NEWS FROM THE LAB - Tuesday, May 4, 2004

Sasser.D tool and workaround Posted by Gergo @ 13:15 GMT

The Sasser disinfection tool has been updated to remove Sasser.D. The tool is available from the description page.

If the tool finds an active infection, it implements a workaround to prevent the constant reboots that make patching really difficult.

One side effect of the Sasser worm's spreading is that it crashes LSASS.EXE, which forces Windows to reboot. This makes it rather difficult to fetch and install the required security patch.

A simple workaround can be implemented to prevent LSASS.EXE from crashing. The following file must be created with the Read-Only attribute set:


where %SystemRoot% is the Windows Directory (typically C:\WINDOWS or C:\WINNT).

Since the MS04-011 vulnerability is in debug print code, the vulnerable part of the code will not be executed if the debug log file cannot be opened.

As said, the F-Sasser tool now creates this file automatically when run.