SASSOR WORM

message from LINZ on 2 Jun 2004
HOW DO I GET RID OF THE SASSER WORM IN WINDOWS XP?
 
Shenan Stanley replied to LINZ on 3 Jun 2004
SASSER removal is in here:

BLASTER:
If you have Blaster, the Microsoft-provided information on the matter can be
found here:
http://support.microsoft.com/?kbid=826955

The Microsoft recovery tool to assist you in its removal can be found here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=e70a0d8b-fe98-493f-ad76-bf673a38b4cf&DisplayLang=en
( Shorter Link: http://snipurl.com/3rq0 )

The Symantec Repair utility and manual removal instructions can be found
here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html

The McAfee "Stinger" utility to help remove the pest can be found here:
http://vil.nai.com/vil/stinger/

The patch that would have prevented this whole fiasco for you (XP):
http://www.microsoft.com/downloads/details.aspx?FamilyID=5fa055ae-a1ba-4d4a-b424-95d32cfc8cba&DisplayLang=en
( Shorter Link: http://snipurl.com/2d5x )

SASSER:
If you have Sasser, the Microsoft-provided information on the matter can be
found here:
http://www.microsoft.com/security/incident/sasser.asp

The Microsoft recovery tool to assist you in its removal can be found here:
http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en
( Shorter Link: http://snipurl.com/63mw )

The Symantec Repair utility and manual removal instructions can be found
here:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html

The McAfee "Stinger" utility to help remove the pest can be found here:
http://vil.nai.com/vil/stinger/

The patch that would have prevented this whole fiasco for you (XP):
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
( Shorter Link: http://snipurl.com/64oy )
** You MUST have Windows XP SP1a installed FIRST!

As far as Sasser removal, I have found Microsoft's instructions
(posted on these newsgroups earlier) work wonders (particularly changing
certain files to read-only) and the removal tool and subsequent patches
seem to repair 95% of the problems. True, some people have to ask
friends with CD burners for assistance, but it fixes their issues.

When cleaning a machine that is vulnerable to the Sasser worm, it is
necessary to first prevent the LSASS.EXE process from crashing, which in
turn causes the machine to reboot after a 60-second delay. This reboot
cannot be aborted on Windows 2000 platforms using the Shutdown.exe or
psshutdown.exe utilities and can interfere with the downloading and
installation of the patch as well as removal of the worm.

1. To prevent LSASS.EXE from shutting down the machine during the cleaning
process:

a. Unplug the network cable from the machine
b. If you are running Windows XP you can enable the built-in Internet
Connection Firewall using the instructions found here:
Windows XP
http://support.microsoft.com/?id=283673
and then plug the machine back into the network and go to step 2.
c. If you are running Windows 2000, you won't have a built-in firewall
and must use the following work-around to prevent LSASS.EXE from
crashing.
 
Jupiter Jones [MVP] replied to LINZ on 3 Jun 2004
http://www3.telus.net/dandemar/sasser.htm
 

Archived message: SASSOR WORM (Microsoft Win XP)