Removing The Sasser/Lovesan Worm
This article explains how to remove the Sasser or the Lovesan/Blaster worm from your computer.
Symptoms:
My computer displays some weird “Windows Error Message” and then begins a sixty-second countdown, at the end of which it shuts down. I can see one or more of the following processes in my task manager: “19345_up” (Sasser worm; other numbers and multiple processes are possible) or “MSBlast.exe” or “MSLaugh.exe” (Lovesan).
Yeah, that sounds like it. What is going on?
You have been hit by either the MSBlast/Lovesan worm or the younger Sasser worm. These worms exploit a weakness in the RPC protocol to get into your computer. The worms aren’t dangerous per se, meaning they will not delete your data, but the Lovesan worm was written to use your computer as a “bot” to stage a massive Denial of Service attack against windowsupdate.com. The shutdown is due to a mistake the virus programmer made. Sasser uses a similar weakness but is actually pretty harmless; in fact, it removes two other worms if it finds them on your system. Of course, that doesn’t make it something you want to have on your PC: there is that shutdown business, and other, more dangerous worms such as Phatbot use Sasser to gain access to your PC.
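The symptom list above turned into a small triage check. This is an added example written for this article, not a tool from the original page; the process-name patterns come from the Symptoms section and the `tasklist`-style sample is constructed.

```python
"""Triage helper: flag Sasser/Lovesan indicator processes in a task list.

Constructed example for this article, not a tool from the original page.
The names come from the Symptoms section: Sasser runs as "<digits>_up"
(the number varies and several may run at once); Lovesan/Blaster runs as
"MSBlast.exe" or "MSLaugh.exe".
"""
import re
from typing import Optional

# Patterns derived from the article's symptom list.
SASSER_RE = re.compile(r"^\d+_up(\.exe)?$", re.IGNORECASE)
LOVESAN_NAMES = {"msblast.exe", "mslaugh.exe"}


def classify_process(name: str) -> Optional[str]:
    """Return the worm family a process name points to, or None if clean."""
    n = name.strip().lower()
    if n in LOVESAN_NAMES:
        return "Lovesan/Blaster"
    if SASSER_RE.match(n):
        return "Sasser"
    return None


def triage_tasklist(tasklist_output: str) -> dict:
    """Parse text shaped like `tasklist` output and group hits by family.

    Only the first column (image name) is inspected; the header and the
    separator line are skipped. Returns {family: [image names]} for matches.
    """
    hits: dict = {}
    for line in tasklist_output.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        image = line.split()[0]
        family = classify_process(image)
        if family:
            hits.setdefault(family, []).append(image)
    return hits


# Constructed sample modelled on `tasklist` output; PIDs and sizes are made up.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         16 K
explorer.exe                  1124 Console                    0     12,340 K
19345_up.exe                  1588 Console                    0      4,220 K
37812_up.exe                  1604 Console                    0      4,212 K
msblast.exe                   1720 Console                    0      3,980 K
"""

if __name__ == "__main__":
    for family, procs in triage_tasklist(SAMPLE_TASKLIST).items():
        print(f"{family}: {', '.join(procs)}")
```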
OK, that doesn’t sound good at all. What do I do?
First off, you need to disable that shutdown. Ignore the message, and click on “Start”. Next, select “Run”. A new window will appear, with a single input line. Type the following into that line and press Enter:
This prevents your system from shutting down, and now you have all the time to remove the worm. But first, you have to update Windows.
Updating Windows? How do I do that?
This is pretty easy. Click on “Start”, then select “Windows Update”. An Internet Explorer window will appear. Follow the steps in that window to download and install the updates. Don’t worry, very little user input is required; basically all you have to do is click “OK” a couple of times. If it asks you to reboot after the update, do it. After your system is back up and running again, you will probably encounter the shutdown again; use the trick described above to stop it.
OK, my Windows is now up to date. Why did I do that again?
The worms used a weakness in Windows itself to gain access to your PC. You don’t have to download any email or click on attachments, as most other worms require you to do; simply being online is enough in this case. Patching Windows closes that security hole.
Great. Now, how do I get rid of that sucker?
There are convenient removal tools to remove the worms. Download both of them, but don’t run them yet:
Before running those tools, you have to disable System Restore.
How do I disable System Restore, and why?
The reason you have to do this is to prevent Windows from backing up the worm and restoring it after reboot. Detailed instructions on how to do this can be found on the Symantec Website here.
Now, can I finally kill that worm?
Yes. Run the two programs that you just downloaded (one of them will probably not find anything, as it is pretty unlikely that you got hit by both worms). This will remove the worm from your system.
Cool. But what did I do wrong, and how can I keep this from happening?
Well, the mistake you made was not keeping your Windows up to date. Hit the update button every once in a while, or turn on automatic update to make sure you have the latest version of Windows on your PC.
With the patches you just downloaded you are safe from those two worms. But someone might find another exploit. To keep yourself from getting infected in the first place, I recommend you install a personal firewall. A firewall hides (“stealths”) unused ports, making your PC essentially “invisible” to the probes of trojan scripts and worms like Sasser.
You should also install antivirus software and update it frequently.
But I don’t want to spend more money on a firewall!
You don’t have to. There are several free firewalls out there, and most of them are actually very good. I use Kerio Personal Firewall myself. It is free of charge. Other free firewall software solutions are Zone Alarm and Tiny Personal Firewall.