The Sasser and Netsky worms are being spread by a very dangerous piece of email spam. Beware of subjects that say something like "The most astonishing photo of you" or "Your friends have sent you thousands of balloons for your birthday". These emails carry worms. In case you didn't know, the Sasser worm is about 20 MB in size and can destroy your whole hard disk very quickly. It also infects network shares, so if the computers on your local network are vulnerable, the infection can spread very fast.
The Sasser and Netsky worms have two things in common: both are prolific computer worms, and both were written by Sven Jaschan.
Falling victim to these worms can be terrible, but there are several solutions. This article discusses them, along with further details about how the Sasser and Netsky worms work.
Understanding How the Sasser and Netsky Worms Work
The Netsky worm was first discovered in 2004. Its "B" variant was the first of its kind to be mass distributed. It is famous for a comment in its code insulting the Mydoom and Bagle worms' authors.
The Sasser worm, on the other hand, infects computers running Windows 2000 and Windows XP. It spreads by exploiting a buffer overrun in the LSASS component of the affected systems. It scans different IP addresses and connects to users' computers via TCP port 445. However, according to Microsoft's analyst, it can also spread via port 139.
How to Get Rid of the Sasser Worm
Follow these steps on how to remove the Sasser worm successfully:
- Disconnect your computer from the internet or LAN.
- End the worm's running programs: open the Windows Task Manager, locate programs with a name such as skynetave.exe, avserve2.exe, and avserve.exe, and click End Task or End Process.
- Activate the Windows XP Firewall.
- Download the latest LSASS vulnerability patches and install them.
- Clear the registry entries: open the Start menu, choose Run, and type in Regedit. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
- Delete the entries below, then close the Registry Editor and delete the compromised files.
* "avserve.exe"="%Windir%\avserve.exe"
* "avserve2.exe"="%Windir%\avserve2.exe"
* "skynetave.exe"="%Windows%\skynetave.exe"
- Reboot your computer and update your antivirus software of choice. Once done, run it and scan to check whether the worm is still in your computer.
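The checks in the steps above can be done in one read-only pass before and after cleanup. The script below is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later is installed, and the function name Get-SasserFinding is hypothetical. It only reports the Run-key values, files, and processes that match the file names listed above and changes nothing.

```powershell
# Added example: read-only audit for the Sasser artifacts named in the steps above.
$names  = 'avserve.exe', 'avserve2.exe', 'skynetave.exe'   # file names from this page
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# Hypothetical helper name; emits one object per finding.
function Get-SasserFinding {
    # Run-key values whose name or data mentions one of the file names.
    $key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            foreach ($n in $names) {
                if ($valueName -like "*$n*" -or $data -like "*$n*") {
                    [pscustomobject]@{ Kind = 'RunKey'; Item = $valueName; Detail = $data }
                    break
                }
            }
        }
    }

    # Files dropped in the Windows directory.
    foreach ($n in $names) {
        $path = Join-Path $env:windir $n
        if (Test-Path -LiteralPath $path) {
            [pscustomobject]@{ Kind = 'File'; Item = $n; Detail = $path }
        }
    }

    # Running processes (Get-Process takes the name without the .exe suffix).
    $procNames = $names -replace '\.exe$', ''
    Get-Process -Name $procNames -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Kind = 'Process'; Item = $_.ProcessName; Detail = "PID $($_.Id)" }
    }
}

$findings = @(Get-SasserFinding)
if ($findings.Count -eq 0) {
    'No Sasser artifacts from the list were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

An empty result only means these three names were not found; it does not replace the antivirus scan in the last step.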
How to Get Rid of the Netsky Worm
Once you have downloaded a file that contains the Netsky worm, ordinary means of deletion will not be enough. You will need to delete it manually, which can be a little tricky but is not impossible. Here are the steps:
- Open your Windows taskbar and click on Task Manager. You can also press the CTRL, ALT, and DEL keys simultaneously to achieve the same result.
- Look for Worm.Win32.Netsky on the Processes tab, then right-click on it and click on End Process. You may also highlight the entry and click the End Process button.
- The next step is to remove the worm from the system registry to prevent it from reappearing. To do this, click on the Windows icon and select Run. Type in Regedit, then click OK to open the Registry Editor.
- Search for HKEY_LOCAL_MACHINE\Software\Worm.Win32.Netsky, right-click on the registry key found in the left pane, then delete it.
- The last step is to check whether it is still there. To do this, press F3 on your keyboard and type in Netsky. If there is any result, delete its reference.
The successful deletion of the Netsky worm is dependent on whether the files are successfully removed from your hard drive.
Final Words
Getting rid of the Sasser and Netsky worms might sound difficult or time-consuming. However, if you carefully follow the steps mentioned above, you are sure to do it quickly. But if you really want to skip the hassle, make sure to have reliable antivirus and anti-malware software.
Summary: Get rid of Sasser and Netsky worms
- First, configure the XP firewall.
- Then, block ports 5554, 3127 and 6129 on your router or firewall if you have one.
- Next, run a full system scan with an updated antivirus program.
- After that, install the latest patches for your operating system.
- Finally, install a reputable firewall program such as ZoneAlarm or Outpost Firewall Pro and keep it running.