
F - S A S S E R
---------------

The F-Sasser utility disinfects computers infected with the 
following Sasser worm variants:

 W32/Sasser.A
 W32/Sasser.B
 W32/Sasser.C
 W32/Sasser.D
 W32/Sasser.E
 W32/Sasser.F

The disinfection procedure is as follows:

1. Download and install the security fix for the MS04-011 (LSASS)
vulnerability from Microsoft:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx


2. Unpack the F-Sasser utility from the provided ZIP archive with
WinZip or PKUNZIP. A trial version of the WinZip archiver can be
downloaded from the following website:

http://www.winzip.com/ddchomea.htm


3. Run the unpacked F-Sasser.exe file from a hard disk to
eliminate the infection. You can run the utility either by
double-clicking it in Windows Explorer or (for advanced users) by
starting it from a command interpreter (COMMAND.COM or CMD.EXE):
type its name at the command prompt and press 'Enter'.


The F-Sasser utility performs the following steps to find and
remove the Sasser infection:

- scans all running processes for the worm

- terminates the infected processes

- recursively scans the Windows Directory and deletes the
  infected files

- removes the registry values created by the worm

- deletes c:\win.log and c:\win2.log

- implements a workaround to prevent the MS04-011 (LSASS)
  exploit from working (see below)

4. Restart the computer. After the restart your system should be clean.


About the MS04-011 workaround
-----------------------------

One side effect of the Sasser worm's spreading is that it crashes
LSASS.EXE, which forces Windows to reboot. This makes it rather
difficult to fetch and install the required security patch.

A simple workaround prevents LSASS.EXE from crashing: the
following file must be created with the Read-Only attribute set:

%SystemRoot%\Debug\dcpromo.log

where %SystemRoot% is the Windows Directory (typically C:\WINDOWS
or C:\WINNT).

Since the MS04-011 vulnerability is in debug logging code, the
vulnerable code path is not executed if the debug log file cannot
be opened for writing. The workaround only blocks this exploit
path; installing the MS04-011 update (step 1) is still required.
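
The workaround above as a script, added here as an illustration
and not part of the F-Sasser tool itself. It is written in Python
(assumed to be available; the tool needs no interpreter) and takes
the Windows Directory as a parameter so it can be exercised against
a temporary directory; the function names are this example's own.
On Windows, os.chmod() can only toggle the file's Read-Only
attribute, which is exactly what the workaround needs.

```python
"""Create %SystemRoot%\\Debug\\dcpromo.log with the Read-Only attribute
set (the MS04-011 LSASS workaround) and verify it is in place.
Added example; the system_root parameter is an assumption made so the
code can be tested outside a real Windows Directory."""
import os
import stat

# Mode without any write bit: on Windows this sets the Read-Only
# attribute, on POSIX it clears owner/group/other write permission.
READ_ONLY = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH  # 0o444


def workaround_path(system_root):
    """Path of the debug log the vulnerable LSASS code tries to open."""
    return os.path.join(system_root, "Debug", "dcpromo.log")


def create_lsass_workaround(system_root):
    """Create an empty dcpromo.log and mark it Read-Only.

    If the file already exists it is left untouched apart from the
    attribute, so re-running after a partial attempt is safe.
    """
    path = workaround_path(system_root)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if not os.path.exists(path):
        # Exclusive create: never reopen an existing (possibly already
        # read-only) file for writing, which would fail or truncate it.
        with open(path, "x"):
            pass
    os.chmod(path, READ_ONLY)
    return path


def workaround_in_place(system_root):
    """True only if dcpromo.log exists and has no write bit set."""
    path = workaround_path(system_root)
    if not os.path.isfile(path):
        return False
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def remove_lsass_workaround(system_root):
    """Optional: undo the workaround once the MS04-011 update is installed.

    The Read-Only attribute is cleared first, because Windows refuses to
    delete a read-only file.
    """
    path = workaround_path(system_root)
    if os.path.exists(path):
        os.chmod(path, READ_ONLY | stat.S_IWUSR)
        os.remove(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    # On a real machine use the actual Windows Directory.
    root = os.environ.get("SystemRoot", r"C:\WINDOWS")
    print(create_lsass_workaround(root), workaround_in_place(root))
```

Run it from an account with local administrator rights, as the
Debug folder under the Windows Directory is not writable by
ordinary users. Leave the file in place until the MS04-011 update
has been installed.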


Checking the computer for further infections
--------------------------------------------

You can get a trial version of F-Secure Anti-Virus and the latest 
updates for it from our website:

http://www.europe.f-secure.com/download-purchase/list.shtml
http://www.europe.f-secure.com/download-purchase/updates.shtml


IMPORTANT NOTES
---------------

If a computer running Windows NT, 2000 or XP is being
disinfected, please log in as Administrator or as a user with
local administrator rights; otherwise the F-Sasser utility might
not disinfect the system correctly.

If you have Windows ME or XP, it is recommended to disable the
System Restore feature of these operating systems to prevent
re-infection with the Sasser worm. System Restore might save the
infected file into its special folder and copy it back to the hard
drive every time it is deleted by the F-Sasser utility. Instructions
on how to disable the System Restore feature are here:

Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility, please contact us at
'anti-virus-support@f-secure.com'. Please include a copy of the
log file written by the F-Sasser tool, which is called
'F-Sasser.log' and is located in the Windows Directory.


Copyright (C) 2004 F-Secure Corporation. All rights reserved.
