A tool is available to remove the Sasser worm variants (841720)


The information in this article applies to:

  • Microsoft Windows XP Home Edition SP1
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4

Notice

This tool is no longer available. It has been replaced by the Microsoft Windows Malicious Software Removal Tool. For additional information about the Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:

890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000

SUMMARY

Microsoft has released a tool to help you remove the Sasser worm variants from your computer. If you are running Microsoft Windows 2000 Service Pack 2 (SP2) or later or a 32-bit version of Microsoft Windows XP, the Windows Update Web site and Automatic Updates will offer you version 2.0 of the Microsoft Sasser Worm Removal Tool to remove Sasser.A, Sasser.B, Sasser.C, and Sasser.D infections.

Version 4.0 of the Sasser Worm Removal Tool includes support for removing the Sasser.A, Sasser.B, Sasser.C, Sasser.D, and Sasser.E variants of the worm and adds support for removing the Sasser.F variant of the worm. Version 4.0 is available from the Microsoft Download Center.

Technical updates
  • February 8, 2005: Microsoft replaced this tool with the Microsoft Windows Malicious Software Removal Tool. For additional information about the Malicious Software Removal Tool, click the following article number to view the article in the Microsoft Knowledge Base:

    890830 The Microsoft Windows Malicious Software Removal Tool helps remove specific, prevalent malicious software from computers that are running Windows Server 2003, Windows XP, or Windows 2000

  • May 11, 2004: Microsoft released version 4.0 of the Sasser Worm Removal Tool to the Microsoft Download Center. Version 4.0 adds support for detecting and for removing the Sasser.F variant of the worm.
  • May 09, 2004: Microsoft released version 3.0 of the Sasser Worm Removal Tool to the Microsoft Download Center. Version 3.0 adds support for detecting and for removing the Sasser.E variant of the worm.
  • May 04, 2004: Microsoft released version 2.0 of the Sasser Worm Removal Tool to the Microsoft Download Center and to the Windows Update Web site. Version 2.0 adds support for detecting and for removing the Sasser.C variant of the worm and the Sasser.D variant of the worm.
  • May 01, 2004: Microsoft released version 1.0 of the Sasser Worm Removal Tool to the Microsoft Download Center. Version 1.0 detects and removes the Sasser.A worm and the Sasser.B worm.

SYMPTOMS

After you install the 835732 (MS04-011) security update on a computer that is already infected with the Sasser worm, the computer may continue to generate network traffic on the affected Transmission Control Protocol (TCP) ports to try to spread the worm infection to other vulnerable computers. If your computer is infected with the Sasser worm, you may experience one or more of the following symptoms:
  • Your computer performance is decreased or your network connection is slow.
  • You may see a dialog box that contains text that refers to LSA Shell.
  • Your computer may restart every few minutes without user input.
It is also possible that you will not notice any symptoms of infection. For example, the second and third symptoms may not occur on infected computers that have the 835732 security update installed, although the computer is still infected and is still spreading the worm to other computers.

For more information about the 835732 security update, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Note Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory processes. LSASS handles authentication for the client and for the server. It also contains features that are used to support Active Directory utilities.

CAUSE

This behavior occurs because your computer is infected with the Sasser worm. Together with using a firewall and installing the 835732 security update, you must also remove the Sasser worm from any infected computers. A firewall and the 835732 security update prevent the Sasser worm from infecting your computer. However, you must also take steps to remove any infection that existed before you implemented these preventive measures.

For more information about how to determine whether your computer is infected with the Sasser worm, visit the following Microsoft Web sites:

RESOLUTION

Microsoft has released a tool to remove the Sasser worm variants from computers that are running one or more of the products that are listed in the "Applies to" section.

Important Microsoft also recommends that you use an Internet firewall and a current antivirus program, and that you keep both Windows and your programs up-to-date.

For additional information about how to prevent viruses, and about how to recover from virus infections, click the following article number to view the article in the Microsoft Knowledge Base:

129972 Computer viruses: description, prevention, and recovery

Download and setup information

If your computer is infected with any one of the A-D variants of the Sasser worm, use Automatic Updates to download and install the Sasser Worm Removal Tool, or visit the following Windows Update Web site and install the KB841720 critical update.

http://windowsupdate.microsoft.com/

Release Date: May 4, 2004

For additional information about Automatic Updates, click the following article number to view the article in the Microsoft Knowledge Base:

294871 Description of the Automatic Updates feature in Windows

To deploy this update, IT administrators can use Microsoft Software Update Services (SUS). For more information about SUS, visit the following Microsoft Web site:

http://www.microsoft.com/windowsserversystem/sus/susoverview.mspx

Notes
  • The Sasser Worm Removal Tool does not work on computers that are running Microsoft Windows NT 4.0, Windows 95, Windows 98, Windows 98 Second Edition, Windows Millennium Edition, or any 64-bit versions of Windows.
  • The Sasser Worm Removal Tool is only available for English (US) versions of Windows. However, you can run the English (US) tool on any language version of Windows.
  • Many antivirus companies have also written tools to remove the Sasser worm. Most up-to-date antivirus programs will also remove this worm.

