This guide describes some possible causes of a worm infection and the steps you can take to fix the problem.
What To Do Now
Use the following free Microsoft software to detect and remove this threat:
- Windows Defender for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista
You should also do a full scan. A full scan can find other hidden malware.
Disable automatic execution
This threat attempts to use the Windows AutoPlay feature to propagate through removable storage devices such as USB drives. You can disable autorun to prevent worms from spreading:
- Disable Windows Autostart
Scan removable disk
Be sure to scan any removable or portable drives. If you have Microsoft security software, see this section on our software help page:
- How to scan a removable disk, such as a flash drive?
You can also find more help at our advanced troubleshooting page.
If you’re using Windows XP, see our Windows XP end of support page.
W32/Sasser-G is a network worm that spreads using the Microsoft LSASS vulnerability.
W32/Sasser-G also creates and runs SKYNET.CPL in the Windows folder, which Sophos recognizes as W32/NetSky-AC.
The worm copies itself to the Windows folder as AVSERVE3.EXE and sets the following registry entry to start automatically when the user logs on:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
avserve3 = avserve3.exe
W32/Sasser-G tries to connect to random IP addresses on ports TCP/445 and TCP/9996 and then exploits the LSASS vulnerability. If successful, an FTP script is downloaded and run on the remote computer; the script connects to port 5554 to download a copy of the worm via FTP.
W32/Sasser-G may cause the LSASS.EXE program to terminate, usually prompting Windows to shut down and restart. However, W32/Sasser-G tries to prevent the system from shutting down.
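The artifacts described above (the avserve3 Run value, the two files in the Windows folder, and ports 5554 and 9996) can be checked on a host with a short read-only PowerShell script. This is an added example, not code from Microsoft or Sophos; the function name Test-SasserGIndicators is hypothetical, and it assumes the Windows folder is the one in %windir%.

```powershell
# Added example: read-only check for the W32/Sasser-G artifacts named on this page.
# Test-SasserGIndicators is a hypothetical name; the indicators come from the page.
function Test-SasserGIndicators {
    param([string]$WindowsDir = $env:windir)

    $findings = @()

    # 1. Run-key persistence: value "avserve3" under HKLM ...\CurrentVersion\Run
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'avserve3' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += New-Object PSObject -Property @{
            Type = 'RunValue'; Detail = "avserve3 = $($run.avserve3)" }
    }

    # 2. Files the worm creates in the Windows folder
    foreach ($name in 'AVSERVE3.EXE', 'SKYNET.CPL') {
        $path = Join-Path $WindowsDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $findings += New-Object PSObject -Property @{ Type = 'File'; Detail = $path }
        }
    }

    # 3. TCP sockets whose local port is 5554 or 9996. netstat is parsed so the
    #    check also runs on older Windows versions without Get-NetTCPConnection.
    #    A port match alone is a lead to investigate, not proof of infection.
    $ports = 5554, 9996
    foreach ($line in (netstat -ano -p TCP)) {
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+(\w+)\s+(\d+)\s*$' -and
            $ports -contains [int]$Matches[1]) {
            $findings += New-Object PSObject -Property @{
                Type   = 'Socket'
                Detail = "local port $($Matches[1]) $($Matches[2]) (PID $($Matches[3]))" }
        }
    }

    return $findings
}

Test-SasserGIndicators | Format-Table Type, Detail -AutoSize
```

An empty result means none of these specific indicators were found; it does not replace the full scan recommended above.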