Microsoft's Recommendations for the Sasser Worm and Its Variants



May 04, 2004 /The Wi-Fi Technology News/-Microsoft teams have confirmed that the Sasser worm (W32.Sasser.A and its variants) is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13 in conjunction with Microsoft Security Bulletin MS04-011.

Microsoft Security Bulletin MS04-011:
http://www.microsoft.com/security/security_bulletins/200404_windows.asp

Recommendations:

IT Professionals: View the Technical Update on the Sasser Worm webcast, May 4, 9 a.m. or 6 p.m. Pacific Time. http://go.microsoft.com/fwlink/?LinkId=28571

To protect your computer against Sasser and its variants, do the following:

Step 1: Enable a Firewall
Before you take other steps, make sure you have a firewall activated to help protect your computer against infection. If you have a hardware firewall in place for your home or workplace connection, or if you use the firewall included with Microsoft? Windows? XP, the Sasser worm is most likely blocked. If your computer has been infected, activating firewall software will help limit the effects of the worm on your computer. For comprehensive guidance to installing and enabling a firewall, see the Microsoft Protect Your PC site http://www.microsoft.com/security/protect/.

Step 2: Install the Required Update
To help protect your computer against the Sasser worm and its variants, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 on the Windows Update Web site listed in the Critical Updates and Service Packs section. You can also download and install this update manually from the Microsoft.com Download Center. To find the download for your operating system, refer to Technical Security Bulletin MS04-011.

Note If you installed the updates for MS04-011 manually or through Automatic Updates before Friday, April 30, then you are already protected against this issue.

Step 3: Automatically Check For and Remove Sasser.A and Sasser.B
You can use the tool available on the Microsoft web site to search your hard disk for and try to remove Sasser.A and Sasser.B., see the original recommendation here: http://www.microsoft.com/security/incident/sasser.asp.

Step 4: Review Additional Technical Resources
If the scanning and cleaning tool does not work for you, try using one of the free worm removal tools available at these antivirus software vendors' Web sites:

Computer Associates: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012

F-secure: http://www.f-secure.com/v-descs/sasser.shtml

Network Associates: http://vil.nai.com/vil/content/v_125007.htm

Norman: http://www.norman.com/Virus/Virus_descriptions/14919/en-us?show=default

Panda: http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?IdVirus=46865&sind=0

Sophos: http://www.sophos.com/virusinfo/articles/sasser.html

Symantec: http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

If you prefer to remove the worm manually (for advanced users only), see the Microsoft Product Support Services (PSS) Security Response Team alert for technical guidance.

Step 5: Learn How to Protect Your PC
To help protect your computer against a wide variety of security threats, see Protect Your PC http://www.microsoft.com/security/protect/default.asp.


Source: Microsoft

Related news:
Microsoft tracking people responsible for Worm Attacks against Computer Users
http://www.wi-fitechnology.com/displayarticle1131.html