Sasser Worm

This security advisory applies only to Windows XP, 2000, and NT 4.0. Users with other systems can disregard this notice.

A security vulnerability has recently been discovered in Windows XP, Windows 2000 and Windows NT 4.0 that allows a remote computer to take control of a computer running one of these operating systems over the network, without the user opening a file or visiting a web site. Since Saturday a worm called Sasser, which takes advantage of this vulnerability, has been spreading rapidly across the Internet. It often causes an infected computer to shut down while connected to the Internet, with an error message mentioning NT AUTHORITY and LSASS or LSA Shell.

The following details the procedure for removing the Sasser worm from your computer.

1. Terminate the Worm process

Open the Windows Task Manager by pressing Ctrl+Shift+Esc (i.e., hold down both the Ctrl and Shift keys on the keyboard, then press the Esc key once, then release Ctrl and Shift). In the Task Manager, click on the Processes tab at the top. Look in the list of processes for one named avserve.exe or avserve2.exe. Click once on it to select it, then press the End Process button, and press Yes to confirm. If you do not see either of these in the process list, your computer is probably not infected. Do not end the process named lsass.exe: that is a legitimate part of Windows, and ending it forces the computer to shut down. On Windows XP, if a shutdown countdown appears before you are finished, open Start, Run, type shutdown -a and press Enter to cancel it.

Note that this has only stopped the running copy of the worm. Its file is still on the disk and will start again the next time the computer reboots, so your computer is still infected.

2. Remove the worm from your computer

If you have a virus scanner, connect to the Internet and use it to download the latest virus definitions, then run a full scan and let it clean your computer. The exact steps depend on the software.

If you do not have a virus scanner, remove the worm's file by hand. The worm copies itself into the Windows folder (usually C:\WINDOWS, or C:\WINNT on Windows 2000 and NT 4.0) under the same name as the process you ended in step 1, avserve.exe or avserve2.exe; search the whole hard drive for that name, with hidden and system files included in the search, and delete every copy you find. Also search for lsass.exe. The genuine file lives only in the System32 folder inside the Windows folder and must not be deleted, because Windows will not run without it; any copy found elsewhere, or a file whose name has additional characters after the .exe extension, is suspect and should be deleted.

3. Install Windows security update 835732 (MS04-011)

Go to the Microsoft web site and download security update 835732 for your version of Windows. Run the downloaded file to install it, then reboot your computer. Until the update is installed, the computer can be reinfected as soon as it is connected to the Internet again, so carry out steps 1 and 2 while disconnected if possible, or behind a firewall that blocks incoming connections on TCP port 445, the port the worm uses to reach the vulnerable service.
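For administrators cleaning several machines, the three steps above can be scripted. The script below is an added example and is not part of the original advisory; it assumes Windows PowerShell 2.0 or later (installable on Windows XP SP3, and built into later Windows) running in an administrator session, that the worm file sits in the Windows folder under the same name as its process (avserve.exe or avserve2.exe) and restarts through an entry under the HKLM Run key, and that the update is reported by Get-HotFix under the identifier KB835732. It only lists, rather than deletes, stray lsass.exe copies, because the genuine one must survive.

```powershell
# Added example, not the advisory's own code: automates steps 1-3 for the
# avserve.exe / avserve2.exe variants. Assumes PowerShell 2.0+ and an
# elevated session.

$WormNames = @('avserve', 'avserve2')   # process names from step 1
$Kb        = 'KB835732'                 # security update 835732 (MS04-011), step 3

# Step 1: stop the worm process. Never stop lsass.exe itself; Windows shuts
# down if that legitimate process dies.
$running = Get-Process -Name $WormNames -ErrorAction SilentlyContinue
if ($running) {
    $running | ForEach-Object { "Stopping $($_.ProcessName) (PID $($_.Id))" }
    $running | Stop-Process -Force
} else {
    'No avserve/avserve2 process found; the machine is probably not infected.'
}

# Step 2a: delete the worm's executable from the Windows folder (assumption:
# same file name as the process, which is how the avserve variants behaved).
foreach ($name in $WormNames) {
    $path = Join-Path $env:windir "$name.exe"
    if (Test-Path -LiteralPath $path) {
        Remove-Item -LiteralPath $path -Force
        "Deleted $path"
    }
}

# Step 2b: remove any Run-key autostart entry whose command points at the worm
# file, so it does not come back after reboot. Matching on the value data
# rather than the value name also catches entries registered under other names.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey
foreach ($prop in $run.PSObject.Properties) {
    if ($prop.Value -is [string] -and $prop.Value -match 'avserve2?\.exe') {
        Remove-ItemProperty -Path $runKey -Name $prop.Name
        "Removed autostart entry '$($prop.Name)' -> $($prop.Value)"
    }
}

# Step 2c: list lsass.exe look-alikes outside System32 for manual review. The
# genuine file is %windir%\System32\lsass.exe and must not be deleted; on newer
# Windows the servicing store (WinSxS) legitimately holds extra copies, so this
# reports rather than deletes. A full-drive search can take several minutes.
$genuine = Join-Path $env:windir 'System32\lsass.exe'
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'lsass*' -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and
        $_.FullName -ne $genuine -and
        $_.FullName -notlike "$env:windir\WinSxS\*"
    } |
    ForEach-Object { "Review: $($_.FullName)" }

# Step 3: confirm the update is installed. Without it the machine is
# reinfected as soon as it is back on the network.
if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) {
    "$Kb is installed."
} else {
    "$Kb is NOT installed: install security update 835732 (MS04-011) and reboot before reconnecting."
}
```

Run it from an elevated PowerShell prompt with the network cable unplugged, then install the update and reboot before reconnecting; the Run-key cleanup is what keeps step 1 from being undone at the next boot.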
