A tool is available to remove the Sasser worm variants

• February 8, 2005: Microsoft replaced this tool with the Microsoft Windows Malicious Software Removal Tool. For additional information about the Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:
  890830

  (http://support.microsoft.com/kb/890830/ )

  The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000
• May 11, 2004: Microsoft released version 4.0 of the Sasser Worm Removal Tool to the Microsoft Download Center. Version 4.0 adds support for detecting and for removing the Sasser.F variant of the worm.
• May 09, 2004: Microsoft released version 3.0 of the Sasser Worm Removal Tool to the Microsoft Download Center. Version 3.0 adds support for detecting and for removing the Sasser.E variant of the worm.
• May 04, 2004: Microsoft released version 2.0 of the Sasser Worm Removal Tool to the Microsoft Download Center and to the Windows Update Web site. Version 2.0 adds support for detecting and for removing the Sasser.C variant of the worm and the Sasser.D variant of the worm.
• May 01, 2004: Microsoft released version 1.0 of the Sasser Worm Removal Tool to the Microsoft Download Center. Version 1.0 detects and removes the Sasser.A worm and the Sasser.B worm.

Back to the top | Give Feedback

• Your computer performance is decreased or your network connection is slow.
• You may see a dialog box that contains text that refers to LSA Shell.
• Your computer may restart every few minutes without user input.

Back to the top | Give Feedback

• Consumers
  http://www.microsoft.com/security/incident/sasser.mspx
  (http://www.microsoft.com/security/incident/sasser.mspx)
• IT Professionals
  http://www.microsoft.com/security/portal/
  (http://www.microsoft.com/security/portal/)

Back to the top | Give Feedback

Download and setup information

• The Sasser Worm Removal Tool does not work on computers that are running Microsoft Windows NT 4.0, Windows 95, Windows 98, Windows 98 Second Edition, Windows Millennium Edition, or any 64-bit versions of Windows.
• The Sasser Worm Removal Tool is only available for English (US) versions of Windows. However, you can run the English (US) tool on any language version of Windows.
• Many antivirus companies have also written tools to remove the Sasser worm. Most up-to-date antivirus programs will also remove this worm.

Release information

Sasser Worm Removal Tool

Sasser worm variants

Prerequisites

• Your computer must be running Microsoft Windows 2000 SP2 or later or a 32-bit version of Windows XP.
• You must log on as a computer administrator or as a member of the Administrators group.

Restart requirement

Usage information

1. Searches in memory for evidence of the Sasser.A worm (Avserve.exe), the Sasser.B worm and the Sasser.C worm (Avserve2.exe), the Sasser.D worm (Skynetave.exe), the Sasser.E worm (Lsasss.exe), the Sasser.F worm (Napatch.exe). If the removal tool finds an infection, the worm process is ended.
2. Searches for known Sasser A through F executable files on the hard disk and for Sasser-related entries in the Run keys in the registry. If the removal tool finds worm executable files on the hard disk, the removal tool deletes the files and removes the registry entries. Other tools may delete the worm files on the hard disk without deleting the registry values.
   
   If a Sasser registry value no longer points to a file on the hard disk, the removal tool does not remove the "orphaned" registry value because the registry value will not cause any damage if the associated file does not exist on the hard disk.
3. Displays a Windows message box that describes the outcome of the detection and removal process. The following list contains the messages that you may receive and what these messages mean to you:
   • "No infection detected" – The Sasser worm was not detected on this computer.
   • "Successfully removed Worm_Name" – Worm_Name was removed. No additional action is required.
     
