
TechProGuild FastAnswer: Sasser worm reboot problem can be delayed

The Sasser worm patch is easily applied to a system connected to the Internet. Unfortunately, an infected system cannot stay connected long enough because it keeps rebooting. This FastAnswer shows you how to delay the reboot so you can apply the patch.


The problem

Sasser is a denial of service (DoS) worm that exploits a flaw in the Local Security Authority Subsystem Service (LSASS) on Windows 2000 and non-64-bit Windows XP machines. IT security pros must install a patch to prevent unattended systems from falling prey to Sasser's destruction. However, administering the patch is a challenge because infected systems keep rebooting before it can be installed.

The cause

Sasser causes a stack-based buffer overflow in certain Active Directory service functions in the LSASRV.DLL file of the LSASS. Applying the patch provided in Microsoft Security Bulletin MS04-011 is the only way to protect your system from reinfection.


Provide your feedback on this version

This is a version of one of TechProGuild's new FastAnswer handouts. The PDF download aims to save you time by eliminating the need to repeatedly research common questions and providing you with a preformatted, step-by-step solution you can pass directly to users or staff. Please send your comments and any recommended revisions to erik.eckel@techrepublic.com.


The solution

Here is how to extend the time before your computer reboots due to the Sasser worm. Keep in mind that you will have only about 20 seconds to complete the steps, and you must already know the system's name before beginning this process:


Tip

To find your computer's name, open Control Panel and click on the System icon.


  1. Disconnect from the Internet.
  2. Restart.
  3. As soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
  4. At the DOS prompt, enter shutdown -i and press [Enter].

This command opens the Remote Shutdown dialog, which is meant for remote administration of other systems; for this process you only need to enter the name of your own computer.

  5. Click Add, enter the name, and then click OK.
  6. Now modify the warning message delay setting from the standard 20 (seconds) to a large number, such as 9999. After patching, you can reset the warning message delay if you wish.

That should temporarily disable the shutdown sequence long enough for you to log on to the Internet and download the patch.

Alternative solution

An alternative method for stopping the reboot cycle on XP-only systems is to enter shutdown.exe -a at the command prompt. That aborts the shutdown process completely and is obviously much faster for XP systems.
