Sasser Worm

• Discovered on 30 April 2004
• Exploits lsass.exe (lsasrv.dll) by buffer overrun

References

• Microsoft Security bulletin MS04-011
• Microsoft Knowledge Base article 835732
• Microsoft Incident Report
• Security Focus bugtraq 10108
• Trend Micro
• Symantec

Affected systems

Most Windows NT based operating systems (2000, XP, etc)

Symptoms

• LSA Shell crashes
• System shutdown timer (60 seconds) initiated by SYSTEM, stating that lsass.exe has crashed
• A FTP window might appear momentarily
• Hosts files (%SystemRoot%\system32\drivers\etc\hosts) filled with many anti-virus web sites pointing to 127.0.0.1
• avserve.exe or avserve2.exe and 12345_up.exe filling %windir% (12345 can be any integer number)
• Difficulties using Internet Explorer and other Internet applications

Solutions

Important

• Activate a firewall or turn off Internet connection before you proceed to the removal.
• After the removal, you still need to update Windows before you resume Internet connection!

Automatic Removal

• Trend Micro Damage Cleanup Service
• Microsoft Sasser removal tool
• Symantec Sasser removal tool

Manual Removal

Abort shutdown

1. If a shut down timer is active, go to Start, Run, type shutdown -a and press Enter.
2. If you do not have shutdown.exe, download it from here.

Stop malware processes

1. Press Ctrl+Alt+Del, (Windows 2000: Click Task Manager), go to Processes tab
2. Find all instances of "avserve.exe", "avserve2.exe" "12345_up.exe" (where 12345 is a number) and End Task all of them.

Safe mode

1. Restart to Safe Mode (Restart your computer (if you don't have "Shut down" in Start Menu, press the Power button once) and press F8 when Windows begins to load)

Remove files

1. Go to your Windows directory (such as C:\Windows)
2. Delete avserve.exe, avserve2.exe (you might not find both), 12345_up.exe (where 12345 is a number)

Remove registry entry

1. Open Registry Editor (Start, Run, regedit, Enter)
2. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
3. Click on the item "avserve.exe" or "avserve2.exe" and delete it.You might not find both of them.

Restore hosts file

1. Go to Start, Run, type notepad %systemroot%\system32\drivers\etc\hosts and press Enter.
2. You should find many lines such as 127.0.0.1 localhost. Remember to scroll down!
3. Delete all lines starting with 127.0.0.1 except 127.0.0.1 localhost.
4. Save the file and exit Notepad

Patches

• Windows 2000 sp2 and above
• Windows XP Home/Professional

Further Preventions

Strong passwords

• All accounts must have passwords. Passwords need to long enough, like 8 characters.

Firewall

• Windows XP has a built-in firewall. At the bare minimum, turn on Windows Firewall. For help, visit here.
• A hardware broadband router is a viable investment

Anti-virus

• Keep the virus pattern file up to date. Here are some popular anti-virus websites:
  • Symantec
  • TrendMicro
  • Panda
  • Grisoft
  • McAfee

Security Patches

• Perform Windows Update - Download and install all Critical Updates

This page is brought to you by

• paultwang
• #VirusHelp @ GalaxyNet team

Disclaimer

The above procedures work in most conditions. However, this is not a guarantee. The resources here are provided "AS IS". Use them at your own risk. We are not responsible if something does not work as expected.