After you install the 835732 (MS04-011) security update on a computer that is already infected with the Sasser worm, the computer may continue to generate network traffic on the affected Transmission Control Protocol (TCP) ports to try to spread the worm infection to other vulnerable computers. If your computer is infected with the Sasser worm, you may experience one or more of the following symptoms:
- Your computer performance is decreased or your network connection is slow.
- You may see a dialog box that contains text that refers to LSA Shell.
- Your computer may restart every few minutes without user input.
It is also possible that you will not notice any symptoms of infection. For example, the second and third symptoms may not occur on infected computers that have the 835732 security update installed, although the computer is still infected and is still spreading the worm to other computers.
For more information about the 835732 security update, visit the following Microsoft Web site: Note
Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. LSASS handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.
Microsoft has released a tool to remove the Sasser worm variants from computers that are running one or more of the products that are listed in the "Applies to" section.Important
Microsoft also recommends that you use an Internet firewall and a current antivirus program, and that you keep both Windows and your programs up-to-date.
For additional information about how to prevent viruses, and about how to recover from virus infections, click the following article number to view the article in the Microsoft Knowledge Base:
129972Download and setup information
Computer viruses: description, prevention, and recovery
If your computer is infected with any one of the A-D variants of the Sasser worm, use Automatic Updates to download and install the Sasser Worm Removal Tool, or visit the following Windows Update Web site and install the KB841720 critical update.
Release Date: May 4, 2004
For additional information about Automatic Updates, click the following article number to view the article in the Microsoft Knowledge Base:
Description of the Automatic Updates feature in Windows
To deploy this update, IT administrators can use Microsoft Software Update Services (SUS). For more information about SUS, visit the following Microsoft Web site: Notes
- The Sasser Worm Removal Tool does not work on computers that are running Microsoft Windows NT 4.0, Windows 95, Windows 98, Windows 98 Second Edition, Windows Millennium Edition, or any 64-bit versions of Windows.
- The Sasser Worm Removal Tool is only available for English (US) versions of Windows. However, you can run the English (US) tool on any language version of Windows.
- Many antivirus companies have also written tools to remove the Sasser worm. Most up-to-date antivirus programs will also remove this worm.
Sasser Worm Removal Tool
|Tool version||Sasscln.exe version||Worms removed||Operating systems supported||Installer file name||Distribution locations (date)|
|1.0||184.108.40.206||Sasser.A, Sasser.B||Windows XP, Windows 2000||Windows-KB841720-ENU.exe||Microsoft Download Center (May 1, 2004)|
|2.0||220.127.116.11||Sasser.A, Sasser.B, Sasser.C, Sasser.D||Windows XP, Windows 2000||Windows-KB841720-ENU-V2.exe||Microsoft Download Center (May 4, 2004), Windows Update|
|3.0||18.104.22.168||Sasser.A, Sasser.B, Sasser.C, Sasser.D, Sasser.E||Windows XP, Windows 2000||Windows-KB841720-ENU-V3.exe||Microsoft Download Center (May 9, 2004)|
|4.0||22.214.171.124||Sasser.A, Sasser.B, Sasser.C, Sasser.D, Sasser.E, Sasser.F||Windows XP, Windows 2000||Windows-KB841720-ENU-V4.exe||Microsoft Download Center (May 11, 2004)|
Sasser worm variants
|Worm (date discovered)||Versions of the tool that remove this worm|
|Sasser.A (April 30, 2004)||1.0, 2.0, 3.0, 4.0|
|Sasser.B (May 1, 2004)||1.0, 2.0, 3.0, 4.0|
|Sasser.C (May 1, 2004)||2.0, 3.0, 4.0|
|Sasser.D (May 2, 2004)||2.0, 3.0, 4.0|
|Sasser.E (May 8, 2004)||3.0, 4.0|
|Sasser.F (May 11, 2004)||4.0|
The Sasser Worm Removal Tool has the following prerequisites:
- Your computer must be running Microsoft Windows 2000 SP2 or later or a 32-bit version of Windows XP.
- You must log on as a computer administrator or as a member of the Administrators group.
For more information about how to determine whether a computer is running a 32-bit version of Windows XP or a 64-bit version of Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system
If these prerequisites are not met, the installation will not work, and you will receive an error message. For more information about the error message, view the following log file:
Additionally, it is a good idea to install the 835732 (MS04-011) security update before you run the Sasser Worm Removal Tool. Although version 4.0 of the removal tool will remove the worm from infected computers, it will not prevent re-infection if your computer is still vulnerable. By installing the 835732 security update before you run the removal tool, you can help prevent re-infection by the worm.
