What does the worm try to do in your system:
# Attempts to create a mutex called Jobaka3l and exits if the attempt fails. This ensures that no more than one instance of the worm can run on the computer at any time.
# Copies itself as %Windir%\avserve.exe.
Note: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.
If you run as a Limited User (at least for these couple of days), the worm will NOT have rights to copy itself to the Windows directory and you will be safer.
But if you are too late....
Mitigation Steps for Affected Computers
If your computer is infected with the W32.Sasser.worm, please do the following:
Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
Disconnect the computer from the Internet.
Restart the computer. If you have problems rebooting, reboot in safe mode.
Press CTRL+ALT+DEL.
Click the Task Manager.
Click the Processes tab.
Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
Click the End Task button.
Click Start.
Click Search and then search for and delete the following files:
C:\WINDOWS\avserve.exe
C:\WINDOWS\system32\*_up.exe
Click Start again, click Run, and then type: regedit32
Click OK.
In Registry Editor, locate and delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
Connect the computer to the Internet.
Go to the Windows Update site, and click the Scan for Updates button.
Download and install the critical updates recommended after the scan.
Source:
www.Bink.nu
Threaded Mode
