SASSER REMOVAL TOOLS
While I hope no one needs this, here are several tools and techniques for removing the Sasser worm. All of these tools are excellent. I prefer the Microsoft Removal Tool instructions (listed first), which includes the MS04-011 security patch required to avoid reinfections.
Microsoft Removal Tool
http://support.microsoft.com/?kbid=841720
McAfee Stinger
http://vil.nai.com/vil/stinger/
Symantec Removal Tools
http://www.symantec.com/avcenter/venc/data...moval.tool.html
F-Secure Removal Tools
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt
Before using the tool please read the disinfection instructions from 'f-sasser.txt'.
Trend Micro Removal Tools
http://www.trendmicro.com/download/dcs.asp
Microsoft - Manual Disinfection
To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the "avserve2.exe" process, then delete the file AVSERVE2.EXE from your Windows directory and reboot.
Steps from Microsoft's site (includes test button and tools):
http://www.microsoft.com/security/incident/sasser.asp
Manual Removal steps for Technical Users
http://www.microsoft.com/technet/Security/alerts/sasser.mspx
NETWORK LSASS SCANNING TOOLS
eEye offers free scanning network tool -- As a service to the network security community, eEye has announced the availability of a free tool to scan network computers and detect if any are vulnerable to the "Sasser.A" worm currently circulating worldwide. The tool allows administrators to quickly identify vulnerable workstations that do not contain the patch required to protect from the attack, and it provides information on where to locate the patch made available from Microsoft.
Download the FREE Retina Sasser Audit Tool here:
http://www.eeye.com/html/Research/Tools/Do...le=RetinaSasser
This free tool from Foundstone identifies workstations with unpatched MS04-011 LSASS vulnerabilities.
Foundstone DSSCAN tool
http://www.foundstone.com/resources/proddesc/dsscan.htm
Full Version: Sasser - Removal & Detection Tools
Thank you for the warning. It seems like it is spreading quickly, as I have seen them talking about it on the news.
Well done!
Well done!
Microsoft is hosting the Sasser cleanup tool on Windows Update.
Over 1.5 MILLION users cleaned by WU alone according this article:
http://www.incidents.org/diary.php?date=2004-05-04
Over 1.5 MILLION users cleaned by WU alone according this article:
http://www.incidents.org/diary.php?date=2004-05-04
QUOTE
Some numbers about Sasser:
* According Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.
* The Internet Storm Center numbers are close to Microsoft:
- 500k on May 1st
- 700k on May 2nd
* According Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.
* The Internet Storm Center numbers are close to Microsoft:
- 500k on May 1st
- 700k on May 2nd
Kaspersky Labs has just added a removal tool:
QUOTE
Kaspersky Labs, a leading information security software developer, now has a free utility to remove the network worm Sasser.
(http://www.viruslist.com/eng/alert.html?id=1437429) The utility can be
downloaded from ftp://ftp.kaspersky.com/utils/clrav/.
(ftp://ftp.kaspersky.com/utils/clrav/)
(http://www.viruslist.com/eng/alert.html?id=1437429) The utility can be
downloaded from ftp://ftp.kaspersky.com/utils/clrav/.
(ftp://ftp.kaspersky.com/utils/clrav/)
My project is US military wide and we didn't have a clue what was happening for about an hour. Every single military site we have a box at got hit all at the same time. it was weird. 
blaster wasn't even that bad. it got cleaned off a lot faster and easier than the blaster worm and the welcia. We are all good now. 
blaster wasn't even that bad. it got cleaned off a lot faster and easier than the blaster worm and the welcia. We are all good now.
Yeah I found getting rid of sasser extremely easy and painless.
End the process, attrib -r , and delete.
End the process, attrib -r , and delete.
Same here. Wasnt too bad.
What I have found though, are a lot of clients getting hacked to bits with the lsass exploit. Just yesterday I cleaned up a client that had been hacked...and the hacker was running an autohacker for the lsass exploit. His scan file showed 750 vulnerable systems.
Needless to say, my client got a good kick in the butt for not updating.
What I have found though, are a lot of clients getting hacked to bits with the lsass exploit. Just yesterday I cleaned up a client that had been hacked...and the hacker was running an autohacker for the lsass exploit. His scan file showed 750 vulnerable systems.
Needless to say, my client got a good kick in the butt for not updating.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.