
05/05/2004

Blogging at Admin Notes

I initially started this blog in hopes of one day getting MVP status. Those goals were quickly forgotten in a matter of days when I soon realized I was helping out with Windows 2003 Server, Outlook 2003, Exchange 2003, Clustering... the list goes on. Anyways, I'm usually hit with about 5 questions (not nearly as advanced as some questions posted on other blogs) a day, and I know I will take the following statement back someday soon, but "I love answering the questions, and I find it totally gratifying helping others find solutions to MSFT-related issues, or offering opinions on products that I currently use."

Maybe it's because of my boredom at work, or my thirst to be challenged and desire to learn as well.

In any event, this is a lot of fun, so keep the emails coming and I'll keep posting!

What is Kerberos, how does it work ?

In Greek mythology, Kerberos is the three-headed dog that guards the entrance to the underworld. In computing, it's a program that "guards the entrance" to a computer network.
The "heart" of a Kerberos system is the Key Distribution Center (KDC). All the computers associated with a KDC make up what's called a "realm", for example DC.ADMINNOTES.COM.

Kerberos works by way of exchanging encrypted tickets between machines.

This scenario shows how Kerberos was designed to work:

1. The user first logs in directly (not over the network) to a Kerberized desktop computer that is in the DC.ADMINNOTES.COM realm.
2. The user requests authentication for the DC.ADMINNOTES.COM realm, and must enter his or her Kerberos password.
3. Behind the scenes: Kerberos software installed on the desktop is used to derive a key from the password. This key is used to encrypt the exchanges between the local machine and the (remote) KDC in order to achieve authentication. The password is not transmitted between the two machines.
4. When authentication is complete, the user gets a "ticket" (also called a "credential") from the KDC.
5. The user can now connect over the network to other Kerberized hosts without entering his Kerberos password again. Without entering ANY password, in fact! Kerberos negotiates the authentication for each login using the ticket, all behind the scenes.


With the introduction of Windows Server 2003, Kerberos authentication has changed a lot, and for the better.
Normally, a computer account is required for Kerberos authentication. A user must obtain a service ticket for the computer in order to gain access to the computer's resources. Without this user-to-host authentication, the host computer must perform access control by mapping the user name to a name that it maintains in its local account database. The user must run KSETUP to set up such a local mapping.
In Windows 2000, the KDC selects the first encryption type the client offers. In Windows Server 2003, the KDC selects the strongest encryption type supported by the client.
Key version numbers are an optional part of the Kerberos specification. They may be included as part of the Kerberos encrypted data when that data is encrypted with a long-lived key. Windows Server 2003 introduces the use of key version numbers.
The KDC will also no longer issue a service ticket for an account that does not have a Service Principal Name (SPN), such as a plain user account. The motivation is that a service running under a user account with a human-chosen password would make an offline dictionary attack against that service much easier. For an account that does not have an SPN, the KDC returns an error indicating that User-2-User authentication is required.
In the past, SPNs were canonicalized to the Security Accounts Manager (SAM) account name (for example, mycomputer$). This caused problems when a user requested a service with a non-canonical name: the system was unable to detect that it already had a cached ticket for that service and so requested a new service ticket. Now the solution is to just use the SPN that was requested, with no name canonicalization.

For more information, check out the Windows Server 2003 Technical Reference.
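To make the ticket exchange above concrete, here is an added toy model of a KDC, a client and a service (example code written for this page, not anything from the post or from Windows). It walks the same steps: the desktop derives a key from the password and never sends the password, the KDC hands back a ticket-granting ticket, and later service logins use only tickets. It also models two of the Windows Server 2003 points: the KDC picking the strongest common encryption type rather than the first one offered, and refusing a service ticket for a name with no SPN. Everything here is an assumption for the demo: the "seal"/"unseal" routine is a home-made HMAC-based authenticated encryption standing in for real Kerberos encryption types, the encryption-type names and their ordering are illustrative, and the accounts and passwords are constructed sample data.

```python
import hashlib, hmac, json, os, time

REALM = "DC.ADMINNOTES.COM"  # realm name used in the post

# Illustrative encryption types, weakest first (ordering assumed for the demo).
ENCTYPE_STRENGTH = ["des-cbc-crc", "rc4-hmac", "aes256-cts-hmac-sha1-96"]

def choose_enctype(client_offered, first_match=False):
    """Windows 2000 style picks the client's first supported type; 2003 style picks the strongest."""
    supported = [e for e in client_offered if e in ENCTYPE_STRENGTH]
    if not supported:
        raise ValueError("no common encryption type")
    return supported[0] if first_match else max(supported, key=ENCTYPE_STRENGTH.index)

def string_to_key(password, principal):
    """Derive a long-term key from the password (PBKDF2 as a toy stand-in for Kerberos string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption of a JSON body: HMAC keystream XOR, then encrypt-then-MAC tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self):
        self.keys = {}                # principal -> long-term key; the password itself is never stored or sent
        self.spns = {}                # SPN -> service account that owns it
        self.krbtgt = os.urandom(32)  # key that seals ticket-granting tickets

    def add_account(self, name, password, spn=None):
        self.keys[name] = string_to_key(password, name)
        if spn:
            self.spns[spn] = name

    def as_exchange(self, user, preauth):
        """AS exchange: the client proves it knows its key by sealing a timestamp; it gets a TGT back."""
        key = self.keys[user]
        if abs(time.time() - unseal(key, preauth)["timestamp"]) > 300:  # unseal fails on a wrong password
            raise ValueError("clock skew too large")
        session = os.urandom(32).hex()
        tgt = seal(self.krbtgt, {"user": user, "session": session})
        return tgt, seal(key, {"session": session})

    def tgs_exchange(self, tgt, authenticator, spn):
        """TGS exchange: validate the TGT and authenticator, then issue a ticket for the requested SPN."""
        body = unseal(self.krbtgt, tgt)
        auth = unseal(bytes.fromhex(body["session"]), authenticator)
        if auth["user"] != body["user"]:
            raise ValueError("authenticator does not match TGT")
        if spn not in self.spns:
            # Windows Server 2003 rule from the post: no SPN, no service ticket.
            raise LookupError("KDC error: no SPN for this name, User-2-User required")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[self.spns[spn]], {"user": body["user"], "session": svc_session, "spn": spn})
        return ticket, seal(bytes.fromhex(body["session"]), {"session": svc_session, "spn": spn})

def client_login(kdc, user, password):
    """Desktop login: the key is derived locally; only sealed data crosses to the KDC."""
    key = string_to_key(password, user)
    tgt, rep = kdc.as_exchange(user, seal(key, {"timestamp": time.time()}))
    return {"user": user, "tgt": tgt, "session": bytes.fromhex(unseal(key, rep)["session"])}

def client_service_ticket(kdc, creds, spn):
    """Later network access: no password, just the TGT plus a fresh authenticator."""
    authenticator = seal(creds["session"], {"user": creds["user"], "timestamp": time.time()})
    ticket, rep = kdc.tgs_exchange(creds["tgt"], authenticator, spn)
    return ticket, bytes.fromhex(unseal(creds["session"], rep)["session"])

def service_accept(service_key, ticket, authenticator):
    """Service side: open the ticket with the service's own key and check the authenticator."""
    body = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(body["session"]), authenticator)
    if auth["user"] != body["user"]:
        raise ValueError("authenticator does not match ticket")
    return body["user"]

def demo():
    """Constructed sample realm: one user, one file server with an SPN, one plain user account."""
    kdc = KDC()
    kdc.add_account("alice", "alice-sample-password")
    kdc.add_account("fileserver$", "machine-account-secret", spn="cifs/fileserver.dc.adminnotes.com")
    kdc.add_account("bob", "bob-sample-password")  # user account without an SPN: no service ticket for it
    creds = client_login(kdc, "alice", "alice-sample-password")
    ticket, sess = client_service_ticket(kdc, creds, "cifs/fileserver.dc.adminnotes.com")
    auth = seal(sess, {"user": "alice", "timestamp": time.time()})
    return service_accept(kdc.keys["fileserver$"], ticket, auth)  # the service would hold its own key

if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` returns `"alice"`, the name the file server learned purely from tickets. A wrong password makes the KDC's `unseal` of the pre-authentication fail, so nothing password-derived ever leaves the desktop in the clear, and asking for `host/bob` (an account with no SPN) is refused with the User-2-User error rather than handing out a ticket that could be attacked offline.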

Passwords that should NEVER be used

Granted, this came from a Linux site, but when it comes to security and passwords, this should apply to all operating systems.

PASSWORDS THAT SHOULD NEVER BE USED... and I mean never-ever!

05/04/2004

Have the Sasser virus and unable to figure out how to remove it?

There are a few ways to remove this worm and prevent it from coming back.

You can get more info from Microsoft here:
http://www.microsoft.com/security/incident/sasser.asp

You can also try these removal tools:
Symantec's removal tool

Network Associates removal tool

Or you could try removing it manually:


1. End the malicious process.
2. Disable System Restore (Windows Me/XP).
3. Update the virus definitions.
4. Run a full system scan and delete all the files detected as W32.Sasser.Worm.
5. Reverse the change made to the registry.

For details on each of these steps, read the following instructions.

1. To end the malicious process:
a. Press Ctrl+Alt+Delete once.
b. Click Task Manager.
c. Click the Processes tab.
d. Double-click the Image Name column header to alphabetically sort the processes.
e. Scroll through the list and look for the following processes:
- avserve.exe
- any process with a name consisting of 4 or 5 digits followed by _up.exe (e.g. 74354_up.exe).
f. If you find any such process, click it, and then click End Process.
g. Exit the Task Manager.

2. To disable System Restore (Windows Me/XP)
If you are running Windows Me or Windows XP, we recommend that you
temporarily turn off System Restore. Windows Me/XP uses this feature, which
is enabled by default, to restore the files on your computer in case they
become damaged. If a virus, worm, or Trojan infects a computer, System
Restore may back up the virus, worm, or Trojan on the computer.

Windows prevents outside programs, including antivirus programs, from
modifying System Restore. Therefore, antivirus programs or tools cannot
remove threats in the System Restore folder. As a result, System Restore has
the potential of restoring an infected file on your computer, even after you
have cleaned the infected files from all the other locations.

Also, a virus scan may detect a threat in the System Restore folder even
though you have removed the threat.

Windows XP:
1. Click Start > Programs > Accessories > Windows Explorer.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box.
5. Click Apply.
6. This will delete all existing restore points. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do.
----------------------------------------------------------------------------
Note: When you are completely finished with the removal procedure and are
satisfied that the threat has been removed, re-enable System Restore by
following the instructions in reverse.
----------------------------------------------------------------------------

3. Update your virus definitions from NAI or Symantec.

4. Scan and delete the infected files

Run a full system scan.
If any files are detected as infected with W32.Sasser.Worm, click Delete.

5. To reverse the change made to the registry

a. Click Start, and then click Run. (The Run dialog box appears.)
b. Type regedit, then click OK. (The Registry Editor opens.)

c. Navigate to the key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

d. In the right pane, delete the value:

"avserve.exe"="%Windir%\avserve.exe"

e. Exit the Registry Editor.
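If you have a lot of machines to check, the indicators from steps 1 and 5 (the avserve.exe process, the NNNN_up.exe or NNNNN_up.exe helper processes, and the "avserve.exe" value under the Run key) can be hunted for in saved `tasklist` output and `.reg` exports instead of clicking through Task Manager and regedit on each box. The script below is an added example written for this page, not a tool from Symantec, NAI or Microsoft; the tasklist output and registry export it parses are constructed sample data that mimic the layout of those tools, and the only indicators it knows are the ones listed in the removal steps above.

```python
import re

# Indicators taken from the removal steps: the worm's own process name, its
# 4-or-5-digit "_up.exe" helper processes, and the Run value it adds.
WORM_PROCESS = re.compile(r"^(avserve\.exe|\d{4,5}_up\.exe)$", re.IGNORECASE)
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = re.compile(r'^"avserve\.exe"="[^"]*\\avserve\.exe"$', re.IGNORECASE)

def find_worm_processes(tasklist_output):
    """Return (image name, PID) pairs from tasklist-style output that match the worm's names."""
    hits = []
    for line in tasklist_output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue  # header, separator, blank, or multi-word name such as "System Idle Process"
        if WORM_PROCESS.match(parts[0]):
            hits.append((parts[0], int(parts[1])))
    return hits

def find_worm_run_values(reg_export):
    """Return offending value lines found under the Run key in a regedit .reg export."""
    hits, in_run_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run_key = line.strip("[]").lower() == RUN_KEY.lower()  # track which key we are under
        elif in_run_key and RUN_VALUE.match(line):
            hits.append(line)
    return hits

# Constructed sample tasklist output: two benign processes plus the two worm indicators.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
explorer.exe                1120 Console                 0     12,344 K
avserve.exe                 1504 Console                 0      2,116 K
74354_up.exe                1612 Console                 0      1,020 K
notepad.exe                 1700 Console                 0      3,004 K
"""

# Constructed sample .reg export (regedit doubles backslashes inside values).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"avserve.exe"="%Windir%\\avserve.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"avserve.exe"="%Windir%\\avserve.exe"
"""

if __name__ == "__main__":
    for name, pid in find_worm_processes(SAMPLE_TASKLIST):
        print(f"suspicious process: {name} (PID {pid})")
    for value in find_worm_run_values(SAMPLE_REG):
        print(f"suspicious Run value: {value}")
```

On the sample data it reports avserve.exe and 74354_up.exe from the process list and exactly one registry value, the one under Run; the copy placed under RunOnce in the sample is deliberately ignored because the removal steps only name the Run key. On a real machine you would feed it the output of `tasklist` and of `regedit /e` for that key, and anything it flags still needs the full scan in step 4, since a clean process list only says the worm is not running right now.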