Release information

Sasser Worm Removal Tool

Tool versionSasscln.exe versionWorms removedOperating systems supportedInstaller file nameDistribution locations (date)
1.01.0.150.0Sasser.A, Sasser.BWindows XP, Windows 2000Windows-KB841720-ENU.exeMicrosoft Download Center (May 1, 2004)
2.01.0.152.0Sasser.A, Sasser.B, Sasser.C, Sasser.DWindows XP, Windows 2000Windows-KB841720-ENU-V2.exeMicrosoft Download Center (May 4, 2004), Windows Update
3.01.0.156.0Sasser.A, Sasser.B, Sasser.C, Sasser.D, Sasser.EWindows XP, Windows 2000Windows-KB841720-ENU-V3.exeMicrosoft Download Center (May 9, 2004)
4.01.0.159.0Sasser.A, Sasser.B, Sasser.C, Sasser.D, Sasser.E, Sasser.FWindows XP, Windows 2000Windows-KB841720-ENU-V4.exeMicrosoft Download Center (May 11, 2004)

Sasser worm variants

Worm (date discovered)Versions of the tool that remove this worm
Sasser.A (April 30, 2004)1.0, 2.0, 3.0, 4.0
Sasser.B (May 1, 2004)1.0, 2.0, 3.0, 4.0
Sasser.C (May 1, 2004)2.0, 3.0, 4.0
Sasser.D (May 2, 2004)2.0, 3.0, 4.0
Sasser.E (May 8, 2004)3.0, 4.0
Sasser.F (May 11, 2004)4.0

Prerequisites

The Sasser Worm Removal Tool has the following prerequisites:
  • Your computer must be running Microsoft Windows 2000 SP2 or later or a 32-bit version of Windows XP.
  • You must log on as a computer administrator or as a member of the Administrators group.
For additional information about how to determine whether a computer is running a 32-bit version of Windows XP or a 64-bit version of Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:

827218 How to determine whether your computer is running a 32-bit version or 64-bit version of Windows XP

If these prerequisites are not met, the installation will not work, and you will receive an error message. For more information about the error message, view the following log file:

%Windir%\debug\sasscln.log

Additionally, it is a good idea to install the 835732 (MS04-011) security update before you run the Sasser Worm Removal Tool. Although version 4.0 of the removal tool will remove the worm from infected computers, it will not prevent re-infection if your computer is still vulnerable. By installing the 835732 security update before you run the removal tool, you can help prevent re-infection by the worm.

Restart requirement

You do not have to restart your computer after you install this tool.

Usage information

Note Before you follow these steps, make sure that you have backed up all your important data.

When you install the Sasser Worm Removal Tool version 4.0 and accept the end-user license agreement (EULA), the installation package extracts the Sasscln.exe file to a temporary directory, and then the removal tool runs. The removal tool checks your computer for the prerequisites that are listed in the "Prerequisites" section. If the prerequisites are met, the removal tool does the following:
  1. Searches in memory for evidence of the Sasser.A worm (Avserve.exe), the Sasser.B worm and the Sasser.C worm (Avserve2.exe), the Sasser.D worm (Skynetave.exe), the Sasser.E worm (Lsasss.exe), the Sasser.F worm (Napatch.exe). If the removal tool finds an infection, the worm process is ended.
  2. Searches for known Sasser A through F executable files on the hard disk and for Sasser-related entries in the Run keys in the registry. If the removal tool finds worm executable files on the hard disk, the removal tool deletes the files and removes the registry entries. Other tools may delete the worm files on the hard disk without deleting the registry values.

    If a Sasser registry value no longer points to a file on the hard disk, the removal tool does not remove the "orphaned" registry value because the registry value will not cause any damage if the associated file does not exist on the hard disk.
  3. Displays a Windows message box that describes the outcome of the detection and removal process. The following list contains the messages that you may receive and what these messages mean to you:
    • "No infection detected" - The Sasser worm was not detected on this computer.
    • "Successfully removed Worm_Name" - Worm_Name was removed. No additional action is required.

