How to Remove The Sasser worm - W32.Sasser.Worm
Tuesday, December 8, 2009
What is the Sasser worm?
The Sasser worm spreads on its own over the network: it needs no e-mail attachment and no action from the user, so it can sweep through an entire LAN or hit a single computer connected directly to the Internet. It exploits a known Windows vulnerability, a buffer overflow in the LSASS service (Local Security Authority Subsystem Service) reachable over TCP port 445, which Microsoft fixed in security bulletin MS04-011. The patch is easy to install, yet many systems still do not have it. Windows 2000 and Windows XP are the main targets; Windows NT and Windows Server 2003 are affected by the same vulnerability.
1. Disconnect your computer from the local area network or Internet.
2. Stop the forced reboot. When the exploit crashes lsass.exe, Windows starts a shutdown countdown and the machine restarts before you can finish cleaning it. Click Start > Run, type:
shutdown -i
and press Enter.
In the Remote Shutdown Dialog that opens, change the 20 seconds to:
9999
and click OK. (On Windows XP and Server 2003, `shutdown -a` typed at Start > Run aborts a pending shutdown countdown directly.)
3. Reconnect the network/Internet connection, then click Start > Windows Update to install all necessary patches automatically. The worm is still running at this point and will keep scanning other machines from your computer until it is killed in step 4; if you can, do step 4 first and keep the connection short.
4. Terminate the running process.
Press CTRL+ALT+DEL to open Windows Task Manager, then select the Processes tab. Scroll down the list and search for the following processes:
* avserve.exe
* avserve2.exe
* skynetave.exe
* any process with a name consisting of four or five digits, followed by _up.exe (eg 64354_up.exe).
If you find any such process, click it, and then click End Process. Exit the Task Manager.
5. Disable System Restore (Windows XP). Restore points can hold an infected copy of the worm that the antivirus scan cannot remove; re-enable System Restore once the system is clean.
6. Remove the registry entries.
Click Start > Run, type 'regedit' and click OK.
Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the following entries (the worm adds them so that it starts again at every logon):
"avserve.exe"="%Windir%\avserve.exe"
"avserve2.exe"="%Windir%\avserve2.exe"
"skynetave.exe"="%Windir%\skynetave.exe"
Close the Registry Editor.
7. Search for and delete the following files in the Windows directory (%Windir%, usually C:\Windows or C:\WINNT), together with any file named with four or five digits followed by _up.exe:
avserve.exe
avserve2.exe
skynetave.exe
8. Update your antivirus tool's virus definitions and run a full scan of the system. Re-enable System Restore afterwards.
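The manual checks in steps 4, 6 and 7 can be done in one pass from a script. The PowerShell script below is an added example, not part of the original post and not a vendor removal tool: it looks for the process names, Run-key values and dropped files listed above, reports what it finds, and only removes them when run with -Remove. It assumes an elevated prompt and that PowerShell is installed (it is not part of Windows XP by default; the 1.0/2.0 installer for XP SP2 and Server 2003 is required). Checking the System32 subdirectory in addition to %Windir% is an assumption added here, not something the post states.

```powershell
# Added example: audit a Windows host for the Sasser indicators listed above.
# Detection only by default; -Remove ends the processes, deletes the Run
# values and removes the files. Run from an elevated prompt.
param([switch]$Remove)

# Base names from the write-up: avserve, avserve2, skynetave and <4-5 digits>_up.
$baseNames = '(avserve2?|skynetave|\d{4,5}_up)'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$winDir    = $env:windir
$findings  = @()

# 1. Running processes. Get-Process reports names without the .exe extension.
foreach ($p in Get-Process) {
    if ($p.Name -match "^$baseNames$") {
        $findings += "process $($p.Name) (PID $($p.Id))"
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }
}

# 2. Run-key persistence. Flag a value if its name or its data names a worm file.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
        $data = [string]$prop.Value
        if ($prop.Name -match "^$baseNames(\.exe)?$" -or $data -match "(^|\\)$baseNames\.exe") {
            $findings += "Run value '$($prop.Name)' = $data"
            if ($Remove) { Remove-ItemProperty -Path $runKey -Name $prop.Name }
        }
    }
}

# 3. Dropped files in %Windir% and (assumption added here) its System32 subdirectory.
foreach ($dir in @($winDir, (Join-Path $winDir 'System32'))) {
    Get-ChildItem -Path $dir -Filter '*.exe' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match "^$baseNames\.exe$" } |
        ForEach-Object {
            $findings += "file $($_.FullName)"
            if ($Remove) { Remove-Item -Path $_.FullName -Force }
        }
}

if ($findings.Count -eq 0) {
    'No Sasser indicators found.'
} else {
    $findings | ForEach-Object { "FOUND: $_" }
    if (-not $Remove) { 'Re-run with -Remove to clean these up.' }
}
```

Run it once without -Remove and read the output before cleaning: the `\d{4,5}_up` pattern is broad enough that a legitimate file with a similar name would be reported too, and the script does nothing about the unpatched LSASS service itself, so the Windows Update step is still required.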