To get full-time access to this and other time-saving resources and in-depth content, we invite you to become a TechProGuild subscriber.

Save time. TechProGuild members can download the preformatted,
ready-to-print version of this FastAnswer handout. The next time the problem
arises in your organization, simply print and distribute the file directly to
end users or members of your IT staff.

The problem

Sasser is a denial of service (DoS) worm that exploits a
flaw in a Windows 2000 or non-64-bit Windows XP machine’s Local Security
Authority Subsystem Service (LSASS). IT security pros must install a patch to
prevent unattended systems from falling prey to Sasser’s destruction. However, administering
the patch is a challenge because infected systems keep rebooting before it can
be installed.

The cause

Sasser causes a stack-based buffer overflow in certain
Active Directory service functions in the LSASRV.DLL file of the LSASS. Applying
the patch provided in Microsoft Security Bulletin MS04-011 is the only
way to protect your system from reinfection.


Provide your feedback on this version

This is a version of one of
TechProGuild’s new FastAnswer handouts. The PDF download aims to save you time by eliminating the need to
repeatedly research common questions and providing you with a preformatted,
step-by-step solution you can pass directly to users or staff. Please send your
comments and any recommended revisions to erik.eckel@techrepublic.com.


The solution

Here is the solution for expanding the amount of time it
takes before your computer reboots due to the Sasser worm. Keep in mind that
you will have only about 20 seconds to complete the steps, and you must already
know the system’s name before beginning this process:


Tip

To find your computer’s name, open Control Panel and click
on the System icon.


  1. Disconnect
    from the Internet.
  2. Restart.
  3. As
    soon as possible in the boot process, click on Start, Run, and enter cmd to open the command line interface.
  4. At the
    DOS prompt, enter shutdown -i and press [Enter].

This command opens the control
panel for remote administration of other systems, but for this process you will
just need to enter the name of your computer.

  1. Click
    Add, enter the name, and then click OK.
  2. Now
    modify the warning message delay setting from the standard 20 (seconds) to
    a large number, such as 9999. After patching, you can reset the warning
    message delay if you wish.

That should temporarily disable
the shutdown sequence long enough for you to log on to the Internet and
download the patch.

Alternative solution

An alternative method for stopping the reboot cycle on XP-only systems is to enter shutdown.exe –a at the command prompt. That aborts
the shutdown process completely and is obviously much faster for XP systems.