HOW TO REMOVE THE SASSER WORM & PREVENT
RE-INFECTION OF YOUR WINDOWS XP OR 2000 COMPUTER
OVERVIEW
The following outlines the major steps of the procedure. It is important
that you follow all steps. Detailed instructions are in the next section.
- Prepare to execute removal & prevention steps.
- Patch the Windows vulnerability on your computer.
- Remove the Sasser worm from your computer.
- Restart and immediately update Windows and anti-virus programs.
- Take important steps to help prevent future infection.
Disclaimer: These instructions and tools, culled from authoritative
sources on the Internet, were prepared for ITS in-house use and
are provided here, on an as-is basis, for the convenience of the
NYU community. As such, ITS cannot guarantee that these tools are
the most current and is not responsible for any damage that might
result from their use. (5/3/04, 4:00 PM)
DETAILED PROCEDURE
1. Prepare to Execute Removal & Prevention Steps.
- Disconnect your computer from the network by unplugging the network cable from your computer.
- Enable firewall.
- Windows XP: Go to Start -> Control Panel (or Start -> Settings -> Control Panel).
Click Network Connections -> Local Area Connection.
- On the General tab, click Properties, and
disable File and Printer Sharing for Microsoft Networks
(click to clear the checkbox to the left of it).
- On the Advanced tab, click to enable the Internet
Connection Firewall. In addition, on Windows XP
Home Edition, disable Internet Connection Sharing.
- Click OK.
- Windows 2000 does not come with a built-in firewall. If you
have a third-party firewall, make sure it is enabled and configured
to block all ports.
- Windows XP users only: Disable System Restore.
- Right-click on My Computer, select Properties.
- On the System Restore tab, click "Turn off System
Restore".
- Click OK.
- Restart your computer in Safe Mode with Networking.
- To do this, restart your computer, and while it is restarting, press F8 repeatedly
before the Windows startup screen appears, until a menu is displayed with the option
"Safe Mode with Networking".
- Select "Safe Mode with Networking" then
press Enter twice.
- Reconnect your computer to the network by plugging the network
cable into your computer.
2. Patch the Windows Vulnerability on Your Computer.
Download and run patch MS04-011 from the Microsoft web site:
- Open Internet Explorer or Netscape.
- Open the web address http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
- In the Affected Software section, find
your computer's operating system, Windows XP (select appropriate
version) or Windows 2000, and click Download the update.
- Right-click "My Computer" if you do not know which version
of Windows XP your computer is running.
- Click the Download button and then click
Open to download and install the KB835732
update file for your operating system.
Alternatively, you can go to www.google.com and search for "KB835732 XP"
or "KB835732 2000" (depending on your operating system), and
click on the top link to download this patch from Microsoft's
web site.
3. Remove Sasser from Your Computer.
- Download and run the SASSER removal tool from the F-Secure web
site:
- Open Internet Explorer or Netscape.
- Open the web address http://www.f-secure.com/v-descs/sasser.shtml
- In the Disinfection section, click ftp://ftp.f-secure.com/anti-virus/tools/f-sasser.exe
to download f-sasser.exe.
- Run f-sasser.exe on your computer (double-click
the f-sasser.exe icon).
- Download and run the Stinger tool from the Network Associates
web site.
- Open Internet Explorer or Netscape.
- Open the web address http://vil.nai.com/vil/stinger/
- Click on Download Stinger.exe to download
the Stinger tool and save it on your computer.
- Run stinger.exe on your computer (double-click
the stinger.exe icon).
4. Restart and Immediately Update Windows and AntiVirus Programs.
- Restart your computer in Normal Mode.
- Windows XP users: Enable System Restore.
- Right-click My Computer, select Properties.
- On the System Restore tab, click Turn off System
Restore to clear the checkbox to the left of it.
- Click OK.
- Run Windows Update.
- Open Internet Explorer. From the Tools menu, select Windows
Update.
- Click Scan for Updates.
- Download and install all Critical Updates.
- Update your anti-virus protection. For example, open Symantec
(or Norton) AntiVirus and run LiveUpdate to download the latest
anti-virus updates.
5. Take Important Steps to Help Prevent Future Infection.
- Schedule Windows Updates to run automatically (and at least
daily).
- Windows XP: Enable Automatic Updates.
- Right-click My Computer, select Properties.
- On the Automatic Updates tab:
- Click Keep My Computer up to date.
- Under Settings, select the setting
that best suits your preference. We recommend "Download
the updates automatically and notify me when they
are ready to be installed".
- Click OK.
- Windows 2000: Schedule Windows Update to run automatically.
- Open the Task Scheduler. Click Start -> Programs -> Accessories ->
System Tools -> Scheduled Tasks.
- Read the informative message, then click Next.
- From the list of programs, select Windows Update,
then click Next.
- Select the frequency of this task: we recommend that
you select "Daily". Click Next.
- Select the time of the day to run Windows Update, and
the date to start. Click Next. Please
note that your computer must be on and connected to the
Internet at the time that this task is set to run. If
not, you can always run Windows Update manually (see manual Windows update instructions above).
- Enter an Administrator username and password. In order
to save this scheduled task, you must have administrator
privileges on this computer.
- Click Finish.
- In Symantec AntiVirus, schedule daily checks for anti-virus
updates.
- Open Symantec AntiVirus: click Start -> Programs and then select
Symantec (or Norton) AntiVirus.
- In the File menu, click Schedule Updates.
- Under Automatic Updates, select Enable scheduled
automatic updates (click to check the box to the
left of it).
- Click the Schedule button. Select Daily,
at an hour of your preference.
- Please note that your computer must be on and connected
to the Internet at the time that this task is set to run.
If not, you can always run LiveUpdate manually (see manual LiveUpdate instructions above).
Please note: these instructions are provided here for the convenience of the NYU community.
New York University is not responsible for any damage that might result from following these instructions.
Page last reviewed: May 3, 2004