      Note Worm_Name is a placeholder for one of the Sasser variants (A, B, C, D, E, or F).
    • "This tool must be run by an administrator"
    • "Fatal error, please review log file"
    • "Worm_Name was detected, but could not be removed" - Try to run the tool again and check the log file for errors.
    • "This tool requires Windows 2000 or Windows XP" - This tool is not supported on versions of Windows other than Windows 2000 and Windows XP.
    • "Incorrect Windows version (Win32s)" - This tool is not supported on Windows 3.1 with Win32s.
    Additionally, you will receive the following message if the tool determines that the 835732 (MS04-011) security update is not installed on your computer:
    • "To prevent infection, please visit Windows Update (www.windowsupdate.com) and install KB835732" - You must install this update to prevent re-infection by the Sasser worm.
    When you close the message box, the removal tool quits, and the Sasscln.exe file is deleted from the temporary folder. You can now delete the Windows-KB841720-ENU-V4.exe file manually.
  4. The removal tool creates a log file that is named Sasscln.log in the %Windir%\Debug folder. You can view this log file to determine if Sasser infections were detected and were removed.

Command-line switches

The removal tool installer supports the following command-line switches:
  • /Q - Use quiet mode or suppress messages when the files are being extracted.
  • /Q:U - Use user-quiet mode. User-quiet mode presents some dialog boxes to the user.
  • /Q:A - Use administrator-quiet mode. Administrator-quiet mode does not present any dialog boxes to the user.
  • /T: path - Specify the location of the temporary folder that is used by the Setup process or specify the target folder for extracting files (when used together with the /C switch).
  • /C - Extract the files without installing them. If /T: path is not specified, you are prompted to specify a target folder.
  • /C: cmd - Specify the path and the name of an alternate Setup .inf file or an .exe file to use to install the tool.
  • /R:N - Never restart the computer after installation.
  • /R:I - Prompt the user to restart the computer if a restart is required, except when this switch is used with the /Q:A switch.
  • /R:A - Always restart the computer after installation.
  • /R:S - Restart the computer after installation without prompting the user
For additional information about the supported installation switches, click the following article number to view the article in the Microsoft Knowledge Base:

197147 Command-line switches for IExpress software update packages

The removal tool supports the following command-line switch:
  • /S - Enables silent mode for the tool. This switch suppresses the infection status dialog box that you receive after the tool has run.

Removal information

The Sasscln.exe file is automatically deleted from its temporary location after the removal tool runs. You can delete the tool's installer package after you install the removal tool.

Note After you install the Sasser Worm Removal Tool (KB841720), it does not appear in the Installed programs list in the Add/Remove Programs tool in Control Panel.

MORE INFORMATION

Frequently asked questions

  • Q1: Does this tool provide my computer with protection against a Sasser worm infection?

    A1: No. This tool removes the Sasser worm from an infected computer. To help prevent infection, you must install the 835732 security update.
  • Q2: What variants of the Sasser worm does this tool remove?

    A2: This tool removes Sasser.A, Sasser.B, Sasser.C, Sasser.D, Sasser.E, and Sasser.F.
  • Q3: How does this tool work?

    A3: This tool is provided in an IExpress installation package (Windows-KB841720-ENU-V4.exe). When you run the installer, the package extracts the Sasscln.exe file to a temporary directory and then runs the removal tool. Sasscln.exe 3.0 removes any copies of the Sasser A, Sasser.B, Sasser.C, Sasser.D, Sasser.E, and Sasser.F worms on your computer, if they exist. After the removal tool has performed these actions, you receive a status dialog box, and then the removal tool quits. The Sasscln.exe file is automatically deleted from the temporary folder, and you can manually delete the installer package. For more information about the IExpress installation package, visit the following Microsoft Web site:

    http://www.microsoft.com/windows/ieak/techinfo/deploy/60/en/iexpress.htm

  • Q4: May I redistribute the Sasser Worm Removal Tool?

    A4: No. All customers must download the Sasser Worm Removal Tool (Windows-KB841720-ENU-V4.exe) from the Microsoft Web site.
  • Q5: May I redistribute the Sasscln.exe file?

    A5: No. Redistribution of the Sasscln.exe file is not supported.
  • Q6: Is this tool digitally signed by Microsoft?

    A6: Yes. Both the installer package and the Sasscln.exe file are digitally signed by Microsoft.
  • Q7: How do I run this tool?

    A7: See the "Download and setup information" section.
  • Q8: How do I know if this tool has removed the Sasser worm?

