XenonStack Recommends

Security Intelligence

Sasser Virus: Affecting Computers with Windows XP and Windows 2000

Parveen Bhandari | 16 Aug 2022

Sasser Virus

What is Sasser Virus?

Sasser worm was discovered in April 2004. It is a member of the W32—Sasser family of self-executing worms.
This virus is a computer worm that targets MS operating systems like Windows XP and Windows 2000. The Sasser worm sends data by using a network port. It can spread to a large number of computers quickly. The Sasser worm attacks computers over TCP port (445). However, some Microsoft researchers believe it might use port 139. Without human intervention, this worm can spread from one computer to another Machine.

How does Sasser Virus work?

When a susceptible machine is discovered, a worm on the worm will attempt to exploit the LSASS buffer overflow vulnerability by sending a shellcode to the target computer. After being exploited, the LSASS process may crash, causing Windows to display an alert and shut down the system. On port 9996, a remote shell is launched.
The worm checks various IP addresses before connecting to victims' computers via TCP port 445. It Creates and runs a script file titled cmd.FTP on the target computer, which forces the target machine to download Sasser from the infecting computer's worm-created FTP server. The worm will be saved in the system directory. The downloaded program will be named _up.exe, followed by four or five random integers.

The presence of the files (C:WIN.LOG or C:WIN2.LOG) on a computer's hard disc and seemingly random crashes with LSASS.EXE on the screen caused by the worm's defective coding, are indicators of the worm's infestation. The shutdown timer that shows when the worm crashes LSASS.exe is the most prevalent indication of the worm.

Sasser copies itself to the Windows directory and names it:

  • AVSERVE.EXE Sasser. a
  • AVSERVE2.EXE Sasser. b

What were the Effects of the Sasser Virus?

It shuts down Agency France-Presse’s satellite communications systems for several hours.
Delta Airlines was forced to cancel several trans-Atlantic flights as a result.
The University of Missouri's network had to be disconnected from the Internet.
For several hours, the British Coastguard's electronic mapping function was unavailable.

Cyber Security Services
End-to-End Proactive Solutions for empowering Advanced Threat Protection and Intelligence with Real-Time Analytics, Cyber Security Services

How to Prevent Sasser Virus Attack?

Here are some simple instructions for removing the Sasser virus.
Disconnect your computer from the internet.
Track down and stop the worm: At the exact moment, press the keys "Ctrl+Alt" and "Del." This will start Windows Task Manager. Select the tab "Processes." Look for an "aserve.exe" or "*_up.exe" file. Select one of these files and click the "End Process" button if you see one of these files. When it asks for confirmation, select "yes."
Find and eliminate the worm: Choose "Search" from the "Start" menu in the bottom left corner of your screen. Search your entire computer for the files "avserve.exe" and "*_up.exe" (in the field next to the "all files and folders" option). Delete any files that match.

  • Enable the firewall on your computer.
  • Use up-to-date antivirus software.
  • Use a strong password.
  • Search window updates. Let the site scan your computer and apply any critical update.

If your system continues to try to restart, follow these steps:

  • Click on the start button.
  • Choose "Run" from the list of options after clicking the "Start" button in the bottom-left corner of your screen.
  • "cmd.exe" should appear.
  • Type "shutdown -a" into the cmd prompt when it appears.

This should bring the reboot process to a halt.


To infect the computer, the attackers used multiple methods. The infected machine may appear to be functioning normally, and it isn't easy to identify. The Sasser worm has spread widely due to three factors: a lack of security upgrades, wrong password settings, and running vulnerable versions of the Microsoft operating systems Windows XP and Windows 2000. Roughly 30% of machines have not installed the security patch. Among the countries with the highest infection rates, China, Russia, and India are reported to have a severe problem with pirated software. The security patch for the pirated version of Windows cannot be applied automatically to correct the vulnerability. In recent years, infection of the Autorun virus via external storage has become a popular infection method.

Click here to explore more critical Viruses and their Remediations