What You Should Know About the Sasser Worm
Posted: May 1, 2004
Microsoft teams and law enforcement authorities are investigating reports of a worm, identified as W32.Sasser.worm, that is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue fixed in Microsoft Security Update MS04-011 on April 13, 2004.
Products Affected by This Worm
Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, and Windows 2000 Service Pack 4
Windows XP and Windows XP Service Pack 1
Windows XP 64-bit Edition Service Pack 1
Products Not Affected by This Worm
Windows NT 4.0 Service Pack 6a
Windows XP 64-Bit Edition Version 2003
Windows Server 2003
Windows Server 2003 64-Bit Edition
How to Tell If Your Computer Is Infected
If your computer is infected with W32.Sasser.worm, you may see a dialog box with text that refers to LSASS.exe. Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include systems rebooting every few minutes without user input.
Mitigation Steps for Affected Computers
If your computer is infected with the W32.Sasser.worm, please do the following:
Enable the Windows XP Internet Connection Firewall or a third-party firewall on the affected computer.
Disconnect the computer from the Internet.
Restart the computer. If you have problems rebooting, reboot in safe mode.
Click the Task Manager.
Click the Processes tab.
Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
Click the End Task button.
Click Search and then search for and delete the following files:
Click Start again, click Run, and then type: regedit32
In Registry Editor, locate and delete the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe
Connect the computer to the Internet.
Go to the Windows Update site, and click the Scan for Updates button.
Download and install the critical updates recommended after the scan.
Preventive Steps for Home Users
Customers can protect against this worm by installing Microsoft Security Update MS04-011 immediately.
If you have a computer with Windows XP and have enabled the Windows XP Firewall, you are protected from attacks by this worm. Also, most third-party firewalls will block this attack.