sasser.exe

Sasser Worm (W32.Sasser)

Worm | Dangerous | Network Propagating Malware

CPU Usage: 5-25% typical on infected host; spikes during propagation
Memory: 10-60 MB
Location: C:\Windows\System32 or related temp drop sites
Publisher: Unknown / Malicious

Quick Answer

The Sasser worm is dangerous. It is network-spreading malware that exploits a Windows LSASS vulnerability to copy itself to other machines, causing reboots and widespread infection.

Is it a Virus?
YES - Malware/Worm
Spreads autonomously across networks; not a legitimate system file.

Warning: Active propagation detected
Infected machines may reboot unexpectedly; isolate affected hosts.

Can I Disable?
NO
It cannot be safely disabled through normal user settings; the infected systems need cleanup and patching.

What is sasser.exe?

sasser.exe is the main executable used by the Sasser worm, a Windows network worm that infected Windows XP and Windows 2000 systems in the mid-2000s. It propagates by scanning for vulnerable hosts, exploiting a bug in LSASS to copy itself to remote machines, dropping payloads in System32 and triggering reboots to advance the infection.

It exploits an LSASS vulnerability to gain remote code execution and propagate across the network, using components such as avserve.exe and avserve2.exe to drop and run payloads on newly infected hosts.

Quick Fact: Sasser spread rapidly in 2004 by abusing a Windows LSASS bug, often causing unexpected reboots on infected machines.

Is sasser.exe Safe?

No, sasser.exe is not safe as it is the executable for a worm that spreads across Windows networks.

Is sasser.exe a Virus or Malware?

The real sasser.exe is malware (a worm). However, malware sometimes disguises itself with similar names.

How to Tell if sasser.exe is Legitimate or Malware

  1. File Location: Check for sasser.exe in C:\Windows\System32\sasser.exe or C:\Windows\System32\avserve.exe, the worm's usual drop location; a copy in any other folder is also suspicious.
  2. Digital Signature: Right-click C:\Windows\System32\sasser.exe → Properties → Digital Signatures. The worm's file will not show a trustworthy Microsoft signature, which a genuine Windows component would carry.
  3. Resource Usage: Unexplained CPU spikes or prolonged high usage while the machine is idle are a red flag for malware.
  4. Behavior: It should not appear as a regular user process; look for abnormal network activity and reboot triggers.

Red Flags: If sasser.exe is located in unusual folders (C:\Temp, AppData), keeps running after Explorer is closed, has no digital signature, or uses excessive resources continuously, scan with antivirus and isolate the machine. Also watch for look-alike file names in non-system folders.
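The four checks above, as an added triage script that is not part of the original page. It assumes a modern Windows host with PowerShell 5 or later run from an elevated prompt (Get-AuthenticodeSignature and Get-NetTCPConnection are standard cmdlets there); the file names, the System32 drop location, the unusual folders and the Startup folder are the ones the page gives, while the Run registry keys, the 25% CPU threshold and the two-second sampling window are this example's own choices.

```powershell
# Added example (not from the original page): defender-side triage for the checks
# listed above: file location, digital signature, resource usage and behaviour.
# Assumptions: modern Windows with PowerShell 5+, elevated prompt.

$SuspectNames  = @('sasser.exe', 'avserve.exe', 'avserve2.exe')           # names given on the page
$SystemDir     = Join-Path $env:SystemRoot 'System32'                      # the worm's drop location
$UnusualDirs   = @('C:\Temp', $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP)  # "unusual folders" per the page
$StartupFolder = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'
$RunKeys       = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',  # example's own addition
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail, [string]$Verdict) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail; Verdict = $Verdict })
}

# Checks 1 + 2: file location and digital signature.
# A genuine Windows component in System32 carries a valid Microsoft signature; the worm does not.
foreach ($dir in @($SystemDir) + $UnusualDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Depth 2 -File -Include $SuspectNames -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $msSign  = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        $where   = if ($_.DirectoryName -eq $SystemDir) { 'System32 drop location' } else { 'unusual folder' }
        $verdict = if ($msSign) { "Unexpected: valid Microsoft signature in $where; review manually" }
                   else         { "Suspicious: no valid Microsoft signature, found in $where" }
        Add-Finding 'File location + signature' $_.FullName $verdict
      }
}

# Checks 3 + 4: resource usage and network behaviour of any running copy.
# CPU is sampled over a short window rather than read from the cumulative counter.
$suspects = Get-Process | Where-Object { $SuspectNames -contains ($_.ProcessName + '.exe') }
foreach ($p in $suspects) {
    try {
        $before = $p.TotalProcessorTime; Start-Sleep -Seconds 2; $p.Refresh()
        $cpuPct = [math]::Round(100 * ($p.TotalProcessorTime - $before).TotalSeconds / (2 * [int]$env:NUMBER_OF_PROCESSORS), 1)
    } catch { continue }   # process exited during sampling
    $conns   = @(Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue).Count
    $detail  = "PID $($p.Id) $($p.Path): ~$cpuPct% CPU, $conns TCP connections"
    $verdict = if ($cpuPct -ge 25 -or $conns -gt 0) { 'Suspicious: worm process name with CPU/network activity' }
               else                                 { 'Suspicious: worm process name running' }
    Add-Finding 'Process behaviour' $detail $verdict
}

# Check 4, continued: persistence in the Startup folder and the Run keys.
Get-ChildItem -Path $StartupFolder -File -ErrorAction SilentlyContinue |
  Where-Object { $SuspectNames -contains $_.Name } |
  ForEach-Object { Add-Finding 'Startup folder' $_.FullName 'Suspicious: worm name in Startup folder' }

foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }    # skip PowerShell's own provider metadata
        foreach ($name in $SuspectNames) {
            if ("$($prop.Value)" -match [regex]::Escape($name)) {
                Add-Finding 'Run key' "$key\$($prop.Name) = $($prop.Value)" 'Suspicious: worm name referenced at logon'
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No Sasser indicators found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    'Indicators found: disconnect this host from the network and run a full antivirus scan.'
}
```

The script only reports; it changes nothing on the host, so it can be run repeatedly while an incident is being scoped. A file that is signed by Microsoft but carries one of the worm's names is flagged for manual review rather than cleared, since a name match alone is never the deciding signal.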

Why Is sasser.exe Running on My PC?

sasser.exe runs to propagate itself across networks and maintain control over infected hosts. It can start automatically and consume resources while scanning and spreading.

Can I Disable or Remove sasser.exe?

Yes, sasser.exe can be stopped and removed, but only as part of a full disinfection: isolate the machine, apply patches, and clean all infected files.

Common Problems: Infection Symptoms and Remedies

If a machine is infected with Sasser, you may see rapid network activity, unexpected reboots, and high CPU/memory usage during propagation attempts.

Common Causes & Solutions

Quick Fixes:
1. Run a trusted antivirus to identify sasser.exe and its related components.
2. Disconnect from the network to stop propagation.
3. Update Windows and apply the LSASS-related security patches.
4. Delete detected sasser.exe/avserve.exe/avserve2.exe files from System32.
5. Check and remove startup items in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and clear temporary folders.
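The Quick Fixes above as one added cleanup routine, not code from the original page. It assumes a modern Windows host with PowerShell 5 or later run locally from an elevated prompt (Disable-NetAdapter cuts any remote session); the file names and the Startup folder path are those the page gives. The routine performs the network disconnect first, before stopping processes and deleting files, so the host cannot keep scanning while it is being cleaned; patching (Quick Fix 3) is left to Windows Update and the routine only reports the OS version so the operator can confirm the update level afterwards.

```powershell
# Added example (not from the original page): remediation following the Quick Fixes list.
# Assumptions: modern Windows with PowerShell 5+, run locally from an elevated prompt.
# The function supports -WhatIf, so the final call below only reports what it would do;
# drop -WhatIf to perform the changes.

function Invoke-SasserCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$SuspectNames  = @('sasser.exe', 'avserve.exe', 'avserve2.exe'),   # names from the page
        [string]  $StartupFolder = 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup'  # from the page
    )
    $system32 = Join-Path $env:SystemRoot 'System32'

    # Quick Fix 2 first: take the host off the network so it stops scanning and spreading.
    foreach ($adapter in Get-NetAdapter | Where-Object Status -eq 'Up') {
        if ($PSCmdlet.ShouldProcess($adapter.Name, 'Disable network adapter')) {
            Disable-NetAdapter -Name $adapter.Name -Confirm:$false
        }
    }

    # Quick Fix 1: stop any running copy so the dropped files are not locked on deletion.
    foreach ($proc in Get-Process | Where-Object { $SuspectNames -contains ($_.ProcessName + '.exe') }) {
        if ($PSCmdlet.ShouldProcess("PID $($proc.Id) ($($proc.ProcessName))", 'Stop process')) {
            Stop-Process -Id $proc.Id -Force
        }
    }

    # Quick Fix 4: delete the dropped files from System32.
    foreach ($name in $SuspectNames) {
        $path = Join-Path $system32 $name
        if ((Test-Path $path) -and $PSCmdlet.ShouldProcess($path, 'Delete dropped file')) {
            Remove-Item -LiteralPath $path -Force
        }
    }

    # Quick Fix 5: remove startup items and any copies in the temp folder.
    # Only files carrying the worm's names are removed, so every deletion stays reviewable.
    $toRemove = @(Get-ChildItem -Path $StartupFolder -File -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue)
    foreach ($file in $toRemove | Where-Object { $SuspectNames -contains $_.Name }) {
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Delete persistence/temp copy')) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }

    # Quick Fix 3: patching is done through Windows Update after cleanup; report the
    # current OS version so the operator can confirm the update level once it is done.
    Get-CimInstance -ClassName Win32_OperatingSystem |
        Select-Object Caption, Version, BuildNumber, LastBootUpTime
}

# Dry run: lists the adapters, processes and files that would be affected.
Invoke-SasserCleanup -WhatIf
```

Run the dry run first and read the list of adapters, processes and files it prints; then rerun without -WhatIf. Because the adapters are disabled as the first step, the host must be reconnected manually (Enable-NetAdapter) once the antivirus scan and Windows Update have completed.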

Frequently Asked Questions

What is the Sasser worm?

Sasser is a network worm that exploited a vulnerability in LSASS on Windows XP/2000 to propagate to other machines, often causing reboots and widespread infection.

Is sasser.exe a virus?

Yes. sasser.exe is the main payload of the Sasser worm and is not a legitimate system process.

How did Sasser spread?

It scanned for vulnerable Windows machines on the network, exploited LSASS, copied itself as avserve.exe/avserve2.exe, and forced remote execution on new hosts.

How do I remove Sasser from a PC?

Isolate the machine, update Windows, run a full antivirus/rescue scan, delete sasser-related files, and remove startup entries; then scan the entire network for infections.

Can Sasser still infect modern Windows machines?

Unlikely on up-to-date systems, but legacy networks with unpatched Windows 2000/XP machines remain at risk without proper patches and segmentation.

What Windows versions were affected by Sasser?

Sasser primarily affected Windows 2000 and Windows XP without current security updates.
