Win32/Sasser.B is a network worm that exploits the Local Security Authority Subsystem Service (LSASS) vulnerability fixed in Microsoft Security Update MS04-011. The worm targets Windows 2000 and Windows XP computers that do not have the MS04-011 security update installed. Infected computers attempt to spread the worm to other unprotected computers by randomly scanning IP addresses and infecting vulnerable computers.

What to do now

To manually recover from infection by Win32/Sasser.B, perform the following steps:
  • Disconnect from the Internet
  • End the worm process
  • Delete the worm files from your computer
  • Delete the worm registry entry
  • Restart your computer 
  • Take steps to prevent re-infection

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, you should disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

End the worm process

Ending the worm process will help stop your computer from infecting other computers as well as resolve the crashing, rebooting, and performance degradation issues caused by the worm.
To end the worm process
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Select the process avserve.exe, and click End Process.
  4. Repeat step 3 for any additional processes named avserve2.exe, as well as any processes named <random number>_up.exe—for example 8843_up.exe.

Delete the worm files from the computer

After you end the worm process, you should delete the worm code from your computer.
To delete the worm files from the hard disk
  1. Click Start, and click Run.
  2. In the Open field, type %windir%
  3. Click OK.
  4. Click Name to sort files by name.
  5. If avserve2.exe is in the list, delete it.
  6. Repeat step 1-4 for any processes in the %windir%\system32 directory named <random number>_up.exe—for example 8843_up.exe.
  7. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  8. Click Yes.
This removes the worm code from your computer.
If deleting files fails, use the following steps to verify that avserve2.exe is not running:
  1. Press CTRL+ALT+DEL once and click Task Manager.
  2. Click Processes and click Image Name to sort the running processes by name.
  3. Confirm that avserve2.exe is not in the list.

Delete the worm registry entry

To delete the worm registry entry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  4. In the right pane, right-click the value avserve2.exe.
  5. Click Delete and click Yes to delete the value.
  6. Close the Registry Editor.

Restart your computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.

Threat behavior

Win32/Sasser.B checks for the presence of mutex Jobaka3. If the mutex exists, the worm exits so that only one instance is running. Otherwise, the worm takes the following actions:
  • Creates mutex Jobaka3
  • Creates mutex JumpallsNlsTillt
    If this mutex already exists, the worm exits.
  • Copies itself to %windir%\avserve2.exe.
  • Adds value: avserve2
    with data: avserve2.exe
    in registry key:
    This causes the worm to run each time you log on.
  • Creates a thread that acts as an FTP server on TCP port 5554.
  • Generates random IP addresses and sends the exploit code to these IP addresses on TCP port 445. If it successfully exploits the target computer, the exploit code listens on TCP port 9996, accepts and executes shell commands.  The worm then attempts to send shell commands to the target computer on the created port. These shell commands instruct the target computer to connect back to the infecting host, retrieve the worm copy through FTP, and execute it. This worm copy is file %windir%\<random number>_up.exe. For example: 9485_up.exe.
  • Creates c:\win.log and records the number of infected hosts.
  • Attempts to prevent you from shutting down or restarting your computer by calling AbortSystemShutdownA every three seconds.


Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computers. If your computer is infected, you may experience one or more of the following symptoms:
  • The presence of %windir%\avserve2.exe
  • The presence of registry value: avserve2.exe
    with data: %windir%\avserve2.exe
    in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • The presence of c:\win2.log
  • You see an LSA Shell crash dialog box similar to the following screenshot:
  • Your computer restarts every few minutes without your interaction. You may see a system shutdown dialog box similar to the following screenshot:
  • Your computer performance is decreased or your network connection is slow


Alert level: Severe
First detected by definition:
Latest detected by definition: 1.203.795.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Jul 19, 2004
This entry was updated on: Mar 23, 2007

This threat is also detected as:
  • W32/Sasser.worm.b (McAfee)
  • W32.Sasser.B.Worm (Symantec)
  • WORM_SASSER.B (Trend Micro)
  • Win32.Sasser.B (CA)
  • Sasser.B (F-secure)
  • Sasser.B (Panda)
  • W32/Sasser-B (Sophos)
  • Worm.Win32.Sasser.15872.B (Global Hauri)
  • W32/Sasser.B (Norman)