You do not have to restart your computer after you install this tool. Usage informationNote
Before you follow these steps, make sure that you have backed up all your important data.
When you install the Sasser Worm Removal Tool version 4.0 and accept the end-user license agreement (EULA), the installation package extracts the Sasscln.exe file to a temporary directory, and then the removal tool runs. The removal tool checks your computer for the prerequisites that are listed in the "Prerequisites
" section. If the prerequisites are met, the removal tool does the following:
- Searches in memory for evidence of the Sasser.A worm (Avserve.exe), the Sasser.B worm and the Sasser.C worm (Avserve2.exe), the Sasser.D worm (Skynetave.exe), the Sasser.E worm (Lsasss.exe), the Sasser.F worm (Napatch.exe). If the removal tool finds an infection, the worm process is ended.
- Searches for known Sasser A through F executable files on the hard disk and for Sasser-related entries in the Run keys in the registry. If the removal tool finds worm executable files on the hard disk, the removal tool deletes the files and removes the registry entries. Other tools may delete the worm files on the hard disk without deleting the registry values.
If a Sasser registry value no longer points to a file on the hard disk, the removal tool does not remove the "orphaned" registry value because the registry value will not cause any damage if the associated file does not exist on the hard disk.
- Displays a Windows message box that describes the outcome of the detection and removal process. The following list contains the messages that you may receive and what these messages mean to you:
Additionally, you will receive the following message if the tool determines that the 835732 (MS04-011) security update is not installed on your computer:
- "No infection detected" – The Sasser worm was not detected on this computer.
- "Successfully removed Worm_Name" – Worm_Name was removed. No additional action is required.
Note Worm_Name is a placeholder for one of the Sasser variants (A, B, C, D, E, or F).
- "This tool must be run by an administrator"
- "Fatal error, please review log file"
- "Worm_Name was detected, but could not be removed" – Try to run the tool again and check the log file for errors.
- “This tool requires Windows 2000 or Windows XP” – This tool is not supported on versions of Windows other than Windows 2000 and Windows XP.
- "Incorrect Windows version (Win32s)" – This tool is not supported on Windows 3.1 with Win32s.
When you close the message box, the removal tool quits, and the Sasscln.exe file is deleted from the temporary folder. You can now delete the Windows-KB841720-ENU-V4.exe file manually.
- “To prevent infection, please visit Windows Update (www.windowsupdate.com) and install KB835732” – You must install this update to prevent re-infection by the Sasser worm.
- The removal tool creates a log file that is named Sasscln.log in the %Windir%\Debug folder. You can view this log file to determine if Sasser infections were detected and were removed.
The removal tool installer supports the following command-line switches:
- /Q – Use quiet mode or suppress messages when the files are being extracted.
- /Q:U - Use user-quiet mode. User-quiet mode presents some dialog boxes to the user.
- /Q:A - Use administrator-quiet mode. Administrator-quiet mode does not present any dialog boxes to the user.
- /T: path – Specify the location of the temporary folder that is used by the Setup process or specify the target folder for extracting files (when used together with the /C switch).
- /C – Extract the files without installing them. If /T: path is not specified, you are prompted to specify a target folder.
- /C: cmd – Specify the path and the name of an alternate Setup .inf file or an .exe file to use to install the tool.
- /R:N - Never restart the computer after installation.
- /R:I - Prompt the user to restart the computer if a restart is required, except when this switch is used with the /Q:A switch.
- /R:A - Always restart the computer after installation.
- /R:S - Restart the computer after installation without prompting the user
For additional information about the supported installation switches, click the following article number to view the article in the Microsoft Knowledge Base:
Command-line switches for IExpress software update packages
The removal tool supports the following command-line switch:
- /S - Enables silent mode for the tool. This switch suppresses the infection status dialog box that you receive after the tool has run.
The Sasscln.exe file is automatically deleted from its temporary location after the removal tool runs. You can delete the tool's installer package after you install the removal tool.Note
After you install the Sasser Worm Removal Tool (KB841720), it does not appear in the Installed programs
list in the Add/Remove Programs tool in Control Panel.
Lsass.exe LSA Shell (Export Version) encountered a problem and needs to close Shutting down due to an unexpected termination of lsass.exe The instruction at 0x0087f878 referenced memory at 0x00000023 The memory could not be read LSA Shell (Export Version) has encountered a problem and needs to close We are sorry for the inconvenience This system is shutting down Please save all work in progress and log off Any unsaved changes will be lost This shutdown was initiated by NT AUTHORITY\SYSTEM Lsass lsass.exe sasser 1073741819 isass.exe W32.Sasser.A W32.Sasser.B W32.Sasser.C W32.Sasser.D W32.Sasser.E W32.Sasser.F