What You Should Know About the Sasser Worm and Its Variants
Published: May 1, 2004 | Updated: May 4, 2004 - 9:55 P.M. Pacific Time

Software Affected
· Windows XP, Windows XP Service Pack 1 (SP1)
· Windows 2000 SP2, Windows 2000 SP3, Windows 2000 SP4

Software Not Affected
· Windows XP 64-Bit Edition Version 2003
· Windows Server™ 2003
· Windows XP 64-Bit Edition SP1
· Windows Millennium Edition
· Windows 98 Second Edition
· Windows 98
· Windows NT® 4.0 SP6a

If your computer keeps shutting down, print these instructions for yourself, or to help a friend:
· Instructions for Microsoft® Windows® XP Users
· Instructions for Windows 2000 Users

Microsoft teams have confirmed that the Sasser worm (W32.Sasser.A and its variants) is currently circulating on the Internet. Microsoft has verified that the worm exploits the Local Security Authority Subsystem Service (LSASS) issue that was addressed by the security update released on April 13 in conjunction with Microsoft Security Bulletin MS04-011.

To protect your computer against Sasser and its variants, do the following:

Before you take other steps, make sure you have a firewall activated to help protect your computer against infection. If you have a hardware firewall in place for your home or workplace connection, or if you use the firewall included with Windows XP, the Sasser worm is most likely blocked. If your computer has been infected, a firewall will help limit the effects of the worm on your computer. For comprehensive guidance on installing and enabling a firewall, see the Microsoft Protect Your PC site.

To help protect your computer against the Sasser worm and its variants, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 on the Windows Update Web site, listed in the Critical Updates and Service Packs section. You can also download and install this update manually from the Microsoft.com Download Center. To find the download for your operating system, refer to Technical Security Bulletin MS04-011.

Note: If you installed the updates for MS04-011 manually or through Automatic Updates before Friday, April 30, then you are already protected against this issue.

You can use this tool to search your hard disk for Sasser.A, Sasser.B, Sasser.C, and Sasser.D and try to remove them. To do so, click Check My PC for Infection.

Important: To use this tool, you must be running Windows XP or Windows 2000, and you must have already installed the update released with Microsoft Security Bulletin MS04-011.

If the scanning and cleaning tool does not work for you, try using one of the free worm removal tools available at these antivirus software vendors' Web sites:
· Computer Associates
· F-Secure
· Network Associates
· Norman
· Panda
· Sophos
· Symantec