clinthammer asked:

avserve.exe big problem - possible unknown virus

Well before I rant I must say that I am an IT professional and my computer is protected with a licensed version of Norton 2004 - updated daily.

Today I found this executable called avserve.exe in the Windows folder - whenever it ran, my internet connection would not go, i.e. I would be connected but IE would give me an error saying it cannot open any pages.

Also in my task manager I found random numeric exe's running, e.g. 3683_up.exe, 21986_up.exe.

Files like these would cause the same internet problems.

Anyone know what this virus is?
clinthammer (ASKER):

Note: am running Windows XP Pro SP1
Hi!

Download HijackThis and install it in a folder of its own - something like C:\HijackThis or C:\Program Files\HJT - not in a temp file or on your Desktop.
Close all browser windows, run it, and post a log file here.
Download it from:
http://www.spychecker.com/program/hijackthis.html
or
http://s89223352.onlinehome.us/mirror/hjt/
Good luck!
Let us know if you have any more trouble. For now, I am going to give you a list of tools originally posted by Sirbounty with some minor modifications.

Check for Spyware/Adware:
  Spybot-S&D 1.3 rc4 --> http://fileforum.betanews.com/detail.php3?fid=1043809773
  Ad-Aware 6 --> http://www.lavasoftusa.com
  HijackThis --> http://www.spychecker.com/program/hijackthis.html
  Web Shredder --> http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

Check for Viruses with online scanners:
  Norton/Symantec --> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
  Trend Micro --> http://housecall.antivirus.com/housecall/start_corp.asp
  Panda ActiveScan --> http://www.pandasoftware.com/activescan/
  McAfee Security --> http://us.mcafee.com/root/mfs/default.asp
  Individual File Scanner --> http://www.kaspersky.com/remoteviruschk.html

Please read this

http://65.54.246.250/cgi-bin/linkrd?_lang=EN&lah=340cc3565d36479928130e9b8657736b&lat=1083444362&hm___action=http%3a%2f%2fvil%2enai%2ecom%2fvil%2fcontent%2fv_125007%2ehtm

This is the latest worm, discovered on 4/30/04, and McAfee has files which you can download from the following link and run on your computer to get rid of that worm as well as some other worms.

http://vil.nai.com/vil/stinger/

Now since you have Win XP, you have to take extra care which is described in that link.

All the best !!

PS
I fixed it myself - before McAfee and Norton gave their fixes :) - that's what 2 hrs of work did. I will never reformat - I'd rather die than let a virus control my PC :)
avserve.exe is a sasser variant
http://www.microsoft.com/security/incident/sasser.asp
http://www.f-secure.com/v-descs/sasser.shtml

I can see we're in for a big one here, experts :)
Well, I probably screwed everything up now but I hadn't read this before having the problem and attempting a fix.  I just went into the task manager and told it to end the process.  That allowed me to get the computer working like it should.  I then searched for the avserve.exe on the hard drives and deleted them.  My computer seems to work ok now but I'm concerned that I might have gone about it in the wrong way.  Did a SpyBot check and found 38 spywares.  It cleaned all of them except a "TSCASH".  Can't seem to get that one off the computer.  If I've made any major mistakes, please let me know.  Hope everyone has good luck on getting rid of this nasty little worm.
No you didn't screw anything up.

BUT

Ending avserve.exe will not fix the problem. The avserve.exe is also an entry in the registry. Even if you delete this avserve.exe file from hard drive and registry, it will come back unless you have the patch from Microsoft.

Also note that avserve.exe creates random exe files such as 123_up.exe. All the exe files it creates have "_up.exe" at the end of their name.

You need:
1. The patch from Microsoft.
2. Update your virus definition files.

What antivirus program do you employ on your computer?


Trust me deleting avserve.exe without the patch is fruitless. It will come back over and over (it did to me for 2 hrs) and bite you in the ass :(
I appreciate your reply Clinthammer.  I was using Symantec Norton Systemworks but it kept saying my hard drives were 90+% fragmented when they weren't.  I removed that and just went to AVG virus protection.  I will make sure the MS patch is installed just as soon as I get it back to the office and my internet connection.  Until then, I will do a search for "_up.exe" files.

How do you feel about the "SystemSuite" programs as a replacement for the Norton Systemworks?  I've read that it actually is a better program but being retired and always a day late and a dollar short, I'm concerned that it's just hype and might not work as well as what I have now.

Again, thanks for the information and I will act on it immediately.

Respectfully,
Tom McCormick
Well I trust Norton - it wasn't their fault they didn't pick up the virus... No other sites - McAfee, AVG, NOD32, Panda Software, PC-cillin - picked it up either...

It was just my luck (bad luck rather) that I got it before any AV site reported it. Two hours after my unsuccessful attempts, the virus was reported...
The virus copies itself to the Windows directory as avserve.exe and creates a registry Run key to load itself at startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe

As the worm scans random IP addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win.log is created on the root of the C: drive.  This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples

c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe
A side-effect of the worm is that LSASS.EXE crashes; by default such a system will reboot after the crash occurs. The following window may be displayed:
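A host-triage check built from the indicators quoted in this thread (an added example, not code from any poster or vendor): it takes a constructed snapshot of the Run key values, file listing and listening TCP ports of a host and flags the avserve.exe persistence entry, the numbered _up.exe copies, the C:\win.log marker and the worm's ports. The threshold of three consecutive listeners from 1068 is an assumption, not a figure from the thread.

```python
import re

# Indicators as quoted in the thread for the avserve.exe (Sasser) worm.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
DROPPED_COPY = re.compile(r"^[a-z]:\\windows\\system32\\\d+_up\.exe$", re.IGNORECASE)
WORM_PORTS = {5554: "FTP server used to transfer the worm", 9996: "remote shell"}
SCAN_PORT_BASE = 1068     # the worm listens on successive ports from here
SCAN_RUN_THRESHOLD = 3    # assumed threshold: this many in a row is suspicious


def consecutive_run(ports, base):
    """Length of the unbroken run of listening ports base, base+1, base+2, ..."""
    have = set(ports)
    n = 0
    while base + n in have:
        n += 1
    return n


def triage(run_values, files, listening_ports):
    """Return a list of findings for one host snapshot.

    run_values      -- {value name: command} read from the Run key
    files           -- full paths of files found on disk
    listening_ports -- TCP ports currently in LISTENING state
    """
    findings = []
    for name, command in run_values.items():
        if command.strip('"').lower().endswith("\\avserve.exe"):
            findings.append(f"persistence: {RUN_KEY}\\{name} = {command}")
    for path in files:
        if path.lower().endswith(r"\windows\avserve.exe"):
            findings.append(f"worm binary: {path}")
        elif DROPPED_COPY.match(path):
            findings.append(f"dropped copy: {path}")
        elif path.lower() == r"c:\win.log":
            findings.append(f"worm marker file: {path}")
    for port in sorted(set(listening_ports) & set(WORM_PORTS)):
        findings.append(f"listener on TCP {port}: {WORM_PORTS[port]}")
    run = consecutive_run(listening_ports, SCAN_PORT_BASE)
    if run >= SCAN_RUN_THRESHOLD:
        findings.append(f"{run} consecutive listeners from TCP {SCAN_PORT_BASE}: scanning")
    return findings


# Constructed sample snapshot (not a real capture), using the thread's example names.
SAMPLE_RUN = {"avserve.exe": r"C:\WINDOWS\avserve.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\avserve.exe", r"c:\WINDOWS\system32\11583_up.exe",
                r"c:\WINDOWS\system32\16913_up.exe", r"C:\win.log",
                r"C:\WINDOWS\system32\notepad.exe"]
SAMPLE_PORTS = [135, 445, 1068, 1069, 1070, 1071, 5554, 9996]

if __name__ == "__main__":
    for line in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_PORTS):
        print(line)
```

A clean host should produce an empty list; the constructed snapshot produces eight findings, one per indicator.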

ASKER CERTIFIED SOLUTION
Netminder

If you apply the following three security measures to your computer, you should be ok:

1. Keep updated antivirus software on your computer with "Autoprotect" enabled.

2. Very frequently check for and apply critical updates to your O/S.

3. Use a software and/or hardware firewall.

This should be considered as a MINIMUM security measure against Hackers and viruses.


The worm operates as described by clinthammer.  I have removed it from my PC using the instructions at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

It deleted 84 files and 1 registry entry.

DO NOT FORGET TO TURN RESTORE BACK ON AGAIN AFTER FOLLOWING INSTRUCTIONS FOR XP.

Good Luck