W32.Sasser.D can only execute on Windows XP systems. The worm can exploit a vulnerable (unpatched) Windows 2000 machine remotely and copy itself to that machine. However, it will exit before running any code. In such cases, this worm will produce the following error:
The procedure entry point IcmpSendEcho could not be located in the dynamic link library iphlpapi.dll.
Block TCP ports 5554, 9995, and 445 at the perimeter firewall and install the appropriate Microsoft patch (MS04-011) to prevent the remote exploitation of the vulnerability.
This threat is written in C++ and is packed with PECompact.
Removal: install the patch, remove from startup by antivirus (also check How To Remove section)Startup Optimizer.