Remove Sasser worm from your PC and prevent its return
Takeaway: Sasser is proving to be a real problem for many users and is now in its sixth or seventh generation. Fortunately, all of the variants are removed in the same way. Read on to learn about manual removal, removal tools, and how to prevent reinfection.
Sasser is a denial of service (DoS) threat to all versions of Windows 2000 and Windows XP, with the exception of the 64-bit version of XP. These Windows systems have a buffer overrun flaw in the Local Security Authority Subsystem Service (LSASS). While only the W2K and XP operating systems are vulnerable to Sasser, older versions of Windows can run Sasser but can't be infected unless you specifically load the worm code onto the PC.
Current situation
Although German police have apparently rounded up the people who created and initially spread the Sasser worm, the infection itself is continuing to wreak havoc because it infects even unattended systems and will continue to re-infect systems until the underlying vulnerability is patched. However, that is quite a challenge because infected systems keep rebooting, which can make it impossible to download the patch or even explore the Web looking for solutions.
Other than having a properly configured firewall in place (blocking TCP ports 445, 5554, and 9996), applying the patch provided in Microsoft Security Bulletin MS04-011 is the only certain way to protect your system from re-infection.
The reason so many systems remain vulnerable is the bad experience many users have had when installing the patch. Microsoft Knowledge Base Article 835732 covers the known problems with the patch that include a complete shutdown of some Windows 2000 systems due to System process activity and the inability of some users to log onto Windows at all post-patch. There are also problems with Oracle on patched W2K systems. The only significant problem with patched XP systems is the inability to view some graphics files created with Adobe Illustrator.
Preparation
Removing Sasser is a multistep process, with the first problem being how to stop the computer from automatically rebooting long enough to download the patch and/or a removal tool.
Here is the process for all versions of Sasser from A through F as outlined by Symantec; bear in mind that you will only have about 20 seconds to complete the steps:
- Disconnect from the Internet.
- Restart.
- As soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
- At the command prompt enter shutdown -i and press Enter. This opens the dialog used to shut down other systems on the network remotely, but here you need to enter the name of your own computer.
- Click Add, enter the name, and then click OK.
- Now modify the warning message delay setting from the standard 20 (seconds) to a large number such as 9999. After patching you can reset the warning message delay if you wish.
That should temporarily disable the shutdown sequence long enough for you to log onto the Internet and download the patch.
It may come as a surprise to many users who aren't connected to a network that their system has a name, either assigned by someone with Administrator privileges or automatically generated. To find your computer's name, open the Control Panel and click on the System icon. Since you must complete all those bulleted steps within 20 seconds or less, you will need to locate your system's name before beginning this process.
Microsoft's instructions for stopping the reboot cycle on XP systems tell you to simply enter shutdown.exe -a at the command prompt. That aborts the pending shutdown and is obviously much faster if and when it works.
The above steps aren't necessary if you can download and install the patch; they aren't technically part of the Sasser removal process, which is described next.
Removal
You can download a removal tool from Symantec, F-Secure, and other antivirus vendors. Microsoft also has detailed instructions and there is an automated test tool on that page that can show if you have a Sasser infection and remove it. The automated removal tools stop the process, remove the worm files, and clean the Registry—if at all possible you should obtain one of these tools and remove Sasser with it because the manual process is cumbersome, to say the least.
Some of the following manual removal steps (terminating the malicious processes) may be necessary even if you intend to use a removal tool because some systems will be so tied up with Sasser processes that you can't use the computer.
You can improve performance by opening the Task Manager, locating avserve2.exe, avserve.exe, skynetave, and any process whose name begins with a short string of digits followed by _up.exe (for example, XXXXX_up.exe), and then selecting each of those process names and clicking End Process to stop them.
XP comes with an automatic system restore feature that should also be disabled before removing any worm or virus because this is a backup tool that may save a copy of the infection if left running. Symantec has a complete description of the steps required but the basic steps are to go to the Control Panel, System dialog and check the box by Turn Off System Restore.
Manual removal requires that you delete all files identified as part of Sasser by an antivirus program.
The Registry is altered by Sasser, which means you will want to remove the value
"avserve2.exe"="%Windir%\avserve2.exe"
from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
Variants continue
Newsfactor.com has reported that a new infection, Dabber (package.exe), attacks computers through Sasser, removing the Sasser worm and turning the PC into a server and planting a backdoor. Removal instructions for Dabber are found at Symantec, TrendMicro, Panda, and other AV vendor sites.
E Variant
Symantec reports that the E version of Sasser differs from the W32.Sasser.Worm in part as follows:
The process name is SkynetNotice, the file is lsasss.exe, and that name is used in the Registry line instead of avserve. You also need to block ports 1023 and 1022 at the firewall. And instead of XXXXX_up.exe, look for XXXXX_update.exe.
F Variant
The F version of Sasser also differs slightly from previous versions. The process name is billgate, the Sasser file name is napatch.exe, and that name is used in the Registry.
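The process names, file names, Registry entry, and listening ports given above for the A through F variants can be checked in one pass rather than by hand in Task Manager and Regedit. The script below is an added example, not code from the article, Symantec, or Microsoft. It assumes PowerShell 3.0 or later running as Administrator; the listening-port check uses Get-NetTCPConnection, which exists only on Windows 8 / Server 2012 and later and is skipped elsewhere. The indicator names are exactly those the article lists ("SkynetNotice" and "billgate" are included as the article reports them); by default it only reports, and it never deletes files, leaving that to the antivirus removal tool as the article advises.

```powershell
# Added example, not code from the article, Symantec or Microsoft: sweep a Windows
# host for the Sasser indicators the article lists (variants A-F), report them,
# and clean up only when -Remove is given.
# Assumed environment: PowerShell 3.0+, run as Administrator. The port check
# needs Get-NetTCPConnection (Windows 8 / Server 2012 or later) and is skipped
# where that cmdlet is absent.

# Process and file names the article gives for the variants. "SkynetNotice" and
# "billgate" are listed here exactly as the article reports them.
$SasserNames = @('avserve.exe', 'avserve2.exe', 'skynetave.exe', 'lsasss.exe',
                 'napatch.exe', 'SkynetNotice', 'billgate')
# A through D drop <digits>_up.exe; the E variant drops <digits>_update.exe.
$SasserPattern = '^\d+_up(date)?\.exe$'
# Ports the worm itself opens: 5554 and 9996 from the article, 1022/1023 for E.
# TCP 445 is the infection vector but is a normal Windows listener, so it is
# covered by the firewall rule the article recommends and is not flagged here.
$SasserPorts = @(5554, 9996, 1022, 1023)
$RunKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

function Test-SasserName {
    param([string]$Name)
    # Accept a bare process name, a file name or a full path, with or without .exe.
    $base = [System.IO.Path]::GetFileName($Name.Trim('"'))
    if ($SasserNames -contains $base) { return $true }        # -contains ignores case
    if ($SasserNames -contains "$base.exe") { return $true }
    return ($base -match $SasserPattern)
}

function Find-SasserIndicators {
    $hits = @()
    # 1. Running processes (the ones the article says to End Process on).
    foreach ($p in Get-Process) {
        if (Test-SasserName $p.ProcessName) {
            $hits += [pscustomobject]@{ Type = 'Process'; Name = $p.ProcessName; Detail = "PID $($p.Id)" }
        }
    }
    # 2. Run-key values such as "avserve2.exe"="%Windir%\avserve2.exe"; check both
    #    the value name and the file it points at.
    $run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            if ((Test-SasserName $prop.Name) -or (Test-SasserName ([string]$prop.Value))) {
                $hits += [pscustomobject]@{ Type = 'RunKey'; Name = $prop.Name; Detail = $prop.Value }
            }
        }
    }
    # 3. Listeners on the worm's own ports (skipped on systems without the cmdlet).
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $SasserPorts -contains $_.LocalPort }
        foreach ($c in $listeners) {
            $hits += [pscustomobject]@{ Type = 'Port'; Name = "TCP $($c.LocalPort)"; Detail = "PID $($c.OwningProcess)" }
        }
    }
    return $hits
}

function Invoke-SasserSweep {
    param([switch]$Remove)
    $hits = Find-SasserIndicators
    foreach ($h in $hits) {
        Write-Host ("{0,-8} {1,-20} {2}" -f $h.Type, $h.Name, $h.Detail)
        if (-not $Remove) { continue }
        switch ($h.Type) {
            'Process' { Stop-Process -Name $h.Name -Force -ErrorAction SilentlyContinue }
            'RunKey'  { Remove-ItemProperty -Path $RunKey -Name $h.Name -ErrorAction SilentlyContinue }
            # A listener disappears with its owning process; nothing to do for 'Port'.
        }
    }
    if (-not $hits) { Write-Host 'No Sasser indicators found.' }
    # Deleting the dropped files is left to the antivirus/removal tool, as the
    # article advises, so that every file it attributes to Sasser is covered.
}

# Report only; run "Invoke-SasserSweep -Remove" to stop the processes and delete
# the Run-key value once you have a removal tool ready for the files.
Invoke-SasserSweep
```

Run it once in report mode before patching so you know which variant you are dealing with (the _update.exe dropper and ports 1022/1023 point to E, napatch.exe to F), then again with -Remove after the reboot cycle has been stopped with shutdown -a or the shutdown -i delay described earlier. The script does not change firewall settings; the port block on 445, 5554, and 9996 (plus 1022 and 1023 for E) still needs to be applied at the firewall as the article describes.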
For inquiring minds
Sasser and all of its variants have been big news in IT recently. In the spirit of disseminating important information (and because we are curious), TechRepublic would like to know how many members actually had to deal with (or are continuing to deal with) the Sasser worm? How many computers have you personally disinfected for Sasser so far? How much dollar damage, in terms of lost productivity, has this worm caused for your organization? Add your story to the article discussion.