     Note Worm_Name is a placeholder for one of the Sasser variants (A, B, C, D, E, or F).
   • "This tool must be run by an administrator"
   • "Fatal error, please review log file"
   • "Worm_Name was detected, but could not be removed" – Try to run the tool again and check the log file for errors.
   • “This tool requires Windows 2000 or Windows XP” – This tool is not supported on versions of Windows other than Windows 2000 and Windows XP.
   • "Incorrect Windows version (Win32s)" – This tool is not supported on Windows 3.1 with Win32s.
   Additionally, you will receive the following message if the tool determines that the 835732 (MS04-011) security update is not installed on your computer:
   • “To prevent infection, please visit Windows Update (www.windowsupdate.com
     (http://www.windowsupdate.com/)
     ) and install KB835732” – You must install this update to prevent re-infection by the Sasser worm.
   When you close the message box, the removal tool quits, and the Sasscln.exe file is deleted from the temporary folder. You can now delete the Windows-KB841720-ENU-V4.exe file manually.
4. The removal tool creates a log file that is named Sasscln.log in the %Windir%\Debug folder. You can view this log file to determine if Sasser infections were detected and were removed.

Command-line switches

• /Q – Use quiet mode or suppress messages when the files are being extracted.
• /Q:U - Use user-quiet mode. User-quiet mode presents some dialog boxes to the user.
• /Q:A - Use administrator-quiet mode. Administrator-quiet mode does not present any dialog boxes to the user.
• /T: path – Specify the location of the temporary folder that is used by the Setup process or specify the target folder for extracting files (when used together with the /C switch).
• /C – Extract the files without installing them. If /T: path is not specified, you are prompted to specify a target folder.
• /C: cmd – Specify the path and the name of an alternate Setup .inf file or an .exe file to use to install the tool.
• /R:N - Never restart the computer after installation.
• /R:I - Prompt the user to restart the computer if a restart is required, except when this switch is used with the /Q:A switch.
• /R:A - Always restart the computer after installation.
• /R:S - Restart the computer after installation without prompting the user

• /S - Enables silent mode for the tool. This switch suppresses the infection status dialog box that you receive after the tool has run.

Removal information

Back to the top | Give Feedback

Frequently asked questions

• Q1: Does this tool provide my computer with protection against a Sasser worm infection?
  
  A1: No. This tool removes the Sasser worm from an infected computer. To help prevent infection, you must install the 835732 security update.
• Q2: What variants of the Sasser worm does this tool remove?
  
  A2: This tool removes Sasser.A, Sasser.B, Sasser.C, Sasser.D, Sasser.E, and Sasser.F.
• Q3: How does this tool work?
  
  A3: This tool is provided in an IExpress installation package (Windows-KB841720-ENU-V4.exe). When you run the installer, the package extracts the Sasscln.exe file to a temporary directory and then runs the removal tool. Sasscln.exe 3.0 removes any copies of the Sasser A, Sasser.B, Sasser.C, Sasser.D, Sasser.E, and Sasser.F worms on your computer, if they exist. After the removal tool has performed these actions, you receive a status dialog box, and then the removal tool quits. The Sasscln.exe file is automatically deleted from the temporary folder, and you can manually delete the installer package. For more information about the IExpress installation package, visit the following Microsoft Web site:
  http://technet.microsoft.com/en-us/library/dd346760.aspx

  (http://technet.microsoft.com/en-us/library/dd346760.aspx)
• Q4: May I redistribute the Sasser Worm Removal Tool?
  
  A4: No. All customers must download the Sasser Worm Removal Tool (Windows-KB841720-ENU-V4.exe) from the Microsoft Web site.
• Q5: May I redistribute the Sasscln.exe file?
  
  A5: No. Redistribution of the Sasscln.exe file is not supported.
• Q6: Is this tool digitally signed by Microsoft?
  
  A6: Yes. Both the installer package and the Sasscln.exe file are digitally signed by Microsoft.
• Q7: How do I run this tool?
  
  A7: See the "Download and setup information" section.
• Q8: How do I know if this tool has removed the Sasser worm?
  
  A8: You will see a results dialog box after the removal tool runs. Additionally, you can review the Sasscln.log log file for the following entries:
  • "No Worm_Name infection found" indicates that no infection was found.
  • "Worm_Name found and removed" indicates that the Worm_Name worm was found and was removed.
  • "Worm_Name found and will be removed at next reboot" indicates that the Worm_Name worm was found and that it will be removed when you restart your computer.
• Q9: Is there a Microsoft Windows Installer (.msi) package for this tool?
  
