How to Remove the W32.Sasser Worm
These instructions will show you how to remove the Sasser worm from your computer and prevent it from infecting your computer again.
STEP 1: Print These Instructions, Shut Down Your Computer, and Disconnect Your Network/Internet Connection!
Unless you unplug the cable that connects your computer to your network jack, your computer can be infected and spread the worm to others.
STEP 2: Apply the Microsoft Security Patch (835732)
You must install this patch to prevent your computer from getting compromised again. However, the patch will not clean any existing infection from your computer.
Pick up the UIS Sasser Removal CD (free of charge) from the UIS Service Desk in St. Mary's Hall or the Biomedical Academic Computing Center Service Desk in the lower level of Dahlgren Library. A full set of instructions is contained on the CD.
If you cannot visit either of these buildings to pick up a CD, use a patched, uninfected computer to download the patch and the W32.Sasser Removal Tool from the UIS Software Database to a CD. (You will be prompted to log in with your NetID and NetID password.) You can find the Windows 2000 patch, the Windows XP patch, and the removal tool by searching for "Sasser" in the Search software by title/description field.
- If installing the patch from a UIS CD: Double-click on the Windows Patch folder.
If using a CD you created: Use Microsoft Explorer to view the file on your CD. If you have Windows 2000, your patch will be called Windows2000-KB835732-x86-ENU.exe. If you have Windows XP, your patch will be called WindowsXP-KB835732-x86-ENU.exe. Double-click the patch to begin installation.
- When installation is complete, reboot your computer.
STEP 3: Remove the Infected Files
- Run the Sasser Worm Removal Tool 1.01 from your CD.
If you are using Windows XP, follow #2-11 below; if you are using Windows 2000, follow #6-11.
- Click on the Start button on your task bar, then click on My Computer.
- Click on the View system information link (it's on the left-hand side of the window).
- Click on the System Restore tab.
- Then click on Turn off System Restore. (A checkmark should appear beside it.)
Click the OK button to close the System Properties window.
- Close all other programs, then double-click on the W32.Sasser Removal Tool (FxSasser.exe).
- When prompted, click on the Start button and allow the tool to run.
Note: If, when running the tool, you see a message that the tool was not able to remove one or more files, run the tool in Safe Mode. Shut down your computer, turn off the power, and wait 30 seconds. Restart the computer while holding down the F8 key on your keyboard. When prompted, use the arrow keys on your keyboard to highlight Safe Mode, then press the Enter key on your keyboard. When the computer has finished booting up in Safe Mode, run the virus removal tool again.
- After the tool has finished running, restart your computer.
- Run the tool a second time to make sure nothing has been missed.
- Windows XP users: Turn your System Restore setting back on.
- If you have removed all traces of the virus: Reconnect to the network and proceed to Step 4.
If you are unable to fully remove the virus: Please contact the UIS Help Desk. DO NOT REATTACH YOUR COMPUTER TO THE NETWORK JACK.
STEP 4: Update Your Virus Definitions
If you have not already done so, open Symantec AntiVirus.
- Click the LiveUpdate button.
- The LiveUpdate window will open. Click the Next button.
- Stand by while Symantec AntiVirus searches for updates.
- When the LiveUpdate is done, click the Finish button.
- Stand by while Symantec AntiVirus installs updates. You might be prompted to restart your computer.
STEP 5: Set Up Windows Update to Run Automatically
Visit How to Protect Your Computer for instructions on setting up automatic Windows Updates.