Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Sasser - Removal & Detection Tools

  • Please log in to reply
6 replies to this topic

#1 harrywaldron


    Security Reporter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:12:56 PM

Posted 02 May 2004 - 03:57 PM


While I hope no one needs this, here are several tools and techniques for removing the Sasser worm. All of these tools are excellent. I prefer the Microsoft Removal Tool instructions (listed first), which includes the MS04-011 security patch required to avoid reinfections.

Microsoft Removal Tool

McAfee Stinger

Symantec Removal Tools

F-Secure Removal Tools

Before using the tool please read the disinfection instructions from 'f-sasser.txt'.

Trend Micro Removal Tools

Microsoft - Manual Disinfection

To manually disinfect an infected system, first apply the Microsoft patch MS04-011, then use Task Manager to kill the "avserve2.exe" process, then delete the file AVSERVE2.EXE from your Windows directory and reboot.

Steps from Microsoft's site (includes test button and tools):

Manual Removal steps for Technical Users


eEye offers free scanning network tool -- As a service to the network security community, eEye has announced the availability of a free tool to scan network computers and detect if any are vulnerable to the "Sasser.A" worm currently circulating worldwide. The tool allows administrators to quickly identify vulnerable workstations that do not contain the patch required to protect from the attack, and it provides information on where to locate the patch made available from Microsoft.

Download the FREE Retina Sasser Audit Tool here:

This free tool from Foundstone identifies workstations with unpatched MS04-011 LSASS vulnerabilities.

Foundstone DSSCAN tool

Edited by harrywaldron, 02 May 2004 - 03:58 PM.

BC AdBot (Login to Remove)



#2 JEservices


    helping hand

  • Members
  • 1,700 posts
  • Location:Texas
  • Local time:10:56 AM

Posted 02 May 2004 - 04:01 PM

Thank you for the warning. It seems like it is spreading quickly, as I have seen them talking about it on the news.

Well done!
We are all curious like a cat. We wonder, we ask, we learn.
Please post back when a suggestion works, so that others may learn.

#3 harrywaldron


    Security Reporter

  • Topic Starter

  • Members
  • 509 posts
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:12:56 PM

Posted 05 May 2004 - 08:49 AM

Microsoft is hosting the Sasser cleanup tool on Windows Update.

Over 1.5 MILLION users cleaned by WU alone according this article:


Some numbers about Sasser:

* According Microsoft, 1.5 million users downloaded the cleanup tool via Windows Update.

* The Internet Storm Center numbers are close to Microsoft:

- 500k on May 1st
- 700k on May 2nd

Edited by harrywaldron, 05 May 2004 - 08:49 AM.

#4 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,528 posts
  • Gender:Male
  • Local time:11:56 AM

Posted 06 May 2004 - 10:54 AM

Kaspersky Labs has just added a removal tool:

Kaspersky Labs, a leading information security software developer, now has a free utility to remove the network worm Sasser.
(http://www.viruslist.com/eng/alert.html?id=1437429) The utility can be
downloaded from ftp://ftp.kaspersky.com/utils/clrav/.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson

#5 dudeman


  • Members
  • 38 posts
  • Location:TX
  • Local time:11:56 AM

Posted 07 May 2004 - 03:38 PM

My project is US military wide and we didn't have a clue what was happening for about an hour. Every single military site we have a box at got hit all at the same time. it was weird. :flowers: blaster wasn't even that bad. it got cleaned off a lot faster and easier than the blaster worm and the welcia. We are all good now. :thumbsup:

Edited by dudeman, 07 May 2004 - 03:38 PM.

#6 Guest_Plimsol_*


  • Guests

Posted 07 May 2004 - 04:23 PM

Yeah I found getting rid of sasser extremely easy and painless.

End the process, attrib -r , and delete.

#7 Grinler


    Lawrence Abrams

  • Admin
  • 43,432 posts
  • Gender:Male
  • Location:USA

Posted 07 May 2004 - 04:25 PM

Same here. Wasnt too bad.

What I have found though, are a lot of clients getting hacked to bits with the lsass exploit. Just yesterday I cleaned up a client that had been hacked...and the hacker was running an autohacker for the lsass exploit. His scan file showed 750 vulnerable systems.

Needless to say, my client got a good kick in the butt for not updating.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users