Download the patch from Microsoft site. Here are the links: Windows XP or Windows 2000/2003.

Install the patch, then download Symantec’s Sasser Removal Tool.

The tool will:

1. Terminates the W32.Sasser viral processes.
2. Deletes the W32.Sasser files.
3. Deletes the registry values that the worm adds.

Restart your computer in safe mode, run FxSasser.exe. After that boot up normally and run the tool again to ensure that the virus is totally gone.

Note: I did not tried the above steps because I do not have an infected PC to try on. But based on logic and common sense, it should work.

How to Tell If Your Computer Is Infected
If your computer is infected with W32.Sasser.worm, you may see a dialog box with text that refers to LSASS.exe. Some customers whose computers have been infected may not notice the presence of the worm at all, while others who are not infected may experience problems because the worm is attempting to attack their computer. Typical symptoms may include systems rebooting every few minutes without user input.

For more information on this virus and how to remove/prevent it, visit this Microsoft site.

To have enough time to do so, you need to disable the shutdown of Windows by any application. Go to Run, type “shutdown -a” without the quotes.

The variant began spreading early Tuesday Eastern time, and by 9 a.m. Tuesday, MessageLabs Inc. had stopped more than 10,000 copies. The virus size is approximately 73 KB, and the attachment that actually contains the malicious code can carry any one of a number of names, according to iDefense Inc., a security company based in Reston, Va. Among the file names seen so far are:

» application.pif
» document_all.pif
» details.pif
» document_9446.pif
» movie0045.pif
» thank_you.pif
» your_details.pif
» your_document.pif
» wicked_scr.scr

The subject line of the e-mail message that carries the attachment is also randomized, and many of the subjects are similar to previous SoBig variants. They include:

» » Re: Details
» Re: Approved
» Re: Re: My details
» Re: That movie
» Re: Thank you!
» Re: Your application
» Re: Wicked screensaver
» Thank you!
» Your details

SoBig.F installs a copy of itself in the Windows registry, in a file named “winppr32.exe.” MessageLabs lists the worm as originating in the Netherlands, and its statistics show that SoBig.F has spread mainly in that country and Norway at this point. However, that is likely to change as workers in North America begin checking their e-mail Tuesday.

Some facts:

» “This is local clogging as opposed to worldwide Internet clogging,” Kuo said. “There are many areas of local pain.”
» The MSBlast variant, Nachia, infects computers using the same widespread vulnerability in Microsoft Windows that previous versions of the worm exploited. The program then downloads a patch to protect systems against future infections of the MSBlast worm.
» While the intentions of the unknown worm writer seem to have been good, its aggressive spread has clogged many networks.
» “It’s faster,” Kuo said. Previous versions of MSBlast tried to spread to 20 different network addresses at a time but had to wait for each attempt to fail if no computer was at that address. The Nachia variant tries to spread to 300 different address at a time and doesn’t wait, letting it spread very fast.
» The latest version of the SoBig mass-mailing computer virus also caused headaches for network administrators. E-mail service provider MessageLabs stopped more than 100,000 messages carrying the latest virus in the first few hours of the attack.

Source From ieXbeta

1. Go to Start, Run and type in shutdown -a. This will cancel the shutdown attempt
2. Patch Your System with the appropriate MS03-026 Patch
3. After Installation of the Patch, Reboot your system.
4. Download and run “FIXBLAST.exe” to remove the MSBLAST.exe file, terminate the process and remove added registry keys by the worm.
5. Reboot your pc one last time.
6. Visit WindowsUpdate.com more often and take note of our repeated warnings to keep your system updated.

User’s should block access to TCP port 4444 at the firewall level. User’s should also block the following ports, if they do not use applicaitons listed:

» TCP Port 135, “DCOM RPC”
» UDP Port 69, “TFTP”

Direct Links:

» Windows 2000 English Patch (MS Site)
» Windows XP English Patch (MS Site)

» Windows 2000 English Patch (Mirrored)
» Windows XP English Patch (Mirrored)

» FixBlast – W32.Blaster.Worm Removal Tool

» Symantec Security Response – W32.Blaster.Worm Removal Tool

» Microsoft Security Bulletin MS03-026

Always keep your Windows Updated.

» Infection Length: 6,176 bytes
» Systems Affected: Microsoft IIS, Windows 2000, Windows NT, Windows XP
» Systems Not Affected: Linux, Macintosh, OS/2, UNIX

Basically, what the virus does is it will auto restart your Windows after a certain time.

Fixes:

» Symantec Security Response – W32.Blaster.Worm Information (Removal)
» Microsoft Security Bulletin (Patch)

It is recommended that all users get this fixed as soon as possible.

*Update* I have mirrored the Microsoft patch on this server. If it is illegal inform me and I will remove it immediately.

» WinXP English Patch
» Win2K English Patch

*Disclaimer* Download at your own risk, I will not hold any responsibility if there is anything wrong with your computer after installing it.