

Sasser Worm



About Sasser

From: Symantec's Security Response site

W32.Sasser.Worm is a worm that spreads by scanning randomly-chosen IP addresses for vulnerable systems and by starting an FTP server.  This server is used to spread the worm to other hosts.  You are protected if all your Microsoft operating system Critical Updates are current and your antivirus program has received all the latest updates.

Systems which can be infected include:  Windows 2000, Windows Server 2003, Windows XP

Systems not affected:  Linux, Macintosh, Novell Netware, OS/2, UNIX, Windows 95, Windows 98, Windows Me, Windows NT
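
The spreading behaviour described above (scanning randomly-chosen addresses, plus an FTP server running on the infected host) is what lets a network operator pick infected machines out of connection logs. The sketch below is an added example, not part of the original page or of Symantec's write-up: the log format and sample lines are constructed, ports 445 and 5554 come from public analyses of Sasser rather than from this page, and the threshold is a hypothetical tuning value.

```python
from collections import defaultdict

SCAN_PORT = 445         # assumption: port Sasser probes, per public analyses (not on this page)
WORM_FTP_PORT = 5554    # assumption: port of the worm's FTP server, per public analyses
FANOUT_THRESHOLD = 20   # hypothetical tuning value: distinct hosts probed before flagging

def parse(line):
    """Parse 'time src_ip dst_ip dst_port'; return (src, dst, port) or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def find_suspects(lines, threshold=FANOUT_THRESHOLD):
    """Flag hosts that probe many distinct addresses and note if they also serve the worm FTP port."""
    probed = defaultdict(set)       # src -> distinct hosts contacted on SCAN_PORT
    ftp_clients = defaultdict(set)  # dst -> hosts that connected to its WORM_FTP_PORT
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                # skip garbled log lines instead of failing
        src, dst, port = rec
        if port == SCAN_PORT:
            probed[src].add(dst)
        elif port == WORM_FTP_PORT:
            ftp_clients[dst].add(src)
    return {
        host: {"probed": len(dsts), "serves_ftp": host in ftp_clients}
        for host, dsts in probed.items()
        if len(dsts) >= threshold
    }

def build_sample():
    """Constructed sample log: one scanning host, one ordinary file-share client."""
    lines = []
    for i in range(30):  # 10.0.0.5 probes 30 unrelated addresses on the scan port
        lines.append(f"12:00:{i:02d} 10.0.0.5 {i*7+1}.{i*5}.{i*3}.{i+1} {SCAN_PORT}")
    # a newly infected host fetches the worm from 10.0.0.5's FTP server
    lines.append(f"12:01:00 198.51.100.7 10.0.0.5 {WORM_FTP_PORT}")
    for i in range(40):  # 10.0.0.9 talks to one file server many times: not a scan
        lines.append(f"12:02:{i:02d} 10.0.0.9 10.0.0.2 {SCAN_PORT}")
    lines.append("garbled line")
    return lines

if __name__ == "__main__":
    for host, info in find_suspects(build_sample()).items():
        print(host, info)
```

Counting distinct destinations rather than total connections is what keeps a busy but legitimate file-share client (10.0.0.9 in the sample) from being flagged.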


REMOVAL

  1. Download FxSasser.exe (courtesy of Symantec) to a convenient location, such as your desktop.
  2. Close all programs before running the tool.
  3. Disconnect your computer from the network and the Internet.
  4. If you are running Windows Me or XP, disable System Restore (see instructions below).
    Caution: If you are running Windows XP, do not skip this step.
  5. Be sure you are logged on to your system with administrative rights.
  6. Double-click the FxSasser.exe file to start the removal tool.
  7. Click Start to begin the process, and then allow the tool to run.
  8. Restart the computer.
  9. Run the removal tool again to ensure that the system is clean.
  10. If you are running Windows XP, next re-enable System Restore (see instructions below).
  11. Reconnect to the network.
  12. Install the Microsoft 04-11 (835732) patch to fix your operating system:

    • Save the patch to a convenient location, such as your desktop.
    • Close all programs before installing.
    • Double-click the file to start the install.
    • Restart your computer.

  13. Be sure your virus definitions are up to date by running LiveUpdate (Norton/Symantec).
  14. Be sure you have installed all Critical Updates to your operating system.
    (If you are on ResNet, do this after you have been unblocked.)

ResNet students who have been disconnected will have to call
the ResNet Help Line (372-6566) to be reconnected to the network. 
It may take some time to be confirmed clean and reconnected.

Remember that Symantec Antivirus is available for download to enrolled TTU students.


Disabling System Restore in Windows XP

  • Click Start.
  • Right-click My Computer.
  • Select Properties from the floating menu.
  • Click the System Restore tab.
  • Select the Turn off System Restore check box.
  • Click Apply.
  • Click Yes in the message box.
  • Click OK.

After the worm is removed, restart your computer and follow the steps above to deselect "Turn off System Restore".


Running a Scan with Norton Antivirus

  • Click on the yellow shield in the bottom right corner (system tray).
  • Click Scan Computer in the left menu.
  • Check the box to select C: (Local Drive).
  • Click the Scan button at the bottom of the window.

Faculty and staff who need additional assistance should contact MicroSupport@tntech.edu (372-6315)
or their College MicroSupport contact.

 

Maintained by: Academic Computing Support
Last updated: May 04, 2004
Copyright © Tennessee Technological University. All rights reserved.
Information Technology Services, Box 5071— Clement Hall 220, Cookeville, Tennessee 38505   Phone: 931.372.3387