W32.Sasser Removal Tool: Quick Guide to Detect and Remove the Worm
What W32.Sasser is
W32.Sasser is a worm that exploited a vulnerability in the Windows LSASS service (SMB-related RPC) to spread across networks in 2004. It can cause system instability, crashes, high CPU usage, and network slowdown. Though old, variants or legacy infections can still appear on unpatched or isolated systems.
Before you begin
- Backup: Save important files to an external drive if possible.
- Disconnect: Unplug the network cable or disable Wi‑Fi to prevent further spread.
- Admin access: You’ll need administrator privileges to run removal tools and apply fixes.
- System restore point: Create one if available so you can revert changes.
Step 1 — Use a dedicated removal tool
- Download a reputable W32.Sasser removal tool from a trusted vendor (e.g., Microsoft Safety Scanner or a well-known antivirus vendor).
- Ensure the tool’s virus definitions are up to date.
- Run a full system scan and follow the tool’s prompts to quarantine or remove detected files.
- Reboot the system when prompted.
Step 2 — Manual detection (if needed)
- Check for suspicious processes: look for process names like avserve.exe, avserve2.exe, or unusual instances of lsass.exe (note: legitimate lsass.exe runs from C:\Windows\System32).
- Look for dropped files in temporary directories (e.g., %TEMP%) or unexpected scheduled tasks.
- Inspect network activity for unexplained listening ports or connections.
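The manual checks above, collected into one triage script. This is an added example written for this guide, not a tool from any vendor; it assumes an administrator PowerShell session on Windows 8/Server 2012 or later (for Get-NetTCPConnection) and uses only the process names and paths named in Step 2, plus the Run startup keys that Step 3 cleans up. It reports findings for review and deletes nothing.

```powershell
# Added triage script (not from the original guide): reports Sasser-style
# indicators from Step 2. Review every finding before removing anything.
# Assumptions: run as Administrator; a matching process name is a lead,
# not proof, so confirm with the removal tool or a second scanner.

$SuspectNames = @('avserve', 'avserve2')            # names cited in Step 2
$RealLsass    = Join-Path $env:SystemRoot 'System32\lsass.exe'
$Findings     = @()

# Processes: known worm names, or lsass.exe running from the wrong place
foreach ($p in Get-Process) {
    $path = $p.Path                                  # $null if unreadable
    if ($SuspectNames -contains $p.ProcessName) {
        $Findings += [pscustomobject]@{ Kind = 'Process'; Id = $p.Id
                                        Detail = "$($p.ProcessName) ($path)" }
    }
    elseif ($p.ProcessName -eq 'lsass' -and $path -and $path -ne $RealLsass) {
        # the legitimate LSASS service only ever runs from System32
        $Findings += [pscustomobject]@{ Kind = 'Process'; Id = $p.Id
                                        Detail = "lsass.exe outside System32: $path" }
    }
}

# Network: listening TCP ports owned by any flagged process
$flaggedIds = $Findings | Where-Object Kind -eq 'Process' | ForEach-Object Id
foreach ($c in Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue) {
    if ($flaggedIds -contains $c.OwningProcess) {
        $Findings += [pscustomobject]@{ Kind = 'Listener'; Id = $c.OwningProcess
                                        Detail = "TCP $($c.LocalAddress):$($c.LocalPort)" }
    }
}

# Startup: Run keys only (Autoruns in Step 3 covers the remaining locations)
foreach ($hive in 'HKLM', 'HKCU') {
    $key   = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        if ($name -match 'avserve' -or "$($props.$name)" -match 'avserve') {
            $Findings += [pscustomobject]@{ Kind = 'RunKey'; Id = $hive
                                            Detail = "$name = $($props.$name)" }
        }
    }
}

# Dropped files in %TEMP% (Step 2)
Get-ChildItem -Path $env:TEMP -Filter 'avserve*' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $Findings += [pscustomobject]@{ Kind = 'File'; Id = ''; Detail = $_.FullName } }

if ($Findings.Count -eq 0) { 'No Sasser indicators found.' } else { $Findings | Format-Table -AutoSize }
```

A process whose Path shows as empty could not be read even as administrator; treat that as "unverified" rather than clean and check it with Autoruns or the removal tool.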
Step 3 — Remove startup entries and malicious files
- Use Task Manager and Autoruns (Sysinternals) to remove unknown startup entries.
- Delete confirmed malicious files and empty the Recycle Bin.
- If you removed a malicious lsass.exe copy, ensure the real one remains in C:\Windows\System32.
Step 4 — Patch and secure the system
- Install all Windows updates, especially the patches for the LSASS vulnerability (MS04-011 and related).
- Remove or disable unnecessary services and restrict remote access (firewall rules).
- Change passwords for accounts used on the infected machine and network services.
Step 5 — Scan other systems and restore network
- Scan other devices on the network with updated antivirus tools.
- Only reconnect the cleaned system to the network after verifying it’s clean.
- Monitor network traffic for residual infection behavior.
Recovery and verification
- Run repeated full scans with a second reputable antivirus engine (on-demand scanner) to confirm removal.
- Check Windows Event Logs for entries indicating LSASS crashes or worm activity and confirm no recent re-infections.
When to seek professional help
- If the worm persists after removal attempts, critical systems are affected, or you lack backups, contact a professional incident response service or your IT support team.
Preventive measures
- Keep OS and software patched.
- Use up-to-date antivirus with real-time protection.
- Segment networks and limit administrative privileges.
- Regularly back up data and test restores.