I'm in no danger of becoming an MVP, but here's SANS
Internet Storm Center's take on this question, published
this morning:

A reader asked why we recommend a complete rebuild of
systems infected with 'sasser', given that 'sasser' is
rather benign and easy to clean.
The problem with 'sasser' is that it is an indicator
exploit. The fact that you are infected with 'sasser'
indicates that you were vulnerable to the LSASS exploit.
Before sasser, a large number of bot variants exploited
this same vulnerability. We find that many systems
infected with 'sasser' are infected with one or more bots
in addition to 'sasser'.
Each day, we receive several distinct 'bot' samples.
Antivirus signatures are typically not able to keep up
with all versions, and many 'bots' include specific code
to plant backdoors, disable firewalls and antivirus
products, or to add additional system accounts.
Antivirus software is not able to reliably detect and
clean all of these bots. As a result, it is impossible to
tell if any of these bots are left on your system. Only a
thorough (and costly) forensics analysis by a trained
specialist will provide some assurance.
As a result, if you are infected by 'sasser', try to
rebuild your system from scratch. For detailed
instructions on setting up a new system safely, see
http://www.sans.org/rr/papers/index.php?id=1298 (Windows
XP: Surviving the first day). If you acquire a new
system, assume it is not yet patched and use extreme care
the first time you connect it to the network.