
W32.Sasser.Worm and Variants Prevention and Removal
W32.Sasser Background and Prevention
Steps to Remove W32.Sasser and Variants
W32.Sasser Background and Prevention
These viruses take advantage of a flaw in the LSASS.EXE file within Windows® XP and 2000. Microsoft® released a patch for this file on 4/13/04 to remove the flaw. If you downloaded and installed this patch from Microsoft you should have been safe from attack from these viruses.
Some of the symptoms of the W32.Sasser.Worm and variants include:
- Difficulties when shutting down or restarting your computer.
- Your computer runs very slowly.
- Your computer may crash and display the following message:
- After restarting the computer the following message is displayed:
Additional information about the flaw in the LSASS.EXE file may be found in Microsoft Security Bulletin MS04-011. Additional information about the W32.Sasser worm can be found on Symantec's Web site.
To protect your computer, Gateway recommends that all customers check for updates to Windows on a weekly basis. Go to http://windowsupdate.microsoft.com and scan for updates. Gateway also recommends that you check for updates to your anti-virus software.
Steps to Remove W32.Sasser and Variants
To remove the W32.Sasser.Worm and variants, perform each of these four steps as outlined.
Note: If you have performed the steps outlined on our phone message, please start with Step #3.
Step #1: Enabling the Internet Connection Firewall
- Restart your computer.
- With the Microsoft Windows operating system started, from the Start menu, click Run.
- In the Run dialog box, type: ncpa.cpl, and then click OK.
- In the Network Connections window there will be multiple items available. Enable the Windows Internet Connection Firewall on all of these items.
Note: The icons on your screen may differ from those in this graphic.
- Place your mouse cursor over the first icon, right-click on the icon, and from the list, click Properties.
- In the Properties dialog box, click the Advanced tab.
- On the Advanced tab, place a check mark in the box Protect my computer and network by limiting or preventing access to this computer from the internet, and then click OK.
- Repeat Steps 5 through 8 on all the icons in the Network Connections window.
- When all of the steps have been completed for all icons within the Network Connections window, a small lock symbol is visible next to each of the icons.
- Close the Network Connections window.
Step #2: Disabling the Virus from Loading
- From the Start menu, click Run.
- In the Run dialog box, type: Msconfig and then click OK.
- In the System Configuration Utility dialog box, click the Startup tab.
- On the Startup tab, in the Startup Item column, scroll down through the entire list and look for AVSERVE, AVSERVE2, SKYNETAVE, LSASSS, or NAPATCH.
- If AVSERVE, AVSERVE2, SKYNETAVE, LSASSS, or NAPATCH are located, click to clear the check mark from the boxes.
Note: If you cannot locate AVSERVE, AVSERVE2, SKYNETAVE, LSASSS, or NAPATCH on the Startup tab, it is likely that you do not have the W32.Sasser.Worm.
- Click OK to make the changes.
- In the System Configuration dialog box, click Restart.
- When the computer restarts, a dialog box opens notifying you that settings have changed. This is due to the virus being disabled. Place a check mark in the box Don't show this message or launch the System Configuration Utility when Windows starts, and then click OK.
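The Step #2 check can also be run against saved output of the reg query command. The following is an added example, not part of Gateway's instructions: it assumes the startup entries sit in the Run registry key (one of the locations the Startup tab lists) and uses constructed sample output. Names are compared exactly, so LSASS (two S's) is not mistaken for LSASSS.

```python
import ntpath
import re

# Startup Item names listed in Step #2 of this page.
SASSER_STARTUP_NAMES = {"AVSERVE", "AVSERVE2", "SKYNETAVE", "LSASSS", "NAPATCH"}

# One value line of `reg query` output: name, type, data (tabs or spaces).
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")


def startup_item(text):
    """Reduce a value name or command line to a bare, upper-case item name."""
    text = text.strip()
    if text.startswith('"'):
        text = text[1:].split('"', 1)[0]  # quoted path, arguments dropped
    else:
        text = text.split(None, 1)[0] if text else ""  # first token only
    return ntpath.splitext(ntpath.basename(text))[0].upper()


def find_sasser_entries(reg_query_output):
    """Return (value name, command, matched item) for each listed name found."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        for candidate in (m["name"], m["data"]):
            item = startup_item(candidate)
            if item in SASSER_STARTUP_NAMES:
                hits.append((m["name"], m["data"].strip(), item))
                break
    return hits


# Constructed sample output (not taken from a real machine).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SynTPEnh    REG_SZ    "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" /startup
    avserve2.exe    REG_SZ    C:\WINDOWS\avserve2.exe
    Updater    REG_SZ    C:\WINDOWS\system32\napatch.exe -s
    lsass    REG_SZ    C:\WINDOWS\lsass.exe
"""

if __name__ == "__main__":
    for name, command, item in find_sasser_entries(SAMPLE):
        print(f"{item}: value '{name}' runs {command}")
```

A match on name alone is only a reason to continue with Steps #3 and #4; an unquoted path containing spaces is cut at the first space, so review such entries by hand.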
Step #3: Downloading the Microsoft MS04-011 Update
- Connect to the Internet and go to: http://download.microsoft.com/download/6/1/5/615a50e9-a508-4d67-b53c-3a43455761bf/WindowsXP-KB835732-x86-ENU.EXE
- In the File Download dialog box, click Open to download the patch from Microsoft. The file is 148 KB in size. Depending on your Internet connection this can take a few minutes.
- In the Welcome dialog box of the Windows XP KB835732 Setup Wizard, to start the installation, click Next.
- In the License Agreement dialog box of the Windows XP KB835732 Setup Wizard, read the license agreement, click to select I Agree, and then click Next.
- In the final dialog box of the Windows XP KB835732 Setup Wizard, click Finish.
- You have successfully installed the patch to prevent future infection from this virus. Restart the computer.
Step #4: Downloading the Symantec Sasser Removal Tool
- To clean up any leftover pieces of the virus on your computer, download a removal tool provided by Symantec at: http://securityresponse.symantec.com/avcenter/FxSasser.exe
- In the File Download dialog box, click Open.
- In the Symantec W32.Sasser.Worm Fix Tool 1.0.1 dialog box, click Start.
- The program scans your computer for the virus and if found, removes it.
Note: The scan can take a while because it checks your entire hard drive for the virus. Please be patient.
- When the scan is complete, the tool notifies you if the virus was located and deleted, or was not found on the computer.
- If found, the virus is removed. The computer should now be clear of the W32.Sasser worm variants and also be safe from attack from future worms exploiting the flaw in the LSASS.EXE file.
- To protect your computer, Gateway recommends that all customers check for updates to Windows on a weekly basis. Go to http://windowsupdate.microsoft.com and scan for updates. Gateway also recommends that you check for updates to your anti-virus software.