
Introduction to the Sasser virus

Appearing in May 2004, the Sasser virus (also known as W32/Sasser.worm, W32.Sasser.Worm, Worm.Win32.Sasser.a, Worm.Win32.Sasser.b or Win32.Sasser) is a virus which exploits a security hole in the Windows LSASS service (Local Security Authority Subsystem Service, whose executable file is lsass.exe). The first virus to exploit this hole appeared barely two weeks after the hole was publicised and the first patches for it were released. Windows NT 4.0, 2000, XP and (to a lesser degree) Windows Server 2003 are all affected.

What the virus does

The Sasser virus is programmed to launch 128 processes (1024 for the SasserC variant) which scan a range of random IP addresses looking for systems vulnerable to the LSASS hole on port 445/TCP.

The virus installs an FTP server on port 5554 so that a copy of the worm can be downloaded by other infected computers.

Then, when a vulnerable machine is found, the worm opens a remote shell on that machine (on TCP port 9996) and makes it download a copy of the worm (named avserve.exe, or avserve2.exe for the Sasser.B variant) into the Windows directory.

Once the file has been downloaded, it creates a file named win.log (or win2.log for the Sasser.B variant) in the c:\ directory in order to record how many machines it was able to infect. Then it creates entries in the registry so that it will restart every time the computer is rebooted:

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
    or
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve.exe = C:\%WINDIR%\avserve.exe

The virus runs "AbortSystemShutdown" to prevent the user or other viruses from rebooting (and from deactivating it).
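The two persistence entries above are the easiest host-side indicator to check for. The following is an added example, not code from the original article: it parses the text produced by exporting the Run keys with `reg export` (the `.reg` format, in which backslashes inside string data are doubled) and reports any value under a `Run` or `RunOnce` key that points at one of the file names the article names. The sample export is constructed for the example, not captured from an infected machine.

```python
import re

# Indicators taken from the article: the worm copies itself into the Windows
# directory under one of these names and registers it under the Run key.
SASSER_BINARIES = {"avserve.exe", "avserve2.exe"}

# Constructed sample of what `reg export` of the Run/RunOnce keys looks like
# (string data has doubled backslashes in .reg files). Not a real machine.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"avserve.exe"="C:\\WINDOWS\\avserve.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"avserve2"="C:\\WINDOWS\\avserve2.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# First token of the data, with optional surrounding quotes, up to ".exe"
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)"?', re.IGNORECASE)


def parse_reg_export(text):
    """Yield (key, value_name, data) for every REG_SZ value in a .reg export.
    Only the "name"="data" form is handled; other value types are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            # Undo the .reg escaping of quotes and backslashes in string data
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group("name"), data


def executable_basename(data):
    """Return the lower-cased file name of the program a Run value starts."""
    m = EXE_RE.match(data.strip())
    if not m:
        return ""
    return m.group("path").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_sasser_persistence(text):
    """Return [(key, value_name, data)] for Run/RunOnce values that launch
    one of the worm's known file names."""
    hits = []
    for key, name, data in parse_reg_export(text):
        if not key.upper().endswith(("\\RUN", "\\RUNONCE")):
            continue
        if executable_basename(data) in SASSER_BINARIES:
            hits.append((key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_sasser_persistence(SAMPLE_REG_EXPORT):
        print(f"suspicious autorun: {key}\\{name} -> {data}")
```

On a live system the input would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for RunOnce and the HKCU hives); matching on the target file name rather than the value name matters because the article shows the worm registering under two different value names.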

Symptoms of infection

Exploiting the LSASS vulnerability crashes the LSASS service (process lsass.exe), which causes malfunctions on affected computers. Vulnerable systems show the following symptoms:

  • Unwanted restarts, with the system displaying the message:
    System shutdown initiated by Authority/System
    The system process: C:\WINDOWS\system32\lsass.exe
    terminated unexpectedly with status code 128.
  • Network traffic on TCP ports 445, 5554 and 9996.
  • Sudden shutdown of 'LSASS.EXE' with an error message saying:
    lsass.exe - application error

Eradicating the virus

To eradicate the Sasser worm, the best method involves first protecting the system by activating the firewall. In Windows XP, go to

Start menu > Settings > Control panel > Network connections

Then right-click on the Internet connection and click Properties. Select the "Advanced settings" tab, check the box "Protect my computer and the network by limiting or preventing access to this computer from the Internet", and apply it by clicking OK.

You should then update the system, either by using Windows Update or by downloading and installing whichever patch is right for your operating system.

Finally, you can clean up the system by using the virus removal kit:
Download the virus removal kit

What's more, since the virus spreads using Microsoft Windows networking, it is strongly recommended to install a personal firewall on your machines which are connected to the Internet, and also to filter ports TCP/445, TCP/5554 and TCP/9996.
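The symptom list and the filtering advice above both come down to the same three ports. The following is an added example, not code from the original article: it runs over connection log lines and reports (a) any host that contacts an unusually large number of distinct addresses on 445/TCP, which is the signature of the random-address scanning described earlier, and (b) every connection on 5554 or 9996, which ordinary Windows networking does not use. The log lines, their `<time> <src> <dst> <dport> <proto>` format and the scan threshold are all constructed assumptions for the example, not a real capture.

```python
from collections import defaultdict

# Ports named in the article and what the worm uses them for
SASSER_PORTS = {5554: "worm FTP server", 9996: "remote shell"}
LSASS_PORT = 445
# Distinct 445/TCP destinations from one source before we call it scanning.
# Assumed value for the example; tune it to the size of your file-server estate.
SCAN_THRESHOLD = 20


def build_sample_log():
    """Constructed log lines (not captured traffic): one ordinary client
    talking to a file server, one host sweeping 30 addresses on 445/TCP,
    then a remote shell opened on a victim (9996) and the victim fetching
    the worm back from the scanning host's FTP server (5554)."""
    lines = [
        "2004-05-01T10:00:00Z 10.0.0.21 10.0.0.5 445 TCP",
        "2004-05-01T10:00:01Z 10.0.0.21 10.0.0.5 445 TCP",
    ]
    for i in range(30):
        lines.append(f"2004-05-01T10:01:{i:02d}Z 10.0.0.7 192.168.{i % 7}.{10 + i} 445 TCP")
    lines.append("2004-05-01T10:02:00Z 10.0.0.7 192.168.3.13 9996 TCP")
    lines.append("2004-05-01T10:02:01Z 192.168.3.13 10.0.0.7 5554 TCP")
    lines.append("2004-05-01T10:02:02Z 10.0.0.21 10.0.0.5 53 UDP")
    return lines


def parse_line(line):
    ts, src, dst, dport, proto = line.split()
    return ts, src, dst, int(dport), proto


def analyse(lines, scan_threshold=SCAN_THRESHOLD):
    """Return (scanners, findings): scanners maps a source address to the
    number of distinct 445/TCP destinations it touched once that exceeds
    the threshold; findings lists every TCP connection on a worm port."""
    dsts_on_445 = defaultdict(set)
    findings = []
    for line in lines:
        ts, src, dst, dport, proto = parse_line(line)
        if proto != "TCP":
            continue
        if dport == LSASS_PORT:
            dsts_on_445[src].add(dst)
        elif dport in SASSER_PORTS:
            findings.append((ts, src, dst, dport, SASSER_PORTS[dport]))
    scanners = {src: len(d) for src, d in dsts_on_445.items() if len(d) >= scan_threshold}
    return scanners, findings


if __name__ == "__main__":
    scanners, findings = analyse(build_sample_log())
    for src, n in scanners.items():
        print(f"{src} contacted {n} distinct hosts on 445/TCP (LSASS scanning)")
    for ts, src, dst, dport, why in findings:
        print(f"{ts} {src} -> {dst}:{dport} ({why})")
```

The fan-out count is what separates a worm from a busy file-server client: the client in the sample talks to one server repeatedly, while the infected host touches thirty different addresses. Blocking 445, 5554 and 9996 at the perimeter as the article recommends stops the spread; this check tells you which internal host still needs cleaning.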

Last update on Thursday October 16, 2008 02:43:16 PM. This document entitled « The Sasser worm » from Kioskea (en.kioskea.net) is made available under the Creative Commons license. You can copy and modify copies of this page under the conditions stipulated by the licence, as long as this note appears clearly.