Information on the Sasser worm

How to create a DCPromo.log to mitigate the vulnerability used by the worm to prevent a vulnerable machine from rebooting. NOTE: Following the steps in the DCPromo script is the best solution for customers who are not patched and are experiencing LSASS.EXE crashing. Following the instructions in this script completely mitigates the vulnerability by causing the vulnerable code path to never be executed. This is the best solution that will work no matter which port is targeted.

How to use TCP/IP filtering to block inbound access to all TCP ports (like ICF) to prevent a vulnerable machine from rebooting. NOTE: Following the steps in the TCP/IP filtering script is an alternative solution that should only be used if the DCPromo script / solution cannot be used. The steps in that script will walk a customer through blocking all un-solicited inbound TCP packets while leaving UDP ports exposed.

How to stop the server service to prevent a vulnerable machine from rebooting. NOTE: The steps outlined in the server service script may be the easiest way to mitigate the Sasser worm but it is the least robust solution as it only detaches the vulnerable LSASS code from ports TCP 139 and 445. LSASS will still be listening on other ports (like TCP 135) which are still exposed. However the steps in this script will mitigate Sasser variants A through D.

Here is the Sasser consumer web page: http://www.microsoft.com/security/incident/sasser.mspx

Here is the Sasser IT Pro web page: http://www.microsoft.com/technet/Security/alerts/sasser.mspx
The IT Pro web site has instructions for how to prevent the LSASS.EXE process from crashing as well has what processes to kill to stop the Sasser worm from sending packets and consuming network bandwidth.

ISS X-Force: http://xforce.iss.net/xforce/alerts/id/172

Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

Computer Associates: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012