejournal.com
It could be in the MBR, but I'm sure you already thought of that. Maybe it's still connected to the internet when the reinstall is going on and it's being nuked remotely each time? Yeah, I'm sure you've already thought of all of that already, but, eh?

Date: 2004-11-15 01:59 am (UTC)
From: [identity profile] twitchfetish.livejournal.com
Make sure he's disconnected from his network/broadband while reinstalling. Download the patch before reinstall so that it's there without having to connect to the net for it.

Sasser and Blaster are both notorious for lurking on ISP proxy servers and places like that...

IV

Date: 2004-11-15 02:02 am (UTC)
From: [identity profile] korenwolf.livejournal.com
Last time I looked, the time to compromise for a fresh unpatched Windows box connected to the net was something like 10 minutes on average.

Date: 2004-11-15 02:23 am (UTC)
From: [identity profile] twitchfetish.livejournal.com
I reinstalled a friend's computer and had Blaster within 30 seconds of connection to broadband. Seriously.

IV

Date: 2004-11-15 02:25 am (UTC)
From: [identity profile] korenwolf.livejournal.com
After nearly eight years riding herd on an ISP network, nothing surprises me anymore.

Date: 2004-11-15 04:25 am (UTC)
From: [identity profile] tsutton.livejournal.com
Unplug the PC from the network. Format, reinstall and then apply the patches before connecting it to the network/Internet.

No, only CoolWebSearch is immortal.

Date: 2004-11-15 04:47 am (UTC)
From: [identity profile] coyoteden.livejournal.com
If his machine is not patched to WinXP SP2, there is a brief period of time, up to a full minute depending on how fast the system boots and what Antivirus software is installed, in which the Windows Firewall is not yet up. Under SP2 no incoming connections are allowed during this time, but pre-SP2 allows all incoming connections. If there's a sasser infected machine in his IP neighborhood, he could get hit that fast.

The only solution is to make sure the network cable is disconnected until the machine is finished booting, until you get SP2 on there.
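As an added example, not something from this thread or any of its commenters: a small Python script that reads Windows Firewall log lines (the `pfirewall.log` layout XP SP2 writes when logging of dropped packets is enabled, which is an assumption here, and which a pre-SP2 box would not have at all) and reports inbound TCP hits on the ports Sasser (445/139, LSASS) and Blaster (135, RPC/DCOM) spread over, with the number of seconds after boot each arrived. The idea is to let an admin see whether a freshly built machine is being probed inside the boot window the comment above describes. The log lines and the boot timestamp are constructed for the example.

```python
from datetime import datetime

# Constructed sample in Windows Firewall (pfirewall.log) format; these are
# not real log lines from the thread. The dst-ip 192.168.1.10 is "our" box.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-11-15 04:47:12 OPEN TCP 192.168.1.10 192.168.1.1 1045 80 - - - - - - - - -
2004-11-15 04:47:31 DROP TCP 192.168.1.77 192.168.1.10 3212 445 48 S 1234567 0 65535 - - - RECEIVE
2004-11-15 04:47:33 DROP TCP 192.168.1.77 192.168.1.10 3213 139 48 S 1234568 0 65535 - - - RECEIVE
2004-11-15 04:49:02 DROP TCP 192.168.1.90 192.168.1.10 4001 135 48 S 2234567 0 65535 - - - RECEIVE
2004-11-15 04:55:40 DROP UDP 192.168.1.5 192.168.1.10 137 137 78 - - - - - - - RECEIVE
"""

# Constructed boot time for the sample machine.
SAMPLE_BOOT_TIME = datetime(2004, 11, 15, 4, 47, 0)

# Ports the worms discussed in the thread spread over: Sasser reached LSASS
# over TCP 445 (and 139); Blaster used the RPC/DCOM port, TCP 135.
WORM_PORTS = {445: "Sasser/LSASS", 139: "Sasser/LSASS", 135: "Blaster/RPC"}

# The comment's "up to a full minute" before the firewall is up on a pre-SP2 box.
BOOT_WINDOW_SECONDS = 60


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def inbound_worm_probes(text, boot_time):
    """Return (seconds_after_boot, src_ip, dst_port, label) for every inbound
    TCP packet aimed at one of the worm ports, in log order."""
    hits = []
    for rec in parse_firewall_log(text):
        if rec["path"] != "RECEIVE" or rec["protocol"] != "TCP":
            continue
        port = int(rec["dst-port"])
        if port not in WORM_PORTS:
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        hits.append(((ts - boot_time).total_seconds(), rec["src-ip"], port, WORM_PORTS[port]))
    return hits


def probes_in_boot_window(text, boot_time, window=BOOT_WINDOW_SECONDS):
    """Only the probes that landed inside the first `window` seconds after boot,
    i.e. before a pre-SP2 firewall would have been filtering anything."""
    return [h for h in inbound_worm_probes(text, boot_time) if 0 <= h[0] <= window]


if __name__ == "__main__":
    for delta, src, port, label in inbound_worm_probes(SAMPLE_LOG, SAMPLE_BOOT_TIME):
        flag = "BOOT WINDOW" if delta <= BOOT_WINDOW_SECONDS else ""
        print(f"+{delta:6.0f}s  {src:15} -> tcp/{port:<3} {label:12} {flag}")
```

In the constructed sample the two LSASS probes from 192.168.1.77 arrive 31 and 33 seconds after boot, which is exactly the gap the comment is worried about; the outbound OPEN line and the NetBIOS UDP line are ignored because only inbound (`RECEIVE`) TCP traffic is of interest here.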

Date: 2004-11-15 05:13 am (UTC)
From: [identity profile] jacobine.livejournal.com
We had a problem with Blaster for a while where we would freshly build a machine and the first thing that would happen would be that it would get Blaster. Before we even got to install the virus scan, which was usually one of the first things we put on. Just the act of going onto the network.... It made using our network installs of Win2K a real pain in the ass.

Re: No, only CoolWebSearch is immortal.

Date: 2004-11-15 06:00 am (UTC)
jecook: (Default)
From: [personal profile] jecook
::covers ears and screams::

We DO NOT mention that spyware's name!!!

Actually, it's more like Gator. I *still* find that on machines, even though the company has changed its name at least once, and the fact that the program is ancient.

I've been extremely lucky at work; I've only run across a few machines that had those worms on them, and they were all systems with outdated A/V software. A quick patch (or 5) and the problem was gone.

At one point, Microsoft offered a free CD which contained all the security updates for 98 and 98SE and possibly ME as well, but apparently too many people took advantage of a free CD. They don't offer it anymore ::sigh:: That was the second CD I stuck in the machine after re-loading it. (At least for 98. I also have XP SP2 on a CD as well.)

Date: 2004-11-15 07:11 am (UTC)
From: [identity profile] c0c0c0.livejournal.com
Write zeros to the drive a few times.

Gateway makes a great little utility (the only thing good that came from that company) called gwscan.

http://pacomputing.org/downloads/gwscan.exe


If that doesn't work, a sledgehammer will.

Date: 2004-11-15 08:11 am (UTC)
From: [identity profile] xdownfornowx.livejournal.com
I remember gwscan. Best way to get a customer off the phone. gwscan is just an HDD diagnostic tool that can also write zeros. The extended test takes an hour, so it's a great break from a whiny customer. To completely obliterate the MBR try this neato trick >>>> mbr be gone (http://www.linuxgazette.com/node/view/2834). Drive will need a complete format after that. I would recommend writing zeros first.
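An added example to go with the "format vs. actually obliterating the data" point above and the two comments before it (write zeros, then wipe the MBR); it is not code from the thread, from gwscan or from the Linux Gazette article. The Python below builds a small constructed disk image with a boot sector carrying the 0x55AA signature and data sectors tagged with a marker string, then shows what survives a quick format (only sector 0 rewritten), a boot-sector wipe (sector 0 zeroed, the "MBR be gone" idea), and a full zero fill with read-back verification. It deliberately works on an image file, not a block device; the zero-fill and verify logic is what a utility like gwscan does to a physical drive.

```python
import os
import tempfile

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
MARKER = b"OLD-FILESYSTEM-DATA"       # constructed stand-in for leftover file data


def build_sample_image(path, sectors=64):
    """Write a constructed image: a boot sector with a valid signature followed
    by data sectors that each start with the marker."""
    with open(path, "wb") as f:
        mbr = bytearray(SECTOR)
        mbr[:4] = b"\xeb\x3c\x90\x00"   # arbitrary boot-code bytes (constructed)
        mbr[510:512] = BOOT_SIGNATURE
        f.write(mbr)
        for i in range(1, sectors):
            sector = bytearray(SECTOR)
            payload = MARKER + b" sector %d" % i
            sector[:len(payload)] = payload
            f.write(sector)


def quick_format(path):
    """Mimic a quick format: rewrite only sector 0 and leave the data area alone."""
    with open(path, "r+b") as f:
        mbr = bytearray(SECTOR)
        mbr[510:512] = BOOT_SIGNATURE
        f.write(mbr)


def wipe_boot_sector(path):
    """Zero only the first sector: old partition table and boot code are gone,
    everything behind them is untouched."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR))


def zero_fill(path, passes=1, chunk=1 << 16):
    """Overwrite the whole image with zeros, `passes` times, syncing each pass."""
    size = os.path.getsize(path)
    for _ in range(passes):
        with open(path, "r+b") as f:
            written = 0
            while written < size:
                n = min(chunk, size - written)
                f.write(bytes(n))
                written += n
            f.flush()
            os.fsync(f.fileno())


def has_boot_signature(path):
    with open(path, "rb") as f:
        return f.read(SECTOR)[510:512] == BOOT_SIGNATURE


def count_marker_sectors(path):
    """How many sectors still begin with the old-data marker."""
    n = 0
    with open(path, "rb") as f:
        while True:
            s = f.read(SECTOR)
            if not s:
                return n
            if s.startswith(MARKER):
                n += 1


def verify_zeroed(path):
    """Read the whole image back; True only if every byte is zero."""
    with open(path, "rb") as f:
        while True:
            block = f.read(1 << 16)
            if not block:
                return True
            if block.count(0) != len(block):
                return False


def demo(path=None):
    """Apply the three approaches in turn and report what survives each one."""
    if path is None:
        with tempfile.TemporaryDirectory() as d:
            return demo(os.path.join(d, "disk.img"))
    build_sample_image(path)
    results = {}
    quick_format(path)
    results["after_quick_format"] = (has_boot_signature(path), count_marker_sectors(path))
    wipe_boot_sector(path)
    results["after_mbr_wipe"] = (has_boot_signature(path), count_marker_sectors(path))
    zero_fill(path, passes=2)
    results["after_zero_fill"] = (has_boot_signature(path), count_marker_sectors(path), verify_zeroed(path))
    return results


if __name__ == "__main__":
    for stage, outcome in demo().items():
        print(stage, outcome)
```

The readback step matters as much as the writing: the first two stages leave all 63 data sectors intact (a quick format only rewrites the bookkeeping, and killing the MBR only makes the old partitions unreachable), and only the zero fill leaves an image that verifies clean end to end.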

Date: 2005-08-23 06:36 pm (UTC)
From: [identity profile] siggy-lxvi.livejournal.com
Yeah, I love GWscan, which was why I snapped up the Ultimate boot CD as soon as I saw that it had 2 versions of GWscan on it. 3.07 has some features that don't exist in 5.09, but 5.09 can support pretty much unlimited HDD size.