Use the specified DAT files
for detection and removal.
Infected systems should install the Microsoft update to be protected from the exploit used by this worm. See:
If the system reboots before you are able to download and install the patch, the shutdown utility can abort a shutdown that is in progress (counting down). This utility is part of Windows XP.
- Click START, RUN
- Type SHUTDOWN -A and hit ENTER
Additional Windows ME/XP removal considerations
has been updated to assist in detecting and repairing this threat.
Manual Removal Instructions
To remove this virus "by hand", follow these steps:
- Reboot the system into Safe Mode (hit the F8
key as soon as the Starting Windows text is displayed, choose Safe Mode.
- Delete the file AVSERVE.EXE
from your WINDOWS directory (typically c:\windows or c:\winnt)
- Edit the registry
- Delete the "avserve" value from
- Reboot the system into Default Mode
Filters have been developed that will look for Sasser traffic [Sniffer Distributed 4.1/4.2/4.3, Sniffer Portable 4.7/4.7.5, and Netasyst].
This worm is detected in all Intrushield signauture sets 184.108.40.206, 220.127.116.11, 18.104.22.168 and later. In the IntruShield Alert Viewer, you would see the following alert when Sasser worm propagation is detected:
- DCERPC: Microsoft Windows LSASS Buffer Overflow (0x47601c00)
Customers with in-line deployment should configure the sensor response of the above signature action to block in the policies.
McAfee System Compliance Profiler
Create a rule to match a registry key
- Select HKEY_LOCAL_MACHINE from the drop-down box
- In the field after the drop-down box, enter in the path Software\Microsoft\Windows\CurrentVersion\Run
- For Value name, enter avserve.exe
- In the next drop-down box, select "Registry value does not exist"
McAfee Desktop Firewall
To prevent possibly remote access McAfee Desktop Firewall users can block incoming TCP port(s) 5554, 9996
ThreatScan signatures that can detect the W32/Sasser.worm.a
virus are available from:
ThreatScan Signature version: 2004-05-03
ThreatScan users can detect the virus by running a ThreatScan task using the following settings:
- Select the "Remote Infection Detection" category and "Windows Virus Checks" template.
- Select the "Other" category and "Scan All Vulnerabilities" template.
For additional information:
- Run the "ThreatScan Template Report"
- Look for module number #4073
ThreatScan users can detect the remote access component by running a Resource Discovery Task using the following settings:
- Select TCP Port scan
- Enter ports 5554,9996