How to Remove the 'Sasser' Worm
Monday, May 3, 2004; 2:49 PM
The "Sasser" worm that emerged on the Internet this weekend can infect a computer even if no one is using it. Infected computers might display error messages and try to repeatedly reboot themselves.
Here are instructions to follow if you suspect that your computer has been infected:
1. Disconnect your computer from the Internet.
2. Locate and stop the worm's actions: Press the keys "Ctrl", "Alt" and "Del" at the same time. That should launch Windows Task Manager. Click on the "Processes" tab. Look for a file called "avserve.exe" or "*_up.exe". If one of these files appears, highlight it and click on the "End Process" button. Click "yes" when it asks for confirmation.
3. Find and delete the worm: Click on the "Start" button in the bottom-left corner of your screen, then choose "Search". Search your entire computer (in the field next to the "all files and folders" option) for the following files: "avserve.exe" and "*_up.exe". Delete any matching files.
4. Enable a firewall: Right-click on the Internet connection icon in the bottom-right corner of your screen (or wherever the task bar is located). Click on "open network connections". When a box pops up, right-click on the connection you use to get online, and select "properties". Then, on the "Advanced" tab you should see a box underneath the words "Internet connection firewall". If that box is not checked, check it.
5. Reconnect your computer to the Internet.
6. Visit Microsoft's Windows Update site: go to windowsupdate.microsoft.com. Let the site scan your computer and apply any "critical" updates.
7. Check to make sure your computer is disinfected: Visit Microsoft's Sasser page on its Web site and click on the button that reads "Check My PC for Infection". Follow the instructions provided.
If your computer continues to try to restart:
Click on the "Start" button at the bottom-left corner of your screen, then choose "Run" from the list of options. Type "cmd.exe" (without the quotation marks). When a command prompt pops up, type in "shutdown -a" (again -- without the quotation marks). That should stop the reboot process and give you enough time to carry out steps two through four.
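The name checks in steps two and three can also be scripted. The following is an added example, not part of the original article: it matches the two file names above, ignoring case, against a process listing and a list of file paths. It assumes the process listing is the CSV output of `tasklist /fo csv /nh`; the function names and the sample data are constructed for illustration.

```python
import csv
import fnmatch
import io
import ntpath

# File names given in steps two and three of the article, in lower case.
SASSER_NAME_PATTERNS = ("avserve.exe", "*_up.exe")


def matches_sasser_name(name):
    """True if a bare file name matches one of the article's patterns.

    Windows file names are case-insensitive, so compare in lower case.
    """
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p) for p in SASSER_NAME_PATTERNS)


def suspicious_processes(tasklist_csv):
    """Return (image_name, pid) for matching rows of `tasklist /fo csv /nh`."""
    hits = []
    for row in csv.reader(io.StringIO(tasklist_csv)):
        # Column 0 is the image name, column 1 the PID; skip short rows.
        if len(row) >= 2 and matches_sasser_name(row[0]):
            hits.append((row[0], int(row[1])))
    return hits


def suspicious_files(paths):
    """Return paths whose last component matches. The match is by name only,
    so an unrelated file ending in "_up.exe" is also reported: review first."""
    return [p for p in paths if matches_sasser_name(ntpath.basename(p))]


# Constructed sample data (not taken from a real machine).
SAMPLE_TASKLIST = '''"System Idle Process","0","Console","0","16 K"
"explorer.exe","1480","Console","0","18,204 K"
"AVSERVE.EXE","1932","Console","0","5,120 K"
"11583_up.exe","2044","Console","0","4,876 K"
'''
SAMPLE_PATHS = [
    r"C:\WINDOWS\avserve.exe",
    r"C:\WINDOWS\system32\11583_up.exe",
    r"C:\WINDOWS\system32\setup.exe",
    r"C:\Tools\backup_up.exe.txt",
]

if __name__ == "__main__":
    for image, pid in suspicious_processes(SAMPLE_TASKLIST):
        print("process:", image, pid)
    for path in suspicious_files(SAMPLE_PATHS):
        print("file:", path)
```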
Several cybersecurity firms and Microsoft have released tools that can detect and remove Sasser:
• Computer Associates
• Microsoft
• McAfee
• Symantec
• Trend Micro
Detailed removal instructions are also available from Microsoft.
washingtonpost.com