Windows XP users: Measures to take when a computer is infected with the Sasser worm

Source: Internet
Author: User

Released on: February 1, May 4, 2004

Print this page now so that you have the instructions to hand (if your computer keeps shutting down) or can help your friends.

If you are using Microsoft® Windows® XP or Windows XP Service Pack 1 (SP1) and your computer is infected with the Sasser worm, you can take these steps to update your software, remove the worm, and protect yourself from future infections.

Step 1: Disconnect from the Internet
To avoid further problems, disconnect from the Internet:

Broadband users: locate the cable that connects to your external DSL or cable modem, and unplug it from the modem or from the telephone jack.
Dial-up users: locate the cable that connects the computer's built-in modem to the telephone jack, and unplug it from the telephone jack or from the computer.

Step 2: Stop the shutdown cycle
This worm causes LSASS.EXE to stop responding, which forces the operating system to shut down after 60 seconds. If your computer starts to shut down, follow these steps to abort any system shutdown that is in progress.

Click "Start" on the taskbar at the bottom of the screen, and then click "Run".
Type "cmd" and click "OK".
At the command prompt, type "shutdown.exe -a", and then press Enter.

Step 3: Mitigate the vulnerability
You can create a log file to temporarily block the vulnerability that allows the worm to infect your computer.

Create a log file

Click "Start" on the taskbar at the bottom of the screen, and then click "Run".
Type "cmd" and click "OK".
At the command prompt, type "echo dcpromo >%SystemRoot%\debug\dcpromo.log", and then press Enter.

Set the log file to read-only

At the command prompt, type "attrib +R %SystemRoot%\debug\dcpromo.log", and then press Enter.

Step 4: Improve system performance
If your computer is slow or the Internet connection is too slow, this indicates that the worm may have spread across your LAN connection. This prevents you from downloading and installing the required software updates. To improve system performance:

Press CTRL + ALT + DELETE, and then click "Task Manager".
For each of the tasks below that appears in the list, select the task, and then click the "End Task" button to end it.
Any task ending with _up.exe (for example, 12345_up.exe).
Any task starting with avserve (for example, avserve.exe).
Any task starting with avserve2 (for example, avserve2.exe).
Any task starting with skynetave (for example, skynetave.exe).
Hkey.exe
Msiwin84.exe
Wmiprvsw.exe

Note: Do not end the wmiprvse.exe task. This is a legitimate system task.

Step 5: Enable the firewall
A firewall is software or hardware that creates a protective barrier between your computer and the Internet. If your computer is infected, a firewall can help limit the impact of the worm. Windows XP includes the Internet Connection Firewall (ICF). To enable ICF:

Click "Start" on the taskbar at the bottom of the screen, and then click "Control Panel".
Click "Network and Internet Connections".
(If "Network and Internet Connections" is not displayed, click "Switch to Category View" on the left of the "Control Panel" window.)
Click "Network Connections".
Right-click the dial-up, LAN, or high-speed Internet connection that you use to connect to the Internet, and then click "Properties" on the shortcut menu.
On the "Advanced" tab, under "Internet Connection Firewall", select "Protect my computer and network" and click "OK". The Windows XP firewall is now enabled.

Step 6: Reconnect to the Internet
Reconnect the cable (see step 1) to your computer, telephone jack, or modem.

Step 7: Install the required update
To prevent your computer from being infected with this worm again, you must download and install security update 835732, which was published as Microsoft Security Bulletin MS04-011. To download security update 835732, go to http://go.microsoft.com/?Linkid=526067

Step 8: Check for and remove the Sasser worm
After the installation is complete and the computer has restarted, go to "What You Should Know About the Sasser Worm and Its Variants" at http://www.microsoft.com/china/security/incident/sasser.asp. Scan your hard disk and remove Sasser.A, Sasser.B, Sasser.C, and Sasser.D with the Sasser worm removal tool.

About Internet Connection Firewall
The Windows XP Internet Connection Firewall can block useful tasks, such as sharing files or printers over the network, transferring files in applications, or multiplayer online games. However, Microsoft recommends that you use a firewall to protect your computer.

If you have enabled the Internet Connection Firewall and find that you can no longer perform some tasks that you need, read "How to Open Ports in the Windows XP Internet Connection Firewall" at http://www.microsoft.com/china/security/protect/ports.asp.

If you have multiple computers, need more technical information, or want to learn more about firewalls, read "Frequently Asked Questions About Firewalls" at http://www.microsoft.com/china/security/protect/firewall.asp.

Windows 2000 users: Measures to take when a computer is infected with the Sasser worm
Released on: February 1, May 7, 2004

Print this page now so that you have the instructions to hand (if your computer keeps shutting down) or can help your friends.

If you are using Microsoft® Windows 2000 Service Pack 2 (SP2), Windows 2000 SP3, or Windows 2000 SP4, and your computer is infected with the Sasser worm, you can take these steps to update your software, remove the worm, and protect yourself from future infections.

Step 1: Disconnect from the Internet
To avoid further problems, disconnect from the Internet:

Broadband users: locate the cable that connects to your external DSL or cable modem, and unplug it from the modem or from the telephone jack.
Dial-up users: locate the cable that connects the computer's built-in modem to the telephone jack, and unplug it from the telephone jack or from the computer.

Step 2: Mitigate the vulnerability
You can create a log file to temporarily block the vulnerability that allows the worm to infect your computer.

Create a log file

Click "Start" on the taskbar at the bottom of the screen, and then click "Run".
Type "cmd" and click "OK".
At the command prompt, type "echo dcpromo >%SystemRoot%\debug\dcpromo.log", and then press Enter.

Set the log file to read-only

At the command prompt, type "attrib +R %SystemRoot%\debug\dcpromo.log", and then press Enter.

Step 3: Improve system performance
If your computer is slow or the Internet connection is too slow, this indicates that the worm may have spread across your LAN connection. This prevents you from downloading and installing the required software updates. To improve system performance:

Press CTRL + ALT + DELETE, and then click "Task Manager".
For each of the tasks below that appears in the list, select the task, and then click the "End Task" button to end it.
Any task ending with _up.exe (for example, 12345_up.exe).
Any task starting with avserve (for example, avserve.exe).
Any task starting with avserve2 (for example, avserve2.exe).
Any task starting with skynetave (for example, skynetave.exe).
Hkey.exe
Msiwin84.exe
Wmiprvsw.exe

Note: Do not end the wmiprvse.exe task. This is a legitimate system task.
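
The task-name rules from the "improve system performance" steps of both the Windows XP and Windows 2000 procedures can be applied to a process listing as follows. This is an added example, not part of the original guidance: the function names and sample rows are constructed, and the input is assumed to use the CSV layout printed by `tasklist /FO CSV /NH` (image name first, PID second).

```python
import csv
import io

# Exact image names the page says to end (compared case-insensitively).
EXACT = {"hkey.exe", "msiwin84.exe", "wmiprvsw.exe"}
# Prefix rules from the page; the longer prefix comes first so it is reported.
PREFIXES = ("avserve2", "avserve", "skynetave")
SUFFIX = "_up.exe"
# Legitimate system task the page says must not be ended.
PROTECTED = {"wmiprvse.exe"}

def match_rule(image_name):
    """Return the page rule that an image name matches, or None."""
    name = image_name.strip().lower()
    if name in PROTECTED:
        return None
    if name in EXACT:
        return "exact:" + name
    for prefix in PREFIXES:
        if name.startswith(prefix):
            return "prefix:" + prefix
    if name.endswith(SUFFIX):
        return "suffix:" + SUFFIX
    return None

def flag_tasks(tasklist_csv):
    """Parse CSV task rows and return (image, pid, rule) for each match."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        if len(row) < 2:
            continue  # skip blank or malformed lines
        rule = match_rule(row[0])
        if rule:
            hits.append((row[0], int(row[1]), rule))
    return hits

# Constructed sample input (not captured from a real machine).
SAMPLE = '''"lsass.exe","724","Console","0","1,204 K"
"wmiprvse.exe","1312","Console","0","4,112 K"
"Wmiprvsw.exe","1490","Console","0","2,040 K"
"avserve2.exe","1604","Console","0","3,316 K"
"12345_up.exe","1720","Console","0","1,980 K"
"AVSERVE.EXE","1832","Console","0","3,300 K"
"explorer.exe","1900","Console","0","14,220 K"
'''

if __name__ == "__main__":
    for image, pid, rule in flag_tasks(SAMPLE):
        print(f"{image} (PID {pid}) matches {rule}")
```

The one-letter difference between Wmiprvsw.exe (listed by the page) and wmiprvse.exe (the legitimate task) is why the protected name is checked before any other rule.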

Step 4: Enable a firewall
A firewall is software or hardware that creates a protective barrier between your computer and the Internet. Microsoft does not produce a software firewall that is separate from its operating systems. The following resources provide detailed information about some firewall options.

Hardware firewall
A hardware firewall is ideal for versions of Windows earlier than Windows XP. Some home network hardware, such as wireless access points and broadband routers, comes with a built-in hardware firewall. These firewalls help protect most home networks.

Software firewall
Microsoft strongly recommends that all users obtain and install a firewall before connecting to the Internet. However, we recognize that some users may find that downloading the software is their only option. If you choose to reconnect to the Internet to obtain a software firewall, here are some options:

BlackICE PC Protection: save 25% (http://blackice.iss.net/microsoft.php)
Computer Associates: 12-month free trial (http://www.my-etrust.com/microsoft)
Free trial in F-secure-6 (http://www.f-secure.com/protectyourpc)
McAfee Security: save up to 35% (http://us.mcafee.com/root/campaign.asp?Cid=8437)
Panda Software: 90-day free trial (http://www.pandasoftware.com/microsoft)
Symantec/Norton: 90-day free trial (http://www.symantecstore.com/dr/v2/ec_dynamic.main?SP=1&Pn=46&SID=27674)
Tiny Software: Tiny Personal Firewall (http://www.tinysoftware.com)
ZoneAlarm: save $20 (http://download.zonelabs.com/bin/promotions/microsoftsecurity)

Step 5: Reconnect to the Internet
Reconnect the cable (see step 1) to your computer, telephone jack, or modem.

Step 6: Install the required update
To prevent your computer from being infected with this worm again, you must download and install security update 835732, which was published as Microsoft Security Bulletin MS04-011. To download security update 835732, go to http://go.microsoft.com/?Linkid=526386

Step 7: Check for and remove the Sasser worm
After the installation and updates are complete and the computer has restarted, go to the web page "What You Should Know About the Sasser Worm and Its Variants". Scan your hard disk and remove Sasser.A, Sasser.B, Sasser.C, and Sasser.D with the Sasser worm removal tool.

About firewalls
To learn more about the software firewalls, hardware firewalls, and network routers produced by other companies, and to choose a firewall that suits your computer, see "Why You Should Use a Computer Firewall" at http://www.microsoft.com/security/articles/firewall.asp. If you have another configuration, such as a small network, or want to learn more about firewalls, read the FAQs about Internet firewalls at http://www.microsoft.com/china/security/protect/firewall.asp.
