BleepingComputer.com: Sasser - Removal & Detection Tools


Sasser - Removal & Detection Tools

#1 harrywaldron

  • Security Reporter
  • Group: Members
  • Posts: 509
  • Joined: 10-April 04
  • Gender:Male
  • Location:Roanoke, Virginia

  Posted 02 May 2004 - 03:57 PM

SASSER REMOVAL TOOLS

While I hope no one needs this, here are several tools and techniques for removing the Sasser worm. All of these tools are excellent. I prefer the Microsoft Removal Tool instructions (listed first), which includes the MS04-011 security patch required to avoid reinfections.


Microsoft Removal Tool
http://support.microsoft.com/?kbid=841720


McAfee Stinger
http://vil.nai.com/vil/stinger/


Symantec Removal Tools
http://www.symantec.com/avcenter/venc/data...moval.tool.html


F-Secure Removal Tools
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.txt

Before using the tool please read the disinfection instructions from 'f-sasser.txt'.


Trend Micro Removal Tools
http://www.trendmicro.com/download/dcs.asp



Microsoft - Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the "avserve2.exe" process, then delete the file AVSERVE2.EXE from your Windows directory and reboot.

Steps from Microsoft's site (includes test button and tools):
http://www.microsoft.com/security/incident/sasser.asp

Manual Removal steps for Technical Users
http://www.microsoft.com/technet/Security/alerts/sasser.mspx


NETWORK LSASS SCANNING TOOLS

eEye offers a free network scanning tool. As a service to the network security community, eEye has announced the availability of a free tool to scan network computers and detect if any are vulnerable to the "Sasser.A" worm currently circulating worldwide. The tool allows administrators to quickly identify vulnerable workstations that do not contain the patch required to protect from the attack, and it provides information on where to locate the patch made available from Microsoft.

Download the FREE Retina Sasser Audit Tool here:
http://www.eeye.com/html/Research/Tools/Do...le=RetinaSasser


This free tool from Foundstone identifies workstations with unpatched MS04-011 LSASS vulnerabilities.

Foundstone DSSCAN tool
http://www.foundstone.com/resources/proddesc/dsscan.htm

This post has been edited by harrywaldron: 02 May 2004 - 03:58 PM


#2 JEservices

  • helping hand
  • Group: Members
  • Posts: 1,700
  • Joined: 14-April 04
  • Location:Texas

Posted 02 May 2004 - 04:01 PM

Thank you for the warning. It seems like it is spreading quickly, as I have seen them talking about it on the news.

Well done!
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#3 harrywaldron

  • Security Reporter
  • Group: Members
  • Posts: 509
  • Joined: 10-April 04
  • Gender:Male
  • Location:Roanoke, Virginia

Posted 05 May 2004 - 08:49 AM

Microsoft is hosting the Sasser cleanup tool on Windows Update.

Over 1.5 MILLION users cleaned by WU alone according to this article:

http://www.incidents.org/diary.php?date=2004-05-04

Quote

Some numbers about Sasser:

* According to Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.

* The Internet Storm Center numbers are close to Microsoft:

- 500k on May 1st
- 700k on May 2nd

This post has been edited by harrywaldron: 05 May 2004 - 08:49 AM


#4 Papakid

  • Guru at being a Newbie
  • Group: Malware Response Team
  • Posts: 6,019
  • Joined: 08-April 04
  • Gender:Male

Posted 06 May 2004 - 10:54 AM

Kaspersky Labs has just added a removal tool:

Quote

Kaspersky Labs, a leading information security software developer, now has a free utility to remove the network worm Sasser (http://www.viruslist.com/eng/alert.html?id=1437429). The utility can be downloaded from ftp://ftp.kaspersky.com/utils/clrav/.

And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon

#5 dudeman

  • Member
  • Group: Members
  • Posts: 38
  • Joined: 05-April 04
  • Location:TX

Posted 07 May 2004 - 03:38 PM

My project is US military wide and we didn't have a clue what was happening for about an hour. Every single military site we have a box at got hit all at the same time. It was weird. :flowers: Blaster wasn't even that bad. It got cleaned off a lot faster and easier than the Blaster worm and Welchia. We are all good now. :thumbsup:

This post has been edited by dudeman: 07 May 2004 - 03:38 PM


#6 Guest_Plimsol_*

  • Group: Guests

Posted 07 May 2004 - 04:23 PM

Yeah I found getting rid of sasser extremely easy and painless.

End the process, attrib -r, and delete.
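The manual steps in post #1 (patch with MS04-011, kill avserve2.exe, delete AVSERVE2.EXE from the Windows directory, reboot) and Plimsol's one-line summary above describe the same host-side check and cleanup. The script below is an added PowerShell example of that procedure; it is not code from the posts, from Microsoft or from any of the vendors listed. It assumes the dropped file sits directly in $env:WINDIR, as post #1 says, and it assumes the MS04-011 patch registers on the host as hotfix KB835732 (that id is an assumption to confirm against the bulletin). Without switches it only reports; with -Clean it stops the process and deletes the file.

```powershell
# Added example (not from the original posts or any vendor tool): report the
# Sasser indicators named in the thread on the local Windows host and,
# with -Clean, stop the process and remove the file.
# Assumption: the MS04-011 patch shows up in Get-HotFix as KB835732.
param(
    [switch]$Clean
)

$indicatorFile = Join-Path $env:WINDIR 'avserve2.exe'   # location per post #1
$hotfixId      = 'KB835732'                              # assumption: MS04-011's KB id
$findings      = @()

# 1. Is the worm process running? (Task Manager step in the post.)
$procs = @(Get-Process -Name 'avserve2' -ErrorAction SilentlyContinue)
if ($procs.Count -gt 0) {
    $pids = ($procs | ForEach-Object { $_.Id }) -join ', '
    $findings += "process avserve2.exe running (PID $pids)"
    if ($Clean) { $procs | Stop-Process -Force }
}

# 2. Is the dropped file present? Plimsol's 'attrib -r' step implies a
#    read-only attribute; Remove-Item -Force deletes read-only files too.
if (Test-Path -LiteralPath $indicatorFile) {
    $findings += "file present: $indicatorFile"
    if ($Clean) { Remove-Item -LiteralPath $indicatorFile -Force }
}

# 3. Is the host patched? Post #1 notes the patch is required to avoid reinfection.
if (-not (Get-HotFix -Id $hotfixId -ErrorAction SilentlyContinue)) {
    $findings += "hotfix $hotfixId (MS04-011) not installed; reinfection likely"
}

if ($findings.Count -eq 0) {
    Write-Output "No Sasser indicators found on $env:COMPUTERNAME."
} else {
    Write-Output "Findings on ${env:COMPUTERNAME}:"
    $findings | ForEach-Object { Write-Output "  - $_" }
    if ($Clean) { Write-Output "Cleanup attempted; reboot and re-run this check." }
}
```

Run it as an administrator, since stopping the process and deleting from the Windows directory need elevated rights. The patch check is the part worth keeping even after cleanup: a host that reports the file and process gone but the hotfix missing is still the unpatched LSASS target the later posts in this thread describe.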

#7 Grinler

  • Bleep Bleep!
  • Group: Admin
  • Posts: 36,602
  • Joined: 24-January 04
  • Gender:Male
  • Location:USA

Posted 07 May 2004 - 04:25 PM

Same here. Wasn't too bad.

What I have found though, are a lot of clients getting hacked to bits with the lsass exploit. Just yesterday I cleaned up a client that had been hacked...and the hacker was running an autohacker for the lsass exploit. His scan file showed 750 vulnerable systems.

Needless to say, my client got a good kick in the butt for not updating.
