In case anyone has any need for this, I made a batch file for cleaning the
Sasser Worm, using the MS-supplied Sasser Cleaner for Win2K and WinXP
machines. The batch file also patches the Sasser-infected system with MS04-11.

Required 3rd-party - PSKILL and PSLIST
(http://www.sysinternals.com/ntw2k/freeware/pstools.shtml)

Required MS:
Windows-KB841720-ENU.exe - (this is the cleaner and is available for
download here: http://www.microsoft.com/security/incident/sasser.asp)
WindowsXP-KB835732-x86-ENU.EXE - (MS04-11 for WinXP)
Windows2000-KB835732-x86-ENU.EXE - (MS04-11 for Win2K)
WindowsServer2003-KB835732-x86-ENU.EXE - (MS04-11 for Win2K3)

I hope this helps someone.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
@echo OFF
If NOT exist c:\SasserCleaner Call :AbEnd
Set SCRIPTPATH=c:\SasserCleaner\
rem Set local scope and call MAIN procedure
setlocal & pushd & set RET=
set SCRIPTNAME=%~n0%~x0
set SCRIPTPATH=%~d0%~p0
if "%DEBUG%" GEQ "1" (set TRACE=echo) else (set TRACE=rem)
if /i {%1}=={/help} (call :HELP %2) & (goto :HELPEXIT)
if /i {%1}=={/?} (call :HELP %2) & (goto :HELPEXIT)
call :Do_setDummyFile
call :Do_Kill
call :Do_GetVer
call :Do_Clean
call :Cleanup_task
:HELPEXIT
popd & endlocal & set RET=%RET%
goto :EOF
rem /////////////////////////////////////////////////////////////////////////
rem HELP procedure
rem Display brief on-line help message
rem
:HELP
if defined TRACE %TRACE% 2 [proc %0, v1=%v1%, SCRIPTPATH=%SCRIPTPATH%]
rem Put help message here...
goto :EOF
rem /////////////////////////////////////////////////////////////////////////
:Do_setDummyFile
echo Doing Creating Dummy File so Sasser does not reinfect while we are removing it
CD %SCRIPTPATH%
echo dcpromo >%systemroot%\debug\dcpromo.log
attrib +R %systemroot%\debug\dcpromo.log
goto :EOF
:Do_Kill
echo Killing Sasser Processes
rem pslist prints the process name in its first column; pskill accepts that name
for /f "tokens=1 delims= " %%a in ('%SCRIPTPATH%pslist^| find /i "_up.exe"') DO pskill %%a
for /f "tokens=1 delims= " %%a in ('%SCRIPTPATH%pslist^| find /i "avserv"') DO pskill %%a
for /f "tokens=1 delims= " %%a in ('%SCRIPTPATH%pslist^| find /i "skynetave"') DO pskill %%a
for /f "tokens=1 delims= " %%a in ('%SCRIPTPATH%pslist^| find /i "hkey.exe"') DO pskill %%a
for /f "tokens=1 delims= " %%a in ('%SCRIPTPATH%pslist^| find /i "msiwin84"') DO pskill %%a
for /f "tokens=1 delims= " %%a in ('%SCRIPTPATH%pslist^| find /i "wmiprvsw.exe"') DO pskill %%a
goto :EOF
:Do_GetVer
Echo Determining your version of Windows
FOR /F "TOKENS=3* DELIMS= " %%A IN ('REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName^| find /i "microsoft" ') DO SET v1="%%A %%B"
If %v1%=="Microsoft Windows Server 2003" Echo "Windows 2003"& goto :Win2K3
If %v1%=="Microsoft Windows XP" Echo "Windows XP"& goto :WinXP
If %v1%=="Microsoft Windows 2000" Echo "Windows 2000"& goto :Win2K
goto :EOF
:WinXP
Echo Installing the MS Patch for Sasser -Windows XP Version
%SCRIPTPATH%WindowsXP-KB835732-x86-ENU.EXE /passive /norestart /o
goto :EOF
:Win2K
Echo Installing the MS Patch for Sasser -Windows 2000 Version
%SCRIPTPATH%Windows2000-KB835732-x86-ENU.EXE /passive /norestart /o
goto :EOF
:Win2K3
Echo Installing the MS Patch for Sasser -Windows 2003 Version
%SCRIPTPATH%WindowsServer2003-KB835732-x86-ENU.EXE /passive /norestart /o
goto :EOF
:Do_Clean
Echo Cleaning Sasser with Microsoft Sasser-Removal Tool
%SCRIPTPATH%Windows-KB841720-ENU.exe /passive /norestart /f /o
goto :EOF
:Cleanup_task
Echo Cleaning up and removing our installation Files
C:
cd\
Echo Process completed. Please reboot now
Echo .
Echo Please reboot your computer now
pause
Echo Please REMEMBER TO REBOOT YOUR COMPUTER NOW!!!
pause
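rem SCRIPTPATH is the folder this batch file was started from; the whole folder is removed
rmdir %SCRIPTPATH% /S /Q
rem Return here so a successful run does not fall through into :AbEnd
goto :EOF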
:AbEnd
Echo The folder C:\SasserCleaner was not found
Echo Please create this folder and extract the Cleaner to it
Echo I can not continue......
pause
Exit