    A8: You will see a results dialog box after the removal tool runs. Additionally, you can review the Sasscln.log log file for the following entries:
    • "No Worm_Name infection found" indicates that no infection was found.
    • "Worm_Name found and removed" indicates that the Worm_Name worm was found and was removed.
    • "Worm_Name found and will be removed at next reboot" indicates that the Worm_Name worm was found and that it will be removed when you restart your computer.
  • Q9: Is there a Microsoft Windows Installer (.msi) package for this tool?

    A9: No. This tool uses an IExpress package for execution.
  • Q10: Can this tool be removed (uninstalled)?

    A10: Yes. See the "Removal information" section.
  • Q11: Will Microsoft make this tool available in other languages?

    A11: Currently, this release is only available in English (US).
  • Q12: I am running a 64-bit version of Windows XP. Can I install this tool?

    A12: No. Currently, this tool supports only 32-bit operating systems.
  • Q13: I ran a Sasser removal tool from my antivirus vendor or I have an up-to-date antivirus program. Do I have to install this one, too?

    A13: Generally, no. Removal tools that are provided by antivirus vendors should remove any Sasser infections. However, installing the Sasser Worm Removal Tool on an uninfected computer should have no negative effects.
  • Q14: Does this tool gather information from my computer and then send it to Microsoft?

    A14: No information is sent back to Microsoft when you install or run this tool.
  • Q15: If this tool does not remove the Sasser worm from my computer, what should I do?

    A15: Run an up-to-date antivirus program on your computer.
  • Q16: Does this tool create a log file to let me know if an infection was found or removed? If so, what is the name of the log file? Where is the log file located?

    A16: See the "Usage information" section.
  • Q17: How do I know when this tool is finished running on my computer?

    A17: After you click OK to confirm the results of running the tool, the tool has finished running on your computer. To verify the results, view the Sasscln.log log file. For more information, see the "Usage information" section.
  • Q18: Can I run this tool on a remote computer on my network?

    A18: No.
  • Q19: What command-line switches can I use with the installer package?

    A19: See the "Command-line switches" section.
  • Q20: Is this tool a replacement for an antivirus product?
  • A20: No. Microsoft recommends that you install and use an up-to-date antivirus program.
  • Q21: Will my antivirus program interfere with this tool?

    A21: If your antivirus program is running on an infected computer when the removal tool runs, the antivirus program may detect the Sasser worm and may prevent the removal tool from removing the Sasser worm. In this case, you can use your antivirus program to remove the Sasser infection.

    Note The Sasscln.exe file does not contain a virus or a worm. Therefore, the removal tool alone should not trigger your antivirus program. However, if the Sasser worm infected your computer before an up-to-date antivirus program was installed, and scheduled virus scanning or background virus scanning is disabled, your antivirus program might not detect the worm until the Sasser Worm Removal Tool tries to remove the worm.

    In any situation other than this situation, the Sasser Worm Removal Tool should not conflict with or interfere with your antivirus program. You do not have to disable or remove your antivirus program when you install this tool.
  • Q22: How does this tool work with the System Restore feature in Windows XP?

    A22: This tool does not create a system restore point.
  • Q23: Can I use the Microsoft Baseline Security Analyzer (MBSA) to identify computers that require this tool?

    A23: No. You can use MBSA to help determine whether computers have the 835732 security update installed. However, MBSA cannot identify computers that are infected with the Sasser worm.
  • Q24: What user rights and other prerequisites do I have to have to run this tool?

    A24: See the "Prerequisites" section.
  • Q25: Will this tool be part of Windows XP Service Pack 2?

    A25: No.
  • Q26: Can this update be deployed through Microsoft Systems Management Server and through other systems management software?

    A26: Yes. However, as with any large deployment, it is a good idea to test the installation of the tool and the removal of the tool on many computers before you extend the update to the whole corporation. You can use the following single command to run the installer package in quiet mode and to run the tool in silent mode:

    Windows-KB841720-ENU-V4.exe /Q /C:"sasscln.exe /S"

  • Q27: The KB841720 critical update was not installed on my computer by Automatic Updates. Additionally, when I visit Windows Update and scan for updates, the KB841720 critical update is not available for me to install. Why?

    A27: For the KB841720 critical update to be available on Windows Update and through Automatic Updates, your computer must meet the requirements that are described in the "Prerequisites" section.

    Additionally, the KB841720 critical update will not be available to install from Windows Update or through Automatic Updates if your computer does not appear to be infected with the Sasser worm.
Modification Type:MajorLast Reviewed:3/1/2005
Keywords:ATdownload kbvirus KB841720 kbAudEndUser kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.