W32.Sasser family of worms

Discovery began in April 2004

The W32.Sasser family of network worms began to surface in April 2004 and new variants are still appearing. It attempts to exploit the LSASS Vulnerability, as described in Microsoft Security Bulletin MS04-011., and spreads by scanning randomly-chosen IP addresses for vulnerable systems.


An infected computer will show one or more of the following symptoms:

  • Windows NT shutdown 60 second countdown and machine reboot
  • Increased CPU usage
  • Slow network performance

This virus has very similar symptoms to the W32.Blaster worm and its variants from Fall of 2003.


Please follow these 8 steps:
  1. Unplug your computer from the network. (this will stop the 60 second system reboots).
  2. Go to a clean computer and visit www.antivirus.vt.edu.
  3. Download the Symantec fix tool (below) to a floppy, USB key, Zip disk, CD-R, etc.
  4. Run this tool on your computer. (this will clean up the current infection)
  5. Turn on firewall
  6. Plug in your network connection.
  7. Go to http://windowsupdate.microsoft.com/
  8. Install ALL Critical Updates.
You can find more information and removal instructions for each variant from Symantec from the following links: An automatic removal tool is available from Symantec and from Microsoft at the following links;