Important!
Make it a habit to regularly check the HAL-PC homepage or www.hal-pc.org/support/virus.html for updated information and links to removal tools.

Sasser Internet Worm is Spreading

This new threat can spread to your computer without e-mail by exploiting another critical security vulnerability in versions of Microsoft Windows 2000 and XP.

How can you tell if your computer is infected with the W32.Sasser.worm? Unfortunately, you may see a dialog box whose text refers to LSASS.exe, or you may see no symptoms at all. Others whose PCs are not infected may experience problems because the worm is attempting to attack their computers; a typical symptom of that condition is the computer rebooting every few minutes without user input.

Microsoft teams are investigating reports of this worm and its variants, and have verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue addressed in the Microsoft Security Update MS04-011 (KB835732) on April 13, 2004 (see www.microsoft.com/security/security_bulletins/200404_windows.asp).

What actually happens is that the worm copies itself to the Windows folder with the filename avserve.exe and sets the following registry key to auto-start on user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe

Then the worm attempts to connect out on ports TCP/9996 and TCP/445 and exploit the LSASS vulnerability. An FTP script is then downloaded and executed on the newly attacked computer, which connects back on port TCP/5554 to download a copy of the worm via FTP.
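The traffic pattern just described (an inbound connection on TCP/445 or TCP/9996, followed by the attacked machine connecting back to the attacker on TCP/5554) is something a firewall log can reveal. The script below is an added example written for this page, not a Microsoft tool or part of the original article. It assumes the Windows XP firewall log format (the W3C-style "date time action protocol src-ip dst-ip src-port dst-port ..." lines written to pfirewall.log) and that log lines from several machines, or from a perimeter device, have been gathered into one file. The sample log lines and addresses are constructed for the example.

```python
"""Added example: correlate Windows XP firewall log lines against the Sasser
traffic pattern described in the article (TCP/445 or TCP/9996 in, then
TCP/5554 back out).  The sample log is constructed, not a real capture."""
from collections import defaultdict
from typing import NamedTuple, Optional

# Ports taken from the article: 445 and 9996 carry the LSASS attack, and
# 5554 is the FTP port the attacked machine connects back to.
ATTACK_PORTS = {445, 9996}
CALLBACK_PORT = 5554
SCAN_THRESHOLD = 3   # distinct hosts hit on an attack port before a source counts as scanning


class Conn(NamedTuple):
    ts: str
    action: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_firewall_log(lines):
    """Parse pfirewall.log-style lines. Header lines start with '#'; only TCP
    records are kept, since the pattern we look for is entirely TCP."""
    conns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or f[3] != "TCP":
            continue
        try:
            conns.append(Conn(f"{f[0]} {f[1]}", f[2], f[3], f[4], f[5],
                              int(f[6]), int(f[7])))
        except ValueError:
            continue   # port fields are '-' for non-TCP/UDP records
    return conns


def correlate_sasser(conns):
    """Return (scanners, likely_infected).

    scanners: sources that opened attack-port connections to at least
              SCAN_THRESHOLD distinct hosts (worm propagation behaviour).
    likely_infected: (victim, attacker) pairs where the attacker hit the
              victim on an attack port and the victim later connected back
              to the attacker on the callback port (the FTP download step).
    """
    targets = defaultdict(set)       # src -> hosts it hit on 445/9996
    attacked_by = defaultdict(set)   # dst -> sources that hit it
    likely_infected = set()
    for c in conns:                  # log order is time order
        if c.dport in ATTACK_PORTS:
            targets[c.src].add(c.dst)
            attacked_by[c.dst].add(c.src)
        elif c.dport == CALLBACK_PORT and c.dst in attacked_by[c.src]:
            likely_infected.add((c.src, c.dst))
    scanners = sorted(s for s, t in targets.items() if len(t) >= SCAN_THRESHOLD)
    return scanners, sorted(likely_infected)


# Constructed sample: 10.0.0.7 sweeps three hosts on 445, finishes the
# attack on 10.0.0.23 via 9996, and 10.0.0.23 fetches the worm over 5554.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Internet Connection Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-05-01 10:00:01 OPEN TCP 10.0.0.7 10.0.0.21 1031 445 - - - - - - - -
2004-05-01 10:00:01 OPEN TCP 10.0.0.7 10.0.0.22 1032 445 - - - - - - - -
2004-05-01 10:00:02 OPEN TCP 10.0.0.7 10.0.0.23 1033 445 - - - - - - - -
2004-05-01 10:00:02 OPEN TCP 10.0.0.7 10.0.0.23 1034 9996 - - - - - - - -
2004-05-01 10:00:03 OPEN TCP 10.0.0.23 10.0.0.7 1040 5554 - - - - - - - -
2004-05-01 10:00:05 OPEN TCP 10.0.0.30 10.0.0.21 1201 445 - - - - - - - -
2004-05-01 10:00:06 OPEN TCP 10.0.0.21 10.0.0.5 1300 80 - - - - - - - -
2004-05-01 10:00:07 DROP ICMP 10.0.0.9 10.0.0.21 - - 60 - - - - 8 0 -
"""


def report(lines: Optional[list] = None):
    """Run the parser and correlation over the given lines (default: sample)."""
    if lines is None:
        lines = SAMPLE_LOG.splitlines()
    scanners, infected = correlate_sasser(parse_firewall_log(lines))
    return {"scanners": scanners, "likely_infected": infected}


if __name__ == "__main__":
    print(report())
```

A single host hitting one neighbour on 445 is normal file sharing, which is why the scanner rule needs several distinct targets; the callback rule is the stronger signal, because ordinary traffic has no reason to answer an inbound 445 connection with an outbound connection to port 5554 on the same peer.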

To remove Sasser and its variants from your computer, you should do the following:

Enable a Firewall

First, enable a firewall on the affected computer. Before you take other steps, make sure you have a firewall activated to help protect your computer against this kind of infection. If your computer has been infected, activating firewall software first will help limit the effects of the worm on your computer. There is a comprehensive guide to installing and enabling a firewall on the Microsoft “Protect Your PC” site at www.microsoft.com/security/protect/.

Then disconnect the computer from the Internet and restart the computer. If you have problems rebooting, reboot in safe mode. Do all of the following steps in this order to find and end the tasks related to the worm and remove them.

  1. Press CTRL+ALT+DEL.
  2. Click Task Manager.
  3. Click the Processes tab.
  4. Press and hold the CTRL key and then click C:\WINDOWS\avserve.exe and c:\WINDOWS\system32\*_up.exe.
  5. Click the End Task button. These steps end the processes that are already running, but they do not remove the files. So if you restart your system without completing the removal steps below, they will load again.
  6. Click Start.
  7. Click Search to find and delete the following files: C:\WINDOWS\avserve.exe and C:\WINDOWS\system32\*_up.exe. This step actually removes the files themselves.
  8. Click Start again, click Run, and then type: regedt32
  9. Click OK.
  10. In Registry Editor, locate and delete the following value under the Run key (delete only the avserve.exe value, not the whole Run key, or other programs that start at logon will stop loading):

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "avserve.exe" = C:\WINDOWS\avserve.exe

Install the Required Update

Now you can connect the computer to the Internet again to go to the Windows Update site (windowsupdate.microsoft.com/), and click the Scan for Updates button. Download and install the critical updates recommended after the scan.

To protect your computer against the Sasser worm and its variants, you must specifically download and install the Microsoft Security Update MS04-011 from www.microsoft.com/security/security_bulletins/200404_windows.asp.

Removal Tool

Microsoft provides a tool for Windows 2000 and Windows XP that searches your hard drive for the Sasser worm and its variants and tries to remove them (KB841720). You can download it manually from www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en or click “Check My PC for Infection” on the www.microsoft.com/security/incident/sasser.asp page.

Important! To use this tool, you must have already installed the MS04-011 update. That’s a little tricky if you’re already infected, so you must follow these steps carefully.

Preventive Steps

To protect against this worm on systems that have not been infected, go to www.microsoft.com/technet/security/bulletin/ms04-011.mspx and install the Microsoft Security Update MS04-011 immediately. If you have a computer with Windows XP and have enabled the Windows XP Firewall or a third-party (software or hardware) firewall on any Windows OS, Microsoft says that you should be protected from attacks by this worm.

However, if you don’t have a firewall set up, go to the interactive page at www.microsoft.com/security/protect/ to view the specific steps and recommendations for your operating system, and make your computer more resistant to this type of attack when connecting to the Internet.

Check for other problems

Another tool from Microsoft is the Microsoft Baseline Security Analyzer (MBSA). MBSA Version 1.2 runs on Windows 2000 and XP with either a graphical or a command-line interface and can perform local or remote scans of Windows systems. The tool will scan for common system misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS), SQL Server, Internet Explorer, and Office. MBSA 1.2 will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS, SQL Server, IE, Exchange Server, Windows Media Player, Microsoft Data Access Components (MDAC), MSXML, Microsoft Virtual Machine, Commerce Server, Content Management Server, BizTalk Server, Host Integration Server, and Office. The MBSA can be found at download.microsoft.com/download/d/7/5/d757ff81-4f97-4a6d-a9d8-edea72363aa8/MBSASetup-en.msi.

Don’t let your guard down; this is a never-ending problem.