How to Remove Sasser worm virus
What is the Sasser worm?
The patch from Microsoft known as the MS04-011 Security Update fixes the following vulnerabilities:
Download the Windows patches for this vulnerability by clicking on the links below:
Visit the following site for patches for Windows NT, Windows XP 64-bit Edition and Windows Server 2003.
What are the Symptoms of the Sasser worm?
When you are infected you'll see a screen similar to the one below. It counts down to zero and then shuts the system down completely. The warning states "This shutdown was initiated by NT AUTHORITY\SYSTEM" and that the system process lsass.exe terminated unexpectedly.
The message may be prefaced by another message:
You can disable this shutdown by following the steps below during the countdown.
This will terminate the shutdown. However, in most cases the system will be too unstable to recover and will need to be rebooted anyway.
How Does Sasser Infect My Computer?
When W32.Sasser.Worm runs, it does the following:
2) Copies itself as to the %Windir% directory. This is usually the C:\WINDOWS or C:\WINNT directory.
3) Adds the
4) Uses the AbortSystemShutdown API to hinder attempts to shut down or restart the computer.
5) Starts an FTP server on TCP port 5554. This server is used to spread the worm to other hosts.
6) Iterates through all the host IP addresses, looking for addresses without any of the following:
one of these IP addresses, the worm then generates a random IP address.
worm can create completely random addresses, any IP range can be
8) Connects to the randomly generated IP address on TCP port 445 to determine if a remote computer is online.
9) If a connection is made to a remote computer, the worm sends shellcode to it, which may cause it to open a remote shell on TCP port 9996.
10) Uses the shell on the remote computer to connect back to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.
11) The Lsass.exe process will crash after the worm exploits the Windows LSASS vulnerability. Windows will display the alert and shut down the system in 1 minute.
a file at C:\win.log that contains the IP address of the computer that
the worm most recently attempted to infect, as well as the number of
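As an added example (not part of the original page), the following Python script checks firewall-style connection records and file names against the propagation pattern described above: bursts of tcp/445 probes, the tcp/9996 remote shell, the tcp/5554 worm FTP server, and the NNNNN_up.exe copy name. The log format, the threshold and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Ports taken from the infection description above.
SMB_PORT = 445            # probed to find live hosts
SHELL_PORT = 9996         # remote shell opened after the LSASS exploit
WORM_FTP_PORT = 5554      # worm's FTP server on the already-infected host

# Worm copy name: four or five digits followed by _up.exe (e.g. 74354_up.exe).
WORM_COPY_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
# Assumed (hypothetical) firewall log format: "<time> <src> -> <dst>:<port> <proto>"
LOG_RE = re.compile(r"^(\S+)\s+([\d.]+) -> ([\d.]+):(\d+)\s+(\w+)$")

def is_worm_copy_name(filename):
    """True if a file name matches the NNNNN_up.exe pattern the worm uses."""
    return bool(WORM_COPY_RE.match(filename))

def find_sasser_hosts(log_lines, min_445_targets=5):
    """Map IP -> list of reasons for hosts whose traffic fits the propagation
    pattern: many distinct tcp/445 targets, tcp/9996 shell connections, or
    serving / fetching a worm copy over tcp/5554."""
    targets_445 = defaultdict(set)
    reasons = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line, skip it
        _, src, dst, port, proto = m.groups()
        if proto.upper() != "TCP":
            continue
        port = int(port)
        if port == SMB_PORT:
            targets_445[src].add(dst)
        elif port == SHELL_PORT:
            reasons[src].append(f"opened remote shell on {dst}:{SHELL_PORT}")
        elif port == WORM_FTP_PORT:
            reasons[dst].append(f"serves worm FTP on tcp/{WORM_FTP_PORT} to {src}")
            reasons[src].append(f"fetched worm copy from {dst}:{WORM_FTP_PORT} (likely newly infected)")
    for src, dsts in targets_445.items():
        if len(dsts) >= min_445_targets:
            reasons[src].append(f"probed {len(dsts)} distinct hosts on tcp/{SMB_PORT}")
    return dict(reasons)

# Constructed sample log lines (not real traffic): one scanning host, one victim.
SAMPLE_LOG = [f"10:00:0{i} 192.168.1.20 -> 10.0.0.{i}:445 TCP" for i in range(1, 6)] + [
    "10:00:06 192.168.1.20 -> 10.0.0.5:9996 TCP",   # shell opened on the victim
    "10:00:07 10.0.0.5 -> 192.168.1.20:5554 TCP",   # victim pulls the worm copy
    "10:00:08 192.168.1.30 -> 192.168.1.1:445 TCP", # a single normal SMB connection
    "10:00:09 192.168.1.31 -> 192.168.1.1:53 UDP",  # ignored, not TCP
]
```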
How Can I Remove the Sasser worm?
Follow these steps to remove the Sasser worm.
1) Disconnect your computer from the local area network or Internet
2) Terminate the running program
3) Activate the Windows XP Firewall (if running Windows XP) or another firewall to prevent the worm from shutting your system down while downloading the patches. To activate the Windows XP firewall, follow these steps.
4) Download and install the patches for the LSASS vulnerability and others.
5) Remove the Registry entries
6) Delete the infected files (for Windows ME and XP remember to turn off System Restore before searching for and deleting these files to remove infected backed up files as well)
7) Reboot the computer and update your antivirus software, and run a thorough virus scan using your favorite antivirus program.
For automatic removal of Sasser, download the Symantec removal tool. You'll still need to download and install the patches above, but the removal tool will stop the Sasser worm from running, remove the items in the registry, and delete the infected files.