  A9: No. This tool uses an IExpress package for execution.
• Q10: Can this tool be removed (uninstalled)?
  
  A10: Yes. See the "Removal information" section.
• Q11: Will Microsoft make this tool available in other languages?
  
  A11: Currently, this release is only available in English (US).
• Q12: I am running a 64-bit version of Windows XP. Can I install this tool?
  
  A12: No. Currently, this tool supports only 32-bit operating systems.
• Q13: I ran a Sasser removal tool from my antivirus vendor or I have an up-to-date antivirus program. Do I have to install this one, too?
  
  A13: Generally, no. Removal tools that are provided by antivirus vendors should remove any Sasser infections. However, installing the Sasser Worm Removal Tool on an uninfected computer should have no negative effects.
• Q14: Does this tool gather information from my computer and then send it to Microsoft?
  
  A14: No information is sent back to Microsoft when you install or run this tool.
• Q15: If this tool does not remove the Sasser worm from my computer, what should I do?
  
  A15: Run an up-to-date antivirus program on your computer.
• Q16: Does this tool create a log file to let me know if an infection was found or removed? If so, what is the name of the log file? Where is the log file located?
  
  A16: See the "Usage information" section.
• Q17: How do I know when this tool is finished running on my computer?
  
  A17: After you click OK to confirm the results of running the tool, the tool has finished running on your computer. To verify the results, view the Sasscln.log log file. For more information, see the "Usage information" section.
• Q18: Can I run this tool on a remote computer on my network?
  
  A18: No.
• Q19: What command-line switches can I use with the installer package?
  
  A19: See the "Command-line switches" section.
• Q20: Is this tool a replacement for an antivirus product?
• A20: No. Microsoft recommends that you install and use an up-to-date antivirus program.
• Q21: Will my antivirus program interfere with this tool?
  
  A21: If your antivirus program is running on an infected computer when the removal tool runs, the antivirus program may detect the Sasser worm and may prevent the removal tool from removing the Sasser worm. In this case, you can use your antivirus program to remove the Sasser infection.
  
  Note The Sasscln.exe file does not contain a virus or a worm. Therefore, the removal tool alone should not trigger your antivirus program. However, if the Sasser worm infected your computer before an up-to-date antivirus program was installed, and scheduled virus scanning or background virus scanning is disabled, your antivirus program might not detect the worm until the Sasser Worm Removal Tool tries to remove the worm.
  
  In any situation other than this situation, the Sasser Worm Removal Tool should not conflict with or interfere with your antivirus program. You do not have to disable or remove your antivirus program when you install this tool.
• Q22: How does this tool work with the System Restore feature in Windows XP?
  
  A22: This tool does not create a system restore point.
• Q23: Can I use the Microsoft Baseline Security Analyzer (MBSA) to identify computers that require this tool?
  
  A23: No. You can use MBSA to help determine whether computers have the 835732 security update installed. However, MBSA cannot identify computers that are infected with the Sasser worm.
• Q24: What user rights and other prerequisites do I have to have to run this tool?
  
  A24: See the "Prerequisites" section.
• Q25: Will this tool be part of Windows XP Service Pack 2?
  
  A25: No.
• Q26: Can this update be deployed through Microsoft Systems Management Server and through other systems management software?
  
  A26: Yes. However, as with any large deployment, it is a good idea to test the installation of the tool and the removal of the tool on many computers before you extend the update to the whole corporation. You can use the following single command to run the installer package in quiet mode and to run the tool in silent mode:
  Windows-KB841720-ENU-V4.exe /Q /C:"sasscln.exe /S"
• Q27: The KB841720 critical update was not installed on my computer by Automatic Updates. Additionally, when I visit Windows Update and scan for updates, the KB841720 critical update is not available for me to install. Why?
  
  A27: For the KB841720 critical update to be available on Windows Update and through Automatic Updates, your computer must meet the requirements that are described in the "Prerequisites" section.
  
  Additionally, the KB841720 critical update will not be available to install from Windows Update or through Automatic Updates if your computer does not appear to be infected with the Sasser worm.

Back to the top | Give Feedback