10-20-2005 06:40 AM - edited 03-15-2019 03:45 AM
Our publisher got a worm. It keeps sending huge traffic out on TCP port 445. It's CCM 3.33sr4a with 2000-2-6. Based on the symptoms it looks like Sasser. It requires MS04-011, but 2000-2-6 contains that already. CCM is still working fine now. We'll patch it with the latest patch and CSA. The weird thing is that the sub is not affected.
Besides the upgrade patch, what else can we do to kill the worm?
10-20-2005 07:12 AM
Go to trendmicro.com. They have a free online scan and it is very good.
10-20-2005 07:23 AM
Also, at symantec.com there is a Sasser removal tool (a small exe) that you download from the website and run locally; it will scan the hard drive for affected files and remove them.
10-20-2005 07:32 AM
You could also use the stinger tool. I would highly recommend upgrading the OS to the latest version and then performing a scan.
10-20-2005 10:34 AM
Are you sure it is a worm?
Do you have NetBIOS over TCP disabled?
If the client has NBT disabled, it will always try to connect to the server at port 445 only. If the server answers on port 445, the session will be established and continue on that port. If it doesn't answer, the session will fail completely.
-Rob
10-25-2005 10:25 AM
Please go ahead and put 2000.2.7 SR7. That should take care of all future issues too.