Solved

avserve.exe big problem - possible unknown virus

Posted on 2004-05-01
Last Modified: 2010-04-11
Well before I rant I must say that I am an IT professional and my computer is protected with a licensed version of Norton 2004 - updated daily.

Today I found this executable called avserve.exe in the Windows folder - whenever it ran, my internet connection would not go, i.e. I would be connected but IE would give me an error saying it cannot open any pages.

Also in my task manager I found random numeric exes running, e.g. 3683_up.exe, 21986_up.exe

Files like these would cause the same internet problems..

Anyone know what this virus is?
Question by:clinthammer
18 Comments
 

Author Comment

by:clinthammer
ID: 10966458
Note: am running Windows xp pro sp1
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 10966578
Hi!

Download HijackThis and install it in a folder of its own - something like C:\HijackThis or C:\Program Files\HJT - not in a temp file or on your Desktop.
Close all browser windows, run it, and post a log file here.
Download it from:
http://www.spychecker.com/program/hijackthis.html
or
http://s89223352.onlinehome.us/mirror/hjt/
Good luck!
0
 
LVL 2

Expert Comment

by:LeftofCool
ID: 10968633
Let us know if you have any more trouble. For now, I am going to give you a list of tools originally posted by Sirbounty with some minor modifications.

Check for Spyware/Adware:
  Spybot-S&D 1.3 rc4 -->  http://fileforum.betanews.com/detail.php3?fid=1043809773
  Ad-Aware 6 --> http://www.lavasoftusa.com
  HijackThis -->http://www.spychecker.com/program/hijackthis.html
  Web Shredder -->http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder

Check for Viruses with online scanners:
  Norton/Symantec --> http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
  Trend Micro --> http://housecall.antivirus.com/housecall/start_corp.asp
  Panda ActiveScan --> http://www.pandasoftware.com/activescan/
  McAfee Security --> http://us.mcafee.com/root/mfs/default.asp
  Individual File Scanner --> http://www.kaspersky.com/remoteviruschk.html

0
 

Expert Comment

by:paragkshah
ID: 10969051
Please read this

http://65.54.246.250/cgi-bin/linkrd?_lang=EN&lah=340cc3565d36479928130e9b8657736b&lat=1083444362&hm___action=http%3a%2f%2fvil%2enai%2ecom%2fvil%2fcontent%2fv_125007%2ehtm

This is the latest worm discovered on 4/30/04, and McAfee has files which you can download from the following link and run on your computer to get rid of that worm as well as some other worms.

http://vil.nai.com/vil/stinger/

Now since you have Win XP, you have to take extra care which is described in that link.

All the best !!

PS
0
 

Author Comment

by:clinthammer
ID: 10970360
I fixed it myself - before McAfee and Norton gave their fixes :) - that's what 2 hrs of work did. I will never reformat - I'd rather die than let a virus control my PC :)
0
 
LVL 3

Expert Comment

by:zapthedingbat
ID: 10978883
avserve.exe is a Sasser variant
http://www.microsoft.com/security/incident/sasser.asp
http://www.f-secure.com/v-descs/sasser.shtml

I can see we're in for a big one here, experts :)
0
 

Expert Comment

by:Captain315
ID: 10982806
Well, I probably screwed everything up now but I hadn't read this before having the problem and attempting a fix.  I just went into the task manager and told it to end the process.  That allowed me to get the computer working like it should.  I then searched for the avserve.exe on the hard drives and deleted them.  My computer seems to work ok now but I'm concerned that I might have gone about it in the wrong way.  Did a SpyBot check and found 38 spywares.  It cleaned all of them except a "TSCASH".  Can't seem to get that one off the computer.  If I've made any major mistakes, please let me know.  Hope everyone has good luck on getting rid of this nasty little worm.
0
 

Author Comment

by:clinthammer
ID: 10983712
No you didn't screw anything up.

BUT

Ending avserve.exe will not fix the problem. The avserve.exe is also an entry in the registry. Even if you delete this avserve.exe file from hard drive and registry, it will come back unless you have the patch from Microsoft.

Also note that avserve.exe created random exe files such as 123_up.exe. All the exe files it creates have "_up" as part of their name, i.e. "_up.exe".

You need:
1. The patch from Microsoft
2. update your virus definition files.

What antivirus program do you employ on your computer?


Trust me, deleting avserve.exe without the patch is fruitless. It will come back over and over (it did to me for 2 hrs) and bite you in the ass :(
0
 

Expert Comment

by:Captain315
ID: 10985335
I appreciate your reply Clinthammer.  I was using Symantec Norton Systemworks but it kept saying my hard drives were 90+% fragmented when they weren't.  I removed that and just went to AVG virus protection.  I will make sure the MS patch is installed just as soon as I get it back to the office and my internet connection.  Until then, I will do a search for "_up.exe" files.

How do you feel about the "SystemSuite" programs as a replacement for the Norton Systemworks?  I've read that it actually is a better program but being retired and always a day late and a dollar short, I'm concerned that it's just hype and might not work as well as what I have now.

Again, thanks for the information and I will act on it immediately.

Respectfully,
Tom McCormick
0
 

Author Comment

by:clinthammer
ID: 10985445
Well, I trust Norton - it wasn't their fault they didn't pick up the virus... None of the other sites - McAfee, AVG, NOD32, Panda Software, PC-cillin - picked it up either...

It was just my luck (bad luck rather) that I got it before any AV site reported it. Two hours after my unsuccessful attempts, the virus was reported...
0
 

Author Comment

by:clinthammer
ID: 10985454
The virus copies itself to the Windows directory as avserve.exe and creates a registry run key to load itself at startup:

 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe

As the worm scans random IP addresses it listens on successive TCP ports starting at 1068. It also acts as an FTP server on TCP port 5554, and creates a remote shell on TCP port 9996.

A file named win.log is created in the root of the C: drive. This file contains the IP address of the localhost.

Copies of the worm are created in the Windows System directory as #_up.exe.

Examples:

c:\WINDOWS\system32\11583_up.exe
c:\WINDOWS\system32\16913_up.exe
c:\WINDOWS\system32\29739_up.exe

A side-effect of the worm is for LSASS.EXE to crash; by default such a system will reboot after the crash occurs. The following window may be displayed:

0
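The indicators clinthammer lists above (the Run key value, the numbered #_up.exe droppers in the System directory, the TCP 5554 FTP server and TCP 9996 remote shell, and C:\win.log) are exactly what an administrator wants to check for before and after cleanup, and, as clinthammer also notes in the earlier reply, finding and deleting them is only useful once the Microsoft LSASS patch (MS04-011) is on the box, since otherwise the worm simply reinfects. The script below is an added example written for this page, not code from the thread, from McAfee or from Symantec. It encodes those indicators as pure functions that run over constructed sample data (the file list, Run-key values and netstat text below are made up for the demo), with an optional --live mode that collects the same inputs from a running Windows host via winreg, the System32 directory listing and netstat -an. Assumptions not stated in the thread: the Run value is matched case-insensitively on the substring "avserve", and the netstat text is in the standard "netstat -an" column layout.

```python
"""Sasser (avserve.exe) indicator triage - added example, not from the thread."""
import os
import re
import subprocess
import sys

# Dropper copies are named <digits>_up.exe in the System directory.
UP_EXE_RE = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_PORTS = {5554: "FTP dropper server", 9996: "remote shell"}
# Matches a LISTENING line of "netstat -an" output, e.g. "TCP 0.0.0.0:5554 0.0.0.0:0 LISTENING"
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)

# Constructed sample inputs for the demo (not captured from a real host).
SAMPLE_FILES = ["11583_up.exe", "notepad.exe", "29739_up.exe", "_up.exe", "update.exe"]
SAMPLE_RUN = {
    "avserve.exe": r"C:\WINDOWS\avserve.exe",
    "ccApp": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
}
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.0.5:1068       10.4.22.9:445          SYN_SENT
"""


def find_up_exe(names):
    """Return the dropper-style names (<digits>_up.exe) from a list of file names."""
    return sorted(n for n in names if UP_EXE_RE.match(n))


def find_run_entries(run_values):
    """run_values maps Run-key value name -> command; keep entries referring to avserve."""
    return {k: v for k, v in run_values.items()
            if "avserve" in k.lower() or "avserve" in v.lower()}


def listening_ports(netstat_text):
    """Parse 'netstat -an' text and return the set of listening TCP ports."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def sasser_indicators(file_names, run_values, netstat_text, win_log_present):
    """Combine all checks into a list of human-readable indicator hits."""
    hits = []
    for name in find_up_exe(file_names):
        hits.append(f"dropper file in System directory: {name}")
    for name, cmd in find_run_entries(run_values).items():
        hits.append(f"Run key value: {name} = {cmd}")
    for port in sorted(listening_ports(netstat_text) & set(WORM_PORTS)):
        hits.append(f"listener: TCP {port} ({WORM_PORTS[port]})")
    if win_log_present:
        hits.append("C:\\win.log present")
    return hits


def collect_live():
    """Gather the same inputs from a running Windows host (Windows only)."""
    import winreg  # Windows-only module, imported lazily
    system_root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    files = os.listdir(os.path.join(system_root, "system32"))
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = str(value)
            i += 1
    netstat = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    win_log = os.path.exists(os.environ.get("SystemDrive", "C:") + "\\win.log")
    return files, run_values, netstat, win_log


if __name__ == "__main__":
    if "--live" in sys.argv and sys.platform == "win32":
        hits = sasser_indicators(*collect_live())
    else:
        hits = sasser_indicators(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_NETSTAT, True)
    print("\n".join(hits) or "no Sasser indicators found")
```

Run it with no arguments to see the checks fire on the constructed sample; run it with --live on a Windows host to check the real System32 listing, Run key and netstat output. An empty result after cleanup is only meaningful if the LSASS patch is installed, otherwise the listeners and droppers reappear on the next scan hit, as the thread describes. Note that the numbered droppers require digits before "_up.exe", so a bare "_up.exe" is deliberately not flagged.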
 
LVL 5

Accepted Solution

by:
Netminder earned 0 total points
ID: 11037822
User resolved; closed, 500 points refunded.

Netminder
Site Admin
0
 

Expert Comment

by:wat0114
ID: 11065858
If you apply the following three security measures to your computer, you should be ok:

1. Keep updated antivirus software on your computer with "Autoprotect" enabled.

2. Very frequently check for and apply critical updates to your O/S.

3. Use a software and/or hardware firewall.

This should be considered as a MINIMUM security measure against hackers and viruses.
0
 

Expert Comment

by:CJPayne
ID: 11110623


The worm operates as described by clinthammer.  I have removed it from my PC using the instructions at:

http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

It deleted 84 files and 1 registry entry.

DO NOT FORGET TO TURN RESTORE BACK ON AGAIN AFTER FOLLOWING INSTRUCTIONS FOR XP.

Good Luck
0