avserve.exe? new virus?

I have ran across this all day here at work.
Customer calls unable to view webpages or download their email.

Looking in the task manager under processes, avserve.exe shows running.
ending task on this process seems to fix the problem with the connection.
Also deleting the file avserve.exe in the windows dir seems to work fine.

Anyone else run across this?

wrequed

 

Just found that this is a virus.
to get rid of it:

ctrl - alt - del, and end avserve.exe - If that is running then u have the virus.
then go to C:\Windows\ and delete the file called avserve.exe
then go to C:\Windows\System32 and delete any files that start with a number and end in _up.exe
eg. 132424_up.exe, 2344_up.exe, 30212_up.exe
Then do a searc of all Hdds for a file called cmd.ftp and delete any if found (make sure search hidden and system folders in on)
Do a windows update and make sure update number 835732 is there or already installed.

hope this helps

wrequed

 

It´s the w32.sasser.worm:

http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://vil.nai.com/vil/content/v_125007.htm
http://www.f-secure.com/v-descs/sasser.shtml

 

Has anyone seen the same type of errors but without the "avserve.exe" loaded up in processes?
I'm seeing this happening. Just curious.....

wrequed

 

If you're on an win2000/XP system first use this security patch
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
After start cleansing.

Other infection? Are you on XP?
All files and extensions showing, none hidden?
Would also advise to post a HijackThis log in the HJT forum here.

Part of the story:
""To propagate, it scans random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.

The resulting overflow allows the malware to listen to TCP port 9996, which instructs it to spawn a command shell. The malware then creates the script file CMD.FTP that contains instructions for the vulnerable system to download and execute a copy of this malware via FTP.

The infected host then opens TCP port 5554 to accept any FTP requests from infected remote systems. The worm copy to be downloaded bears the file name, <random integer>_up.exe (e.g., 12345_up.exe), and is saved in the Windows system directory.

After download, the malware deletes the file CMD.FTP. A log file named WIN.LOG is created in the root directory. This file contains the number of remote systems that the host system were able to infect. ""


You might like to locate the stuff on your system, see it in action, block it and locate the parts where it is for instance with Port Explorer (www.diamondcs.com.au/portexplorer -free demo version available) and to block the sending and kill the processes etc. Might help!