Sasser
is a network worm that affects all versions of Windows 2000 and Windows
XP, with the exception of the 64-bit version of XP. These Windows systems have
a buffer overrun in LSASS, the Local Security Authority Subsystem Service. Sasser
exploits that flaw over the network with no user action required, and the
crash of LSASS forces the machine to reboot, which is why it behaves as a
denial of service (DoS). While only the W2K and XP operating systems are
vulnerable, older versions of Windows can execute the worm code if it is
deliberately run on them but can't be infected over the network.

Current situation

Although German police
have apparently rounded up the people who created and initially spread the
Sasser worm, the infection itself continues to wreak havoc because it
infects even unattended systems and will keep re-infecting systems until
the underlying vulnerability is patched. That is quite a challenge,
because infected systems keep rebooting, which can make it impossible to
download the patch or even browse the Web looking for solutions.

A properly configured firewall (blocking inbound TCP ports 445, 5554, and
9996) stops the worm from reaching or spreading from your system, but it does
not fix the flaw or remove an existing infection. Applying the patch provided in
Microsoft Security Bulletin MS04-011 is the only certain way to protect your system from
re-infection.



The reason so many systems remain vulnerable is the bad
experience many users have had when installing the patch. Microsoft Knowledge
Base Article 835732 covers the known problems with the patch, which include a
complete hang of some Windows 2000 systems due to System process activity
and the inability of some users to log onto Windows at all after patching. There
are also problems with Oracle on patched W2K systems. The only significant
problem reported with patched XP systems is the inability to view some graphics files
created with Adobe Illustrator.

Preparation

Removing Sasser is a multistep process; the first
problem is stopping the computer from automatically rebooting long enough
to download the patch and/or a removal tool.

Here is the process for all versions of Sasser from A
through F as outlined by Symantec; bear in mind that you will only have about
20 seconds to complete the steps:

  1. Disconnect
    from the Internet.
  2. Restart.
  3. As
    soon as possible in the boot process, click on Start, Run, and enter cmd to open the command
    prompt.
  4. At
    the command prompt enter shutdown -i
    <ENTER>
    .
  5. This opens the Remote Shutdown Dialog, which is normally used to shut down
    other systems on the network, but here you need to enter the name of your own computer.
  6. Click
    Add, enter the name, and then click OK.
  7. Now
    change the warning message delay from the default 20 (seconds) to
    a large number such as 9999. After patching you can reset the warning
    message delay if you wish.

That should hold off the shutdown sequence long
enough for you to connect to the Internet and download the patch.

It may come as a surprise to many users who aren't connected
to a network that their system has a name, either assigned by someone with
Administrator privileges or automatically generated. To find your computer's
name, open the Control Panel, click on the System icon, and look on the Computer Name
tab; typing hostname at a command prompt shows it as well. Since you must
complete all those numbered steps within 20 seconds or less, you will need to
locate your system's name before beginning this process.

Microsoft's instructions for stopping the reboot cycle on XP systems
tell you to simply enter shutdown.exe -a
at the command prompt. That aborts the pending shutdown and is obviously much
faster if and when it works; shutdown.exe ships with XP but not with Windows 2000,
which is why the instruction is XP-specific.

If you manage to download and install the patch before the system reboots,
the above steps aren't necessary; either way they aren't technically part of the Sasser removal process,
which is described next.


Removal

You can download a removal tool from Symantec, F-Secure,
and other antivirus vendors. Microsoft
also has detailed instructions,
and there is an automated test tool on that
page that can show whether you have a Sasser infection and remove it. The automated
removal tools stop the process, remove the worm files, and clean the Registry. If
at all possible you should obtain one of these tools and remove Sasser with it,
because the manual process is cumbersome, to say the least.

Some of the following manual removal steps (terminating the
malicious processes) may be necessary even if you intend to use a removal tool,
because some systems will be so tied up with Sasser processes that you can't
use the computer.

You can get a usable system back by opening the Task Manager and
locating avserve2.exe, avserve.exe, skynetave.exe, and any process whose name
is a short string of digits followed by _up.exe (for example, XXXXX_up.exe), then selecting those
process names and clicking End Process to stop them.

XP comes with an automatic System Restore feature that
should also be disabled before removing any worm or virus, because it is a
backup tool that may save a copy of the infection if left running. Symantec has
a complete description of the steps required, but the basic steps
are to go to the Control Panel, open the System dialog, and on the System Restore
tab check the box by Turn Off System Restore.

Manual removal requires that you delete all files identified
as part of Sasser by an antivirus program.

The Registry is altered by Sasser, which means you will want
to remove the value (avserve.exe for the original variant):

"avserve2.exe"="%Windir%\avserve2.exe"

from:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Variants continue

Newsfactor.com has reported that a new infection, Dabber (package.exe), attacks
computers through the Sasser infection itself, removing the Sasser worm, turning the PC into a
server, and planting a backdoor. Removal instructions for Dabber are found at Symantec, TrendMicro, Panda, and other AV vendor sites.

E Variant

Symantec
reports that the E version of Sasser differs from the original W32.Sasser.Worm in part
as follows:

The
process name is SkynetNotice, the
file is lsasss.exe (note the three s's; do not confuse it with, or terminate, the legitimate lsass.exe,
which itself forces a reboot when killed), and that name is
used in the Registry line instead of avserve.
You also need to block TCP ports 1023 and 1022 at the firewall. And instead of
XXXXX_up.exe, look for XXXXX_update.exe.

F Variant

The F
version of Sasser also differs slightly from previous versions. The process
name is billgate, the Sasser file
name is napatch.exe, and that name is
used in the Registry.
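The indicators scattered through the removal and variant sections above (worm file names, the digits_up.exe / digits_update.exe download copy, the listening ports, and the Run key value) can be checked in one pass. The following script is an added example, not part of the original article or of any vendor's removal tool. It parses text captured from a suspect machine with tasklist /fo csv, netstat -an, and reg export of the Run key, flags Sasser A through F indicators, and prints the XP taskkill / reg delete commands that would clean them; the sample captures embedded below are constructed, not real, and the assignment of skynetave.exe and avserve.exe to the "A-D" group is the article's grouping, not a per-variant attribution.

```python
"""Sasser A-F indicator check over tasklist, netstat and .reg text captured from a suspect host."""
import csv
import io
import re

# Worm executables named in the article, matched on the exact (case-insensitive) image name.
# lsasss.exe has three s's: substring matching would also hit the legitimate lsass.exe.
WORM_FILES = {
    "avserve.exe": "A-D",
    "avserve2.exe": "A-D",
    "skynetave.exe": "A-D",
    "lsasss.exe": "E",
    "napatch.exe": "F",
}
# Copy of the worm fetched from the infecting host: <digits>_up.exe (A-D) or <digits>_update.exe (E).
DOWNLOAD_RE = re.compile(r"^\d+_up(?:date)?\.exe$", re.IGNORECASE)
# TCP ports the worm listens on: 5554 FTP / 9996 shell (A-D), 1023 / 1022 (E).
WORM_PORTS = {5554: "worm FTP (A-D)", 9996: "remote shell (A-D)", 1023: "worm FTP (E)", 1022: "remote shell (E)"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"


def parse_tasklist_csv(text):
    """Image names from `tasklist /fo csv` output (header row skipped)."""
    rows = list(csv.reader(io.StringIO(text)))
    return [row[0] for row in rows[1:] if row]


def parse_netstat_listening(text):
    """Local TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            ports.add(int(parts[1].rsplit(":", 1)[1]))
    return ports


def parse_reg_run_values(text):
    """Value name -> data for the HKLM Run key from a `reg export` (.reg) file."""
    values, in_run = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.strip("[]").lower() == RUN_KEY.lower()
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if in_run and m:
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")  # .reg files escape backslashes
    return values


def check_host(tasklist_text, netstat_text, reg_text):
    """Return (findings, cleanup_commands); findings are human-readable strings."""
    findings, commands = [], []
    for name in parse_tasklist_csv(tasklist_text):
        key = name.lower()
        if key in WORM_FILES:
            findings.append(f"process {name} (Sasser {WORM_FILES[key]})")
            commands.append(f"taskkill /F /IM {name}")
        elif DOWNLOAD_RE.match(name):
            findings.append(f"process {name} (downloaded worm copy)")
            commands.append(f"taskkill /F /IM {name}")
    for port in sorted(parse_netstat_listening(netstat_text) & set(WORM_PORTS)):
        findings.append(f"TCP port {port} listening ({WORM_PORTS[port]})")
    for value, data in parse_reg_run_values(reg_text).items():
        exe = data.rsplit("\\", 1)[-1].lower()
        if exe in WORM_FILES:
            findings.append(f'Run value "{value}"={data} (Sasser {WORM_FILES[exe]})')
            commands.append(f'reg delete "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "{value}" /f')
    return findings, commands


# Constructed sample captures from a hypothetical infected XP host (not real data).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","688","Console","0","1,420 K"
"explorer.exe","1432","Console","0","14,104 K"
"avserve2.exe","1880","Console","0","2,212 K"
"48824_up.exe","1944","Console","0","1,980 K"
'''
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1056      10.4.7.33:445          SYN_SENT
'''
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"avserve2.exe"="%Windir%\\avserve2.exe"
'''

if __name__ == "__main__":
    found, cleanup = check_host(SAMPLE_TASKLIST, SAMPLE_NETSTAT, SAMPLE_REG)
    for f in found:
        print("FOUND:  ", f)
    for c in cleanup:
        print("CLEANUP:", c)
```

On the constructed sample the script flags avserve2.exe and 48824_up.exe as processes, ports 5554 and 9996, and the avserve2.exe Run value, while leaving the legitimate lsass.exe alone; taskkill and reg.exe are the XP Professional commands, so on Windows 2000 or XP Home use Task Manager and regedit as the article describes.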


For inquiring minds

Sasser
and all of its variants have been big news in IT recently. In the spirit of
disseminating important information (and because we are curious), TechRepublic
would like to know how many members actually had to deal with (or are
continuing to deal with) the Sasser worm? How many computers have you
personally disinfected for Sasser so far? How much dollar damage, in terms of
lost productivity, has this worm caused for your organization? Add your story
to the article discussion.