Sasser seems to be alive and well, here is some information that you may
Based on the information at the Symantec link:
- Blocking destination tcp ports 5554 and 9996 at the routers will stop
the payload being transferred across network segments. (5554 appears to
be the content transfer channel (FTP), 9996 is the remote shell used to
run commands on a host).
- Deploying an IPSec policy with filter actions for Block on port 5554
and 9996 can be used to block the transfer of the payload to or from
individual hosts. Blocking inbound 445 is also possible, but may cause
problems depending on your specific requirements re File and Print
sharing on clients. NB This is a technique to limit the spread of the
virus, not to mitigate the vulnerability.
Group Policy deployment of the removal tool has not been tested to my
- When assigned to a computer, the package is executed using a Local
System logon, so shouldn't encounter any permissions issues.
- The cleanup tool fails if the MS04-011 hotfix is not installed.
- Group Policy does not guarantee an order of completion for assigned
- If the package runs unsuccessfully, it may not be run again by the
software deployment engine; instead, consider using MSI to get the
cleanup tool onto the workstations and a computer startup script to
execute the tool.
- Our typical suggestion is to install MS04-011, reboot, then run the
cleanup tool; GP software deployment may not be able to accomplish this
in a single step.
Show replies by date