
Community Manager


May 4th, 2004 12:00

What Is the Sasser Virus and How Can I Prevent or Remove It?

The Sasser worm (W32.Sasser.A and its variants) is currently running around on the Internet and can easily infect an unprotected system. Unlike many viruses that require a user to click on or run an infected file or email attachment, this virus can spread from system to system without any user intervention. Please follow the steps listed below to check if your system is infected and protect yourself from future attacks of this virus.

Symptoms of infection with this virus may include any of the following (but are not limited to these):
* Slow or sluggish system performance
* A dialog box appears saying the system will shut down...
* The system may shut down or reboot on its own
* A message similar to: “lsass.exe terminated unexpectedly...” may appear
* A message such as: “The system process 'C:\WINDOWS\SYSTEM32\lsass.exe' terminated unexpectedly with status code -1073741819.” may appear
* An LSA Shell (Export Version) dialog box with text: “LSA Shell (Export Version) has encountered a problem and needs to close. We are sorry for the inconvenience.”
* A “System Shutdown” box that may say something like: “This system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY\SYSTEM” “The system process ‘C:\WINDOWS\system32\lsass.exe’ terminated unexpectedly with the status code -1073741819. The system will now shut down and restart.”

Sasser manual removal instructions -

* Disconnect your computer from the internet cabling
* Restart the computer
* At the first beep (older systems) or on the blue Dell screen (new systems), tap the F8 key (do not hold it down)
* At some point, the Advanced Options menu will appear
* Scroll to and select Safe Mode [press the Enter key]
* At the operating system listing [press the Enter key]
* Windows will start in Safe Mode. Close any boxes that may open, just get to the desktop

* Click Start- Find or Search- Files or Folders
* "Look In" should say Local Hard Drives
* Type avserve.exe [press Enter]
* Delete any/all found, close all boxes when finished

* Click Start- Run
* Type regedit [press Enter]
* Highlight My Computer
* Click Edit- Find
* Type avserve.exe [press Enter]
* Delete any/all found, press F3 to continue searching. Delete any/all found
* Close all boxes when finished
* Reconnect the computer to the internet cabling
* Click Start- Shutdown- Restart- OK or Click Start- Turn Off Computer- Restart

* Go here and follow the prompts to load all Critical Updates

Below are more fixes and additional information on this virus from Microsoft, Symantec and McAfee Security:
* Go here
* Click "What to do to protect against or remove the worm"

* Click What You Should Know About the Sasser Worm and Its Variants

* Click What Is the Sasser Virus and How Can I Prevent or Remove It?  

* Click Symantec W32.Sasser.Worm

* Click McAfee Security

* Go here for additional Sasser removal instructions

* Go here for the Sasser removal document that uses external tools

Message Edited by DELL-ChrisM on 05-07-2004 09:20 AM


DELL-Chris M
#IWork4Dell
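
A triage check built on the indicators in the post above, as an added example that is not part of the original post or of any Dell or vendor tool: it scans exported System event log text for the LSASS crash message and autorun entries for avserve.exe. The function names, the sample events and the Run-key entries are constructed for illustration; the status code -1073741819 from the dialog is the signed form of NTSTATUS 0xC0000005 (access violation).

```python
import re

# Indicators taken from the post above: the worm's file name and the
# LSASS crash text shown in the shutdown dialogs.
WORM_FILE = "avserve.exe"
LSASS_CRASH = re.compile(
    r"lsass\.exe['’]?\s+terminated unexpectedly with (?:the )?status code (-?\d+)",
    re.IGNORECASE,
)

def ntstatus_hex(code: int) -> str:
    """Render the signed 32-bit status from the dialog as an NTSTATUS value."""
    return f"0x{code & 0xFFFFFFFF:08X}"

def triage(event_lines, autorun_entries):
    """Return findings for one host from exported event text and autorun data.

    event_lines: message strings exported from the System event log.
    autorun_entries: (registry_path, value_name, value_data) tuples.
    """
    findings = []
    for line in event_lines:
        m = LSASS_CRASH.search(line)
        if m:
            findings.append(("lsass-crash", ntstatus_hex(int(m.group(1)))))
    for path, name, data in autorun_entries:
        # Match on either the value name or the command it launches.
        if WORM_FILE in name.lower() or WORM_FILE in data.lower():
            findings.append(("autorun", f"{path}\\{name} -> {data}"))
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_EVENTS = [
    "The system process 'C:\\WINDOWS\\system32\\lsass.exe' terminated "
    "unexpectedly with status code -1073741819. The system will now shut down and restart.",
    "The Print Spooler service entered the running state.",
]
SAMPLE_AUTORUNS = [
    # Registry path and values are constructed for the example.
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "avserve.exe", r"C:\WINDOWS\avserve.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SoundMan", "SOUNDMAN.EXE"),
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_EVENTS, SAMPLE_AUTORUNS):
        print(kind, detail)
```

A host that reports only the lsass-crash finding may have been hit without being infected, so it still needs the Critical Updates from the steps above.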


May 6th, 2004 18:00

I have downloaded the patch and applied it to all of my PCs.

The Patch did not hurt the Desktops, but it did a number on the C400s causing blue screens, the C600s, and C610s, which caused them to lock up when booting up in an undocked mode.

I have Win2000 and Spc3, running on the PCs.

We are at a loss of what to do to mass fix the clients affected, and are looking for a patch that will be able to be pushed across the network that can fix the MS04-011 Patch issues and also patch the PCs from the SASSER Virus.

 

Anyone have any clues on what to do?

 

Thanks

Tom


May 6th, 2004 19:00

I have done all the suggested corrective actions. Ran the FxSasser.exe and Stinger.exe but as soon as I reconnect the cable back into the computer I get the pop up shut down message. Please does anyone have any advice as to what I do next?

 

I first contacted Dell tech support but my demision software was missing and I was advised that they could not help me any further until I repurchase that disk, but sales said that tech support is supposed to help with that issue; it is not something that I can purchase since it was sent with my system and was taken when a tech came out to install a motherboard.

Thanking you in advance.

VC

 
