
Information about the Sasser worms

Question

How can I check if my computer is infected with one of the Sasser worms?

Answer

  1. If you do not have an antivirus program, you should install the latest version of Norman Virus Control.
  2. Make sure that your antivirus program is completely updated. In Norman Virus Control, click the N-icon and choose About. The signature date for binary viruses should be 2004/05/03 or newer.
  3. Run a full virus scan by clicking the N-icon and choosing Scan harddisks.

As an alternative to the steps above, you may download and run Norman Malware Cleaner.


Question

How do I remove the Sasser worms from my system?

Answer

Download and run Norman Malware Cleaner by clicking this link.
Note! This fix will remove the worm from your system. It will not, however, prevent your system from being reinfected. Install an updated antivirus program and the Microsoft MS04-011 (LSASS) patch to prevent reinfection.


Question

I have successfully cleaned the virus from my system, and I am running an up-to-date antivirus program. However, when connecting to the Internet, my PC will shut down after a few minutes. I get the message

This system is shutting down. Please save all work in progress and log off

or

LSA Shell(Export version) has encountered a problem and needs to close.

Why does this happen?

Answer

Sasser uses the LSASS vulnerability to infect systems. Your antivirus program will prevent the worm from infecting your system, but it will not prevent the worm from trying to infect it. When the worm tries to infect your system, the attempt will often cause your system to shut down with one of the above-mentioned messages. To prevent this from happening, you must install the Microsoft MS04-011 (LSASS) patch.


Question

My system is shutting down whenever I connect to the Internet due to the Sasser worm trying to infect it. I am unable to download the Microsoft MS04-011 (LSASS) patch from Microsoft before my system shuts down. How can I prevent my system from shutting down?

Answer

If you are running Windows XP, you can issue the command Shutdown -a. Click Start | Run and enter the command. You can also delay the shutdown by setting the clock back one hour. You have to set the clock back when the shutdown message appears. This is especially useful on the NT/2000 platforms, where the shutdown command is not available.


Question

What is the Microsoft MS04-011 (LSASS) vulnerability?

Answer

Please visit Microsoft’s web site for an in-depth description here.