Sasser Incident at UVa

U.Va., as well as the rest of the world, is currently dealing with very serious, multiple types of attacks against computers using Microsoft Windows XP, Windows 2000, Windows NT, and Windows Server 2003. The Sasser worm behaves much like last year's Blaster worm, in that it attacks computers via the network and not email. This similarity causes Sasser to be reported as Blaster on our security scans. If we detect your machine has been infected with Sasser, it will be blocked from the Internet to prevent it from infecting other machines. Check if your computer has been blocked. If your machine is reported on the list as MS-RPC.Blaster, you should follow the troubleshooting instructions below. If your computer is not listed, it MAY be infected but not showing up yet: our list is refreshed every 15 minutes, so you should wait and check again. If your computer is still not listed, contact the Help Desk at 924-3731 or consult@virginia.edu, as you may be experiencing a different network problem.

Troubleshooting a Blocked Machine (Reported as MS-RPC.Blaster)

  1. Determine if your machine is infected by Sasser or Blaster
    1. Update your Norton Virus Definitions (available on Software Central)
    2. Disconnect your computer from the network
    3. Run a manual scan of your harddrive
    4. If Norton identifies files with Sasser, continue to Step 2 below
    5. If Norton identifies files with Blaster, directions are available at our DCOM site
  2. Delete files identified as Sasser by Norton (located in the Quarantine area of Norton Antivirus)
  3. Windows XP, turn on your firewall. Other versions, download appropriate patches with another machine before continuing.
  4. Reconnect your computer to the network
  5. Download the Microsoft MS04-011 Patch (available on Software Central)
  6. Disconnect your computer from the network
  7. Install the patch
  8. Reboot your computer, if the patch does not do this for you
  9. Run another Norton scan of your harddrive
  10. Delete files identified as Sasser by Norton (located in the Quarantine area of Norton Antivirus), if any
  11. Reboot your computer
  12. Reconnect to the network
  13. Unblock your computer's internet access (you may ignore the instructions and click on the Enter button at the bottom)
  14. Run Windows Update and apply all critical updates listed
  15. Go to Microsoft's Sasser's incident site and follow Step 3 to clean the remnants of Sasser off your computer
  16. Your computer should now be clean. If you experience any additional problems, contact the help desk at 924-3731 or consult@virginia.edu.

© 2009 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.