Microsoft has released a tool to help you remove the Sasser worm variants from your computer. If you are running Microsoft Windows 2000 Service Pack 2 (SP2) or later or a 32-bit version of Microsoft Windows XP, the Windows Update Web site and Automatic Updates will offer you version 2.0 of the Microsoft Sasser Worm Removal Tool to remove Sasser.A, Sasser.B, Sasser.C, and Sasser.D infections.
Version 4.0 of the Sasser Worm Removal Tool includes support for removing the Sasser.A, Sasser.B, Sasser.C, Sasser.D, and Sasser.E variants of the worm and adds support for removing the Sasser.F variant of the worm. Version 4.0 is available from the Microsoft Download Center.
May 11, 2004: Microsoft released version 4.0 of the Sasser
Worm Removal Tool to the Microsoft Download Center. Version 4.0 adds support
for detecting and for removing the Sasser.F variant of the worm.
May 09, 2004: Microsoft released version 3.0 of the Sasser
Worm Removal Tool to the Microsoft Download Center. Version 3.0 adds support
for detecting and for removing the Sasser.E variant of the worm.
May 04, 2004: Microsoft released version 2.0 of the Sasser
Worm Removal Tool to the Microsoft Download Center and to the Windows Update
Web site. Version 2.0 adds support for detecting and for removing the Sasser.C
variant of the worm and the Sasser.D variant of the worm.
May 01, 2004: Microsoft released version 1.0 of the Sasser
Worm Removal Tool to the Microsoft Download Center. Version 1.0 detects and
removes the Sasser.A worm and the Sasser.B worm.
After you install the 835732 (MS04-011) security update on a
computer that is already infected with the Sasser worm, the computer may
continue to generate network traffic on the affected Transmission Control
Protocol (TCP) ports to try to spread the worm infection to other vulnerable
computers. If your computer is infected with the Sasser worm, you may
experience one or more of the following symptoms:
Your computer performance is decreased or your network
connection is slow.
You may see a dialog box that contains text that refers to
Your computer may restart every few minutes without user
It is also possible that you will not notice any symptoms of
infection. For example, the second and third symptoms may not occur on infected
computers that have the 835732 security update installed, although the computer
is still infected and is still spreading the worm to other
For more information about the 835732 security update,
visit the following Microsoft Web site:
Note Local Security Authority Subsystem Service (LSASS) provides an
interface for managing local security, domain authentication, and Active
Directory processes. LSASS handles authentication for the client and for the
server. It also contains features that are used to support Active Directory
This behavior occurs because your computer is infected with
the Sasser worm. Together with using a firewall and installing the 835732
security update, you must also remove the Sasser worm from any infected
computers. A firewall and the 835732 security update prevent the Sasser worm
from infecting your computer. However, you must also take steps to remove any
infection that existed before you implemented these preventive measures.
For more information about how to determine whether your computer is
infected with the Sasser worm, visit the following Microsoft Web sites:
Computer viruses: description, prevention, and recovery
Download and setup information
If your computer is infected with any one of the A-D variants of
the Sasser worm, use Automatic Updates to download and install the Sasser Worm
Removal Tool, or visit the following Windows Update Web site and install the
KB841720 critical update.
The Sasser Worm Removal Tool does not work on computers
that are running Microsoft Windows NT 4.0, Windows 95, Windows 98, Windows 98
Second Edition, Windows Millennium Edition, or any 64-bit versions of
The Sasser Worm Removal Tool is only available for English
(US) versions of Windows. However, you can run the English (US) tool on any
language version of Windows.
Many antivirus companies have also written tools to remove
the Sasser worm. Most up-to-date antivirus programs will also remove this worm.
Sasser Worm Removal Tool
Operating systems supported
Installer file name
Distribution locations (date)
Windows XP, Windows
Microsoft Download Center (May 1,
Sasser.A, Sasser.B, Sasser.C,
Windows XP, Windows
Microsoft Download Center (May
4, 2004), Windows Update
The Sasser Worm Removal Tool has the following prerequisites:
Your computer must be running Microsoft Windows 2000 SP2 or
later or a 32-bit version of Windows XP.
You must log on as a computer administrator or as a member
of the Administrators group.
For more information about how to determine whether a computer is
running a 32-bit version of Windows XP or a 64-bit version of Windows
XP, click the following article number to view the article in the Microsoft Knowledge Base:
How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system
If these prerequisites are not met, the
installation will not work, and you will receive an error message. For more
information about the error message, view the following log file:
Additionally, it is a good idea to install the 835732 (MS04-011)
security update before you run the Sasser Worm Removal Tool. Although version
4.0 of the removal tool will remove the worm from infected computers, it will
not prevent re-infection if your computer is still vulnerable. By installing
the 835732 security update before you run the removal tool, you can help
prevent re-infection by the worm.
You do not have to restart your computer after you install this
Note Before you follow these steps, make sure that you have backed up
all your important data.
When you install the Sasser Worm Removal
Tool version 4.0 and accept the end-user license agreement (EULA), the
installation package extracts the Sasscln.exe file to a temporary directory,
and then the removal tool runs. The removal tool checks your computer for the
prerequisites that are listed in the "Prerequisites" section. If the prerequisites
are met, the removal tool does the following:
Searches in memory for evidence of the Sasser.A worm
(Avserve.exe), the Sasser.B worm and the Sasser.C worm (Avserve2.exe), the
Sasser.D worm (Skynetave.exe), the Sasser.E worm (Lsasss.exe), and the Sasser.F
worm (Napatch.exe). If the removal tool finds an infection, the worm process is
Searches for known Sasser A through F executable files on
the hard disk and for Sasser-related entries in the Run keys in the registry. If the removal tool finds worm executable
files on the hard disk, the removal tool deletes the files and removes the
registry entries. Other tools may delete the worm files on the hard disk
without deleting the registry values.
If a Sasser registry value no
longer points to a file on the hard disk, the removal tool does not remove the
"orphaned" registry value because the registry value will not cause any damage
if the associated file does not exist on the hard disk.
Displays a Windows message box that describes the outcome
of the detection and removal process. The following list contains the messages
that you may receive and what these messages mean to you:
"No infection detected" – The Sasser worm was not
detected on this computer.
Worm_Name" – Worm_Name
was removed. No additional action is required.
Note Worm_Name is a placeholder for one of
the Sasser variants (A, B, C, D, E, or F).
"This tool must be run by an administrator"
"Fatal error, please review log file"
"Worm_Name was detected, but
could not be removed" – Try to run the tool again and check the log file for
"This tool requires Windows 2000 or Windows XP" – This
tool is not supported on versions of Windows other than Windows 2000 and
"Incorrect Windows version (Win32s)" – This tool is not
supported on Windows 3.1 with Win32s.
Additionally, you will receive the following message if the
tool determines that the 835732 (MS04-011) security update is not installed on
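
The checks described in the steps above (worm image names in memory, Sasser-related Run-key values, and the distinction between active and orphaned values) can be reproduced for triage over exported data. The following is an added example, not Microsoft's code and not how Sasscln.exe is implemented. It assumes input in the shape of `tasklist /fo csv /nh` and `reg query` output; the sample process list, registry value names, file paths, and function names are constructed for illustration.

```python
import csv
import ntpath
import re

# Image names and variants as listed in the article (lsasss.exe has three 's').
SASSER_IMAGES = {"avserve.exe": "Sasser.A", "avserve2.exe": "Sasser.B/Sasser.C",
                 "skynetave.exe": "Sasser.D", "lsasss.exe": "Sasser.E",
                 "napatch.exe": "Sasser.F"}
RUN_VALUE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Constructed sample inputs (not captured from a real system).
SAMPLE_TASKLIST = '''
"lsass.exe","492","Console","0","1,204 K"
"avserve2.exe","1388","Console","0","5,120 K"
"LSASSS.EXE","1720","Console","0","4,876 K"
'''
SAMPLE_RUN_KEY = r'''
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    avserve2.exe    REG_SZ    C:\WINDOWS\avserve2.exe
    skynetave.exe    REG_SZ    C:\WINDOWS\skynetave.exe
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
'''
SAMPLE_FILES = {r"c:\windows\avserve2.exe"}  # files assumed present on disk

def variant_for(path):
    """Exact, case-insensitive image-name match; the real lsass.exe never matches."""
    return SASSER_IMAGES.get(ntpath.basename(path.strip().strip('"')).lower())

def scan_processes(tasklist_csv):
    """Parse tasklist CSV rows; return (image, pid, variant) for each hit."""
    hits = []
    for row in csv.reader(tasklist_csv.strip().splitlines()):
        if len(row) >= 2 and variant_for(row[0]):
            hits.append((row[0], int(row[1]), variant_for(row[0])))
    return hits

def scan_run_key(reg_query_text, file_exists):
    """Parse reg query output for a Run key; classify hits as active or orphaned."""
    findings = []
    for line in reg_query_text.splitlines():
        m = RUN_VALUE.match(line)
        if m and variant_for(m["data"]):
            # Orphaned: the value points at a file that is no longer on disk.
            state = "active" if file_exists(m["data"]) else "orphaned"
            findings.append((m["name"], variant_for(m["data"]), state))
    return findings

if __name__ == "__main__":
    print(scan_processes(SAMPLE_TASKLIST), scan_run_key(SAMPLE_RUN_KEY, lambda p: p.lower() in SAMPLE_FILES))
```

On a live system, pass `os.path.exists` as `file_exists`; an "orphaned" result corresponds to the leftover registry values that the article says the removal tool leaves in place.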
Q1: Does this tool provide my computer with protection against a Sasser worm infection?
A1: No. This tool removes the Sasser worm from an infected computer.
To help prevent infection, you must install the 835732 security
Q2: What variants of the Sasser worm does this tool remove?
A2: This tool removes Sasser.A, Sasser.B, Sasser.C, Sasser.D,
Sasser.E, and Sasser.F.
Q3: How does this tool work?
A3: This tool is provided in an IExpress installation package
(Windows-KB841720-ENU-V4.exe). When you run the installer, the package extracts
the Sasscln.exe file to a temporary directory and then runs the removal tool.
Sasscln.exe 3.0 removes any copies of the Sasser.A, Sasser.B, Sasser.C,
Sasser.D, Sasser.E, and Sasser.F worms on your computer, if they exist. After
the removal tool has performed these actions, you receive a status dialog box,
and then the removal tool quits. The Sasscln.exe file is automatically deleted
from the temporary folder, and you can manually delete the installer package.
For more information about the IExpress installation package, visit the
following Microsoft Web site:
Q11: Will Microsoft make this tool available in other languages?
A11: Currently, this release is only available in English
Q12: I am running a 64-bit version of Windows XP. Can I install this tool?
A12: No. Currently, this tool supports only 32-bit operating
Q13: I ran a Sasser removal tool from my antivirus vendor or I have an up-to-date antivirus program. Do I have to install this one, too?
A13: Generally, no. Removal tools that are provided by antivirus
vendors should remove any Sasser infections. However, installing the Sasser
Worm Removal Tool on an uninfected computer should have no negative
Q14: Does this tool gather information from my computer and then send it to Microsoft?
A14: No information is sent back to Microsoft when you install or run
Q15: If this tool does not remove the Sasser worm from my computer, what should I do?
A15: Run an up-to-date antivirus program on your computer.
Q16: Does this tool create a log file to let me know if an infection was found or removed? If so, what is the name of the log file? Where is the log file located?
Q17: How do I know when this tool is finished running on my computer?
A17: After you click OK to confirm the results of
running the tool, the tool has finished running on your computer. To verify the
results, view the Sasscln.log log file. For more information, see the
Q18: Can I run this tool on a remote computer on my network?
Q19: What command-line switches can I use with the installer package?
Q20: Is this tool a replacement for an antivirus product?
A20: No. Microsoft recommends that you install and use an up-to-date
Q21: Will my antivirus program interfere with this tool?
A21: If your antivirus program is running on an infected computer
when the removal tool runs, the antivirus program may detect the Sasser worm
and may prevent the removal tool from removing the Sasser worm. In this case,
you can use your antivirus program to remove the Sasser infection.
Note The Sasscln.exe file does not contain a virus or a worm.
Therefore, the removal tool alone should not trigger your antivirus program.
However, if the Sasser worm infected your computer before an up-to-date
antivirus program was installed, and scheduled virus scanning or background
virus scanning is disabled, your antivirus program might not detect the worm
until the Sasser Worm Removal Tool tries to remove the worm.
situation other than this situation, the Sasser Worm Removal Tool should not
conflict with or interfere with your antivirus program. You do not have to
disable or remove your antivirus program when you install this tool.
Q22: How does this tool work with the System Restore feature in Windows XP?
A22: This tool does not create a system restore point.
Q23: Can I use the Microsoft Baseline Security Analyzer (MBSA) to identify computers that require this tool?
A23: No. You can use MBSA to help determine whether computers have
the 835732 security update installed. However, MBSA cannot identify computers
that are infected with the Sasser worm.
Q24: What user rights and other prerequisites do I have to have to run this tool?
Q25: Will this tool be part of Windows XP Service Pack 2?
Q26: Can this update be deployed through Microsoft Systems Management Server and through other systems management software?
A26: Yes. However, as with any large deployment, it is a good idea to
test the installation of the tool and the removal of the tool on many computers
before you extend the update to the whole corporation. You can use the
following single command to run the installer package in quiet mode and to run
the tool in silent mode:
Q27: The KB841720 critical update was not installed on my computer by Automatic Updates. Additionally, when I visit Windows Update and scan for updates, the KB841720 critical update is not available for me to install. Why?
A27: For the KB841720 critical update to be available on Windows
Update and through Automatic Updates, your computer must meet the requirements
that are described in the "Prerequisites" section.
Additionally, the KB841720 critical update will not be available to
install from Windows Update or through Automatic Updates if your computer does
not appear to be infected with the Sasser worm.