Hi All,
 
Sasser seems to be alive and well, here is some information that you may find useful.
 
--
Based on the information at the Symantec link:
- Blocking destination tcp ports 5554 and 9996 at the routers will stop the payload being transferred across network segments. (5554 appears to be the content transfer channel (FTP), 9996 is the remote shell used to run commands on a host).
- Deploying an IPSec policy with filter actions for Block on port 5554 and 9996 can be used to block the transfer of the payload to or from individual hosts. Blocking inbound 445 is also possible, but may cause problems depending on your specific requirements re File and Print sharing on clients. NB This is a technique to limit the spread of the virus, not to mitigate the vulnerability.
--
Group Policy deployment of the removal tool has not been tested to my knowledge, but:
- When assigned to a computer, the package is executed using a Local System logon, so shouldn't encounter any permissions issues.
- The cleanup tool fails if the MS04-011 hotfix is not installed.
- Group Policy does not guarantee an order of completion for assigned packages.
- If the package runs unsuccessfully, it may not be run again by the software deployment engine; instead, consider using MSI to get the cleanup tool onto the workstations and a computer startup script to execute the tool.
- Our typical suggestion is to install MS04-011, reboot, then run the cleanup tool; GP software deployment may not be able to accomplish this in a single step.