Disclaimer: This news item was originally posted on Sunday, May 2, 2004. Its content may no longer be timely or accurate.

W32.Sasser Worm Infecting Campus Computers

Posted: 19:00:00, Sunday, May 2, 2004   Expiration: 19:00:00, Wednesday, May 12, 2004  

The W32.Sasser worm is currently infecting campus computers using Windows NT, Windows 2000, and Windows XP.

Technical Background

The W32.Sasser worm is currently infecting campus computers using Windows NT, Windows 2000, and Windows XP. Users with Windows 95, 98 or ME (Millenium) are unaffected. The Sasser virus exploits a security vunerability in the affected versions; more information on this problem can be found here, at Microsoft's Security Bulletin: MS04-011 .

The virus spreads by scanning for vunerable machines (checking random IP addresses) and infecting anything it finds. Symantec currently has it classified as a Level 4 (severe) threat and has a removal tool available. More information can be found on Symantec's Sasser Page with respect to the worm's nature. In short, however, infected machines may run slowly, and will have difficulty shutting down.

Preventing Infection

Users can prevent infection by download the apprpriate security update (Update # 35732) from windows update (http://windowsupdate.microsoft.com). This is a critical update, so downloading all critical updates will ensure that the machine is properly patched. For help running windows update, click here.

Users of department computers should check with their local IT support staff before applying patches or cleaning viruses.

Windows XP users can also protect themselves for the interim by enabling XP's built-in firewall. After this is done, XP users should still download the security update. More information can be found below under "Using XP's firewall".

Removal Instructions

Once infected, the best way to remove the Sasser virus is obtain a Sasser Removal CD. To get one, stop in at the Walk-In Help Desk (1210 W. Dayton Street, behind the Techstore) with a blank CD. We will trade you a premade Sasser CD for your blank CD-R.

If this is not possible, then the virus must be removed by obtaining a copy of Symantec's removal tool, cleaning the machine, and installing the appropriate security updates.

Using XP's firewall

Windows XP users should first and foremost enable the built-in firewall in Windows XP. This will protect them from further infections. This can be done by clicking on "Start" -> "Control Panel" -> "Network and Internet Connections" -> "Network Connections". Then right-click on your internet connection ("Local Area Connection" for high speed users; "Wiscworld" or "WiscDial" for dial-up). Click the "properties" button, and click "advanced". Check the box for "Internet Connection Firewall". Then follow the rest of the instructions listed here:

Removing the virus

  1. The virus can be removed automatically by visiting Symantec's Sasser Removal Tool Page. Download the removal tool and run it to remove the virus.
  2. Afterwards, go to http://windowsupdate.microsoft.com via Internet Explorer, and download all critical updates.
  3. Lastly, run an anti-virus scan with an up-to-date virus scanner, to verify that there are no other infections.

Pre-emptive protection with Windows 2000 and NT (advanced users only)

If you are not running XP, and thus do not have access to XP's firewall, you can still protect yourself from infections by following the instructions. These instructions are fairly technical and are recommend for advanced users only.

Users have several options for disabling vunerable traffic - each of these will work to stop the worm from exploiting the LSASS vulnerability and causing LSASS instability.

  1. Create a read-only file called 'dcpromo.log' in the %systemroot%debug directory.
  2. Use TCP/IP filtering to block all un-solicited inbound TCP packets:


    1. Go to start->run and type 'control' and press enter

    2. In the new Control Panel window double click on "Network and Dialup Connections"

    3. Right click on the adapter that is connected to the Internet / infected network and select 'Properties'

    4. Double click 'Internet Protocol (TCP/IP)'

    5. Press the 'Advanced' button

    6. Select the 'Options' tab

    7. Double click 'TCP/IP filtering'

    8. Click the 'Enable TCP/IP filtering (all adapters)'checkbox

    9. Click the 'Permit Only' radio button above 'TCP Ports'

      • Do NOT add any ports to this list

      • Do NOT select the 'Permit Only' radio button above the 'UDP Ports' label.

    10. Press the 'OK' button 4 times and then select 'Yes' when prompted to reboot the system (you must reboot for these settings to take effect).

  3. Stop the server service (net stop server /y)

The steps in #1 above completely mitigates the vulnerability and is the most effective workaround to use. This will stop the attack on any port.

The steps in #2 above block all un-initiated inbound TCP traffic and may block additional attack vectors that pop-up using different ports in the future (it's sort of like ICF).

Step #3, stopping the server service will stop Sasser but may not prevent future worms / attacks which use ports not covered by the server service.

After employing any of these workarounds you can then browse to our web site and download all missing critical security updates.

After installing the updates and rebooting you should run a Sasser cleaner located here:

For the on-line ActiveX control based version of the cleaner you can run it directly from the following URL:
http://www.microsoft.com/security/incident/sasser.asp

For the stand-alone download version of the cleaner you can download it from the following URL:
Sasser.A and Sasser.B Worm Removal Tool (KB841720)

Finally - after running the Sasser cleaner you should run a full Anti-Virus scan to make sure you were not also infected with one of the many Agobot variants now circulating which can use this exploit to get on your machine."

-- DoIT Help Desk

Created: 06:57:49, Monday, May 3, 2004 (by Weizhong W.)
Updated: 11:40:57, Monday, May 3, 2004 (by Weizhong W.)