Sasser Worm Strikes

Latest worm is slow moving and doesn't use email to spread.

By Roman Loyola

Tech security experts always tell you never to open email attachments without confirmation from the sender. That's because executables sent as mail attachments are commonly used by viruses and worms to spread to other users. The latest worm to be released, Sasser, is an exception: it doesn't spread through email at all.

Sasser spreads by attacking a flaw in Microsoft Windows XP and 2000's Local Security Authority Subsystem Service (LSASS). Windows systems that have applied Microsoft Windows Update patch 835732 are protected against the Sasser worm. Sasser essentially looks for a port vulnerability on a randomly generated IP address. When it finds an opening, it overflows a buffer in LSASS.EXE. Sasser then uses FTP and connects back to the originating computer to download a copy of the worm.

According to early reports, Sasser has infected about 10,000 computers, and new variants are being released. Microsoft has set up an informational website about Sasser.

Remove Sasser

Sasser starts 128 threads that scan randomly chosen IP addresses. Because this process is CPU intensive, your computer will experience performance degradation. In some instances, your computer may be too slow to use. An infected computer will also display LSA Shell errors.
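The scanning behaviour described in the two paragraphs above (a worm probing randomly generated IP addresses from many threads) is also what makes an infected host easy to spot on a network. The following is an added example, not code from the original article or from Microsoft: a small Python detector that reads firewall-style log lines and flags any source address that attempts connections to an unusually large number of distinct destinations on one port within a short window. The log format, the host addresses, the thresholds and the assumption that the probed port is TCP 445 are all constructed for this example; the article itself does not name the port.

```python
"""Flag hosts whose outbound connection pattern looks like Sasser-style random-IP scanning.

Added example for a 2004 article about the Sasser worm. Log format, addresses,
window and threshold are constructed assumptions, not values from the article.
"""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log format: "<iso timestamp> src=<ip> dst=<ip> dport=<port> ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def find_scanners(lines, dport=445, window=timedelta(seconds=60), threshold=40):
    """Return {src: peak_distinct_destinations} for sources that, within any
    sliding window, contacted at least `threshold` distinct destinations on `dport`.

    A worker talking to a couple of file servers repeatedly never reaches the
    threshold; a worm hitting random addresses from 128 threads does so quickly.
    `dport=445` is an assumption for this example (the article names no port).
    """
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != dport:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        counts = defaultdict(int)  # dst -> occurrences inside the current window
        start = 0
        for ts, dst in evs:
            counts[dst] += 1
            # Slide the window: drop events older than `window` before `ts`.
            while evs[start][0] < ts - window:
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged


def build_sample_log():
    """Constructed sample: one scanning host, one normal host, one unrelated line."""
    rng = random.Random(2004)  # fixed seed so the sample is reproducible
    base = datetime(2004, 5, 3, 10, 0, 0)
    lines = []
    # Infected host 10.0.0.5: 60 attempts to pseudo-random addresses within 30 seconds.
    for i in range(60):
        dst = "%d.%d.%d.%d" % tuple(rng.randrange(1, 224) for _ in range(4))
        ts = (base + timedelta(seconds=i // 2)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst={dst} dport=445 proto=tcp action=drop")
    # Normal host 10.0.0.7: repeated sessions to the same two file servers.
    for i in range(20):
        dst = "10.0.0.10" if i % 2 else "10.0.0.11"
        ts = (base + timedelta(seconds=i * 3)).isoformat()
        lines.append(f"{ts} src=10.0.0.7 dst={dst} dport=445 proto=tcp action=accept")
    # Unrelated web traffic on another port is ignored by the detector.
    lines.append(f"{base.isoformat()} src=10.0.0.8 dst=192.0.2.80 dport=80 proto=tcp action=accept")
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(build_sample_log()).items():
        print(f"possible scanner: {src} reached {peak} distinct hosts on port 445 within 60 s")
```

On a real network you would feed this the deny/accept lines from your perimeter or host firewall; because Sasser picks addresses at random, most of its probes land on hosts that do not exist, so a high ratio of dropped connections to distinct destinations from a single internal source is the signature to alert on, and the flagged host is the one to disconnect and clean using the steps below.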

If you think you have the Sasser worm, removal tools are available on the Internet.

You can also remove Sasser manually by following these steps.

  1. Disconnect your computer from the Internet.
  2. Boot in Safe Mode by pressing the F8 key during startup.
  3. Navigate to your Windows directory (c:\WINDOWS or c:\WINNT) on your hard drive.
  4. Look for a file named AVSERVE.EXE. Delete it.
  5. Click on the Start menu and select Run.
  6. Type "regedit" (without quotes).
  7. Navigate to the following Registry key:
  8. In the window on the right, look for a value called avserve. Delete it.
  9. Exit RegEdit.
  10. Reboot.

Protect yourself from Sasser

If you do not have Sasser, or you just removed it from your system, you need to prevent future infection by installing the security update that fixes the LSASS vulnerability. The update is labeled 835732 and is available at Microsoft's Windows Update site.

Microsoft also recommends using a firewall to prevent unwanted Internet traffic from attacking your computer. You can activate the built-in XP firewall using these instructions, or you can use a free third-party firewall such as ZoneAlarm.


Originally posted May 3, 2004