SASSER VIRUS INFO - lsass.exe terminates with an error code

  • DuckIT
  • Graduate
  • Graduate
  • User avatar
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

I must admit I don't know the full info on this virus, but have seen a similar problem to yours today....

I was working on a poor guy's computer who had got this over the weekend. When I arrived his machine was in a constant reboot loop (i.e. it crashed & burnt before even hitting the desktop. Safe Mode was screwed too!). He told me of a system message he got earlier regarding LSASS.exe, so I pretty much guessed it was the Sasser virus. Because of the reboot loop I had to use a disc to load the machine (I use the excellent ERD Commander by Winternals); this allowed me to run the Symantec tool, and sure enough I found 18 (!) copies of the virus.

Unfortunately even with all of the above, his machine was still constantly rebooting. I tried a few more things but in the end had to rebuild the OS. Even tried an 'in place upgrade' to keep his settings but that did the same thing! Man this virus can suck! :evil:

I can only guess that perhaps there is some destructive element of Sasser that can occur that maybe wrecks lsass.exe?? It's a pretty essential service.

S

  • conorific
  • Proficient
  • Proficient
  • User avatar
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

Eeeesh. I'd hate that to happen to my computer. *grabs CPU and holds it protectively*

Is there any word on who's coming out with the miracle fix to kill this thing? If it's anyone, it ought to be Microsoft. Grar. Silly MS.
  • -DaVinci-
  • Born
  • Born
  • -DaVinci-
  • Posts: 1

Post 3+ Months Ago

I'm having the same problem, I have the virus as well. Right now I have ME installed; should I install XP then get rid of the virus, or get rid of the virus then install?? :shock: damn virus :evil:
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

If you intend to install XP anyway, installing it will basically give you the option to format your drive. That will nix the virus and all the other files on your computer, so do a backup first if you can (but it may not prevent you from getting it again). Windows XP does come with a built-in firewall. In my opinion, it's not the best I've seen, but at least it is one. You access it by going to network properties on your network connection and clicking the Advanced tab. If I recall, the option will be there. (Sorry if that's not 100 percent right, that's from memory.)

If you do install XP, make sure your first step after your driver and chipset install is to download the current critical updates. Those should include the updates that will reduce the risk of the Sasser exploitation of the LSASS vulnerability.
  • Ragnar78
  • Proficient
  • Proficient
  • Ragnar78
  • Posts: 279

Post 3+ Months Ago

The best firewall I ever tested while gaming and surfing on the net was the built-in firewall in my AV, PC-cillin Internet Security 2004...

When I use the Direct Connection option for the firewall and test my PC with the Norton Security Response web, my PC is Stealth all the way, and games never lag, not a bit, and don't even drop connection.

This is why I hate ZoneAlarm... it's good at what it does, but a bit TOO good, so that you have to drop the protection to be able to play games or upload to a web site etc...
  • DuckIT
  • Graduate
  • Graduate
  • User avatar
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

If you want to check how open you are Gibson Research offers a good free firewall check on their site (as well as many handy freeware programs for security etc). Go here:

http://www.grc.com

...and browse down to 'Shields Up' in the hotspots area. Note that if you do have a firewall such as ZoneAlarm, it will go crazy whilst you scan your machine as, as far as it's concerned, it's under attack! Do not be alarmed if you get these messages! The common ports test is probably the best for most purposes, but it can scan all the standard <1056 ports.

Also, another good tool to see if you have open ports is TCPView by Sysinternals. They make some really good freeware utilities that don't even need installing:

http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Be warned though that TCPView isn't for the faint of heart & it won't mean much unless you know what you're looking for. Also remember that these are the open ports on your machine. If you're behind a hardware or software firewall then you will still be protected! It's just handy for spotting ports that a lot of viruses leave open these days.

S
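The TCPView advice above amounts to listing what is listening and deciding whether each listener belongs there. The following is an added example (not from the thread or from Sysinternals) that does the same triage over `netstat -ano` output on Windows: it parses the listing, keeps only listening sockets, compares them against a hypothetical baseline of expected listeners and reports the rest with the owning PID, externally bound sockets first. The sample output and the baseline are constructed for the example.

```python
"""Triage listening ports from `netstat -ano` output (Windows).

Added example. The sample listing and the baseline of expected listeners are
constructed, not captured from any machine in the thread.
"""
import subprocess
import sys

# Constructed sample of `netstat -ano` output (not real capture data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING       1720
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1036      192.168.1.20:80        ESTABLISHED     1720
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:54321          *:*                                    1720
"""

# Hypothetical workstation baseline: RPC endpoint mapper and SMB only.
# Anything else that is listening gets reported for a human to review.
EXPECTED_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 445)}


def split_addr(addr):
    """Split 'host:port' into (host, port); port is None for '*' style fields."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per socket line; header, blank and title lines are skipped."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        # UDP rows carry no State column, so the PID is always the last field.
        state = parts[3] if proto == "TCP" and len(parts) >= 5 else ""
        pid = int(parts[-1])
        host, port = split_addr(local)
        rows.append({"proto": proto, "host": host, "port": port,
                     "foreign": foreign, "state": state, "pid": pid})
    return rows


def listeners(rows):
    """TCP sockets in LISTENING state plus every UDP socket (UDP has no state)."""
    return [r for r in rows
            if (r["proto"] == "TCP" and r["state"] == "LISTENING") or r["proto"] == "UDP"]


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Listeners whose (proto, port) is not in the baseline, network-reachable ones first."""
    found = [r for r in listeners(parse_netstat(text))
             if (r["proto"], r["port"]) not in expected]
    # A socket bound to 0.0.0.0 is reachable from the network; loopback-only ones matter less.
    return sorted(found, key=lambda r: (r["host"] != "0.0.0.0", r["port"]))


if __name__ == "__main__":
    # On Windows, read the live listing; elsewhere fall back to the constructed sample.
    if sys.platform.startswith("win"):
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT
    for r in unexpected_listeners(text):
        print(f"{r['proto']:<4} {r['host']}:{r['port']:<6} pid={r['pid']}")
```

The baseline is the important part: on a box you are cleaning, build it from a known-good machine of the same role rather than from the infected one, and treat every 0.0.0.0-bound listener that is not in it as something to explain (which process, and why) before putting the machine back on the network.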
  • FunkerMitis
  • Born
  • Born
  • FunkerMitis
  • Posts: 4

Post 3+ Months Ago

OK I'm having a huge problem. I know it's Sasser, because the computer just keeps rebooting. Uhh, I can't even get into Windows with Safe Mode before it reboots itself. When the whole warning thing came out, Microsoft refused to let me download a security update. No, my XP is not cracked. Microsoft is just a bunch of bastards. Their Sasser help line doesn't even work.

Uhh... Anyway this began two nights ago when I got back from work. The computer screen was completely frozen, and when I rebooted the computer it just kept restarting. PLEASE tell me I don't have to wipe my system..... Thanks.
  • DuckIT
  • Graduate
  • Graduate
  • User avatar
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

Umm, sorry, but yes, the only resolution I found to this was a rebuild (when it goes into this nasty reboot loop and you can't even get to the desktop).

See my post above on all the things I tried when it did this. Hoping someone can suggest something better though!

S
  • FunkerMitis
  • Born
  • Born
  • FunkerMitis
  • Posts: 4

Post 3+ Months Ago

*shudder* I'm an artist, and I'll be hideously screwed if I have to wipe the computer, but if I absolutely have to, I'll do it.... Thanks for the suggestion, every little bit of advice is appreciated!
  • FunkerMitis
  • Born
  • Born
  • FunkerMitis
  • Posts: 4

Post 3+ Months Ago

This may be far fetched, but I am able to boot the computer from the CD drive using BIOS and all that wonderful stuff.... If I, perhaps, wrote a CD with something that could get rid of Sasser, would that MAYBE work? I just rolled out of bed and have devoted this whole day to figuring this out........
  • DuckIT
  • Graduate
  • Graduate
  • User avatar
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

What you're suggesting may work *if* you knew what was wrong with Windows, i.e. which files are corrupted or whatever the problem is. I was unable to do this, so good luck!

What's the problem with rebuilding? Loss of data, I take it? If you can get a program similar to ERD Commander (http://www.winternals.com) to access the files then you can maybe copy them to floppy or something? The data itself should still be there, it's just Windows that's dead. It's just getting at it that can be fun!

Another idea, if you have a spare hard disk, would be to replace your current hard drive with that, load Windows onto it, then attach your old virused drive as a slave and copy all the data off that way. Then once you have the data backed up you can rebuild the first hard drive, no probs!

S
  • FunkerMitis
  • Born
  • Born
  • FunkerMitis
  • Posts: 4

Post 3+ Months Ago

Yeah I'll look into getting that program, because my artwork is sorta crucial to everything.... GRRR to digital art heh.... I'll see about creating a system backup and everything. Thanks for the help!
  • Joyous
  • Newbie
  • Newbie
  • Joyous
  • Posts: 8

Post 3+ Months Ago

For the record, in case anyone didn't know, typing shutdown -a in run will stop the shutdown process.

Was very helpful when I was trying to remove the stupid thing; giving yourself a minute isn't very useful. ;)

For the record, when i first tried to remove it, i was heading here..

http://support.gateway.com/s/issues/2-976684501.shtml

I was under the impression it was the blaster worm, until I figured out that lsass.exe was causing it all the time.

I'm not sure if anyone has posted a good link for it yet (haven't read 100% of the thread :D ), but here's the one i used.

http://securityresponse.symantec.com/av ... .worm.html

http://emblems.utopiatemple.com/pic21371.jpg

As you see, it worked for me. Hopefully it helps you folks. :)
  • Joyous
  • Newbie
  • Newbie
  • Joyous
  • Posts: 8

Post 3+ Months Ago

As of the update, squeaky clean and working fine, as it did before the stupid Sasser worm.

Don't worry about making CDs or anything silly for it, it's really not necessary. Just check out Symantec's site, grab the fix, and patch it up (after running shutdown -a, or you'll never have time to do it ;) )
  • mercerm
  • Born
  • Born
  • mercerm
  • Posts: 1

Post 3+ Months Ago

After I connect to the internet (dial-up), I will soon get a message saying that the system is shutting down by NT AUTHORITY/SYSTEM. I get 60 seconds and it cuts off; it says by lsass.exe or something. When I run Norton Anti-Virus, it picks up the Welchia virus and the Backdoor.Sdbot virus. Norton was unable to delete or quarantine; it kept failing.
I found a Welchia virus tool that took it off, but I can't get rid of this Backdoor.Sdbot virus. Norton says it's located in windows/system32/system32.exe.

I can't delete it and I tried to in regular and safe mode.

I really would appreciate someone giving me step by step to get rid of this thing.

Last night I used the Run box: shutdown -a, and downloaded all the current critical updates from Microsoft, like 13 of them, and then turned my computer off. Help me please!
  • Joyous
  • Newbie
  • Newbie
  • Joyous
  • Posts: 8

Post 3+ Months Ago

What on earth? Welchia has nothing to do with the lsass exploitability... it sounds like your computer has a lot of problems :(

Ok, here's my suggestion on what to do..

#1: If welchia is gone, then check out :

http://securityresponse.symantec.com/av ... sdbot.html
http://www.pestpatrol.com/pestinfo/b/ba ... %20Removal

Get rid of the backdoor; if nothing else, Ad-Aware or other generic removal programs might even work on it.

#2: Restart your computer, if the window pops up use shutdown -a and follow the link that i posted in the last post to get rid of your lsass problem.

#3: Restart your computer again, and be happy. (Unless you have random other viruses? ;) )
  • Joyous
  • Newbie
  • Newbie
  • Joyous
  • Posts: 8

Post 3+ Months Ago

Oh! And of course, the most important part.

http://www.microsoft.com/downloads/deta ... laylang=en

Get that patch, and apply it.

You'll be safe from sasser. :)
  • meteorogold
  • Born
  • Born
  • meteorogold
  • Posts: 1

Post 3+ Months Ago

Hi, I have a Sygate Personal Firewall, and it has been the only way to stop the turning off of my computer. What else can I do!!! to remove Sasser... what else, I don't know what to do!! :(
  • Ragnar78
  • Proficient
  • Proficient
  • Ragnar78
  • Posts: 279

Post 3+ Months Ago

Hola, ¿qué tal? (Hi, how's it going?)

(It's the only Spanish I know :P )
Check out the specific details for removal instructions in this topic, but I'll make it a little bit easier...
APPLY THE MICROSOFT PATCH (MÁS IMPORTANTE: most important)
and then get a removal tool for Sasser
  • zoolander
  • Born
  • Born
  • zoolander
  • Posts: 4

Post 3+ Months Ago

so i removed the worm with the removal tool and installed the MS patch, but now i can run my Liveupdate or load up the symantec website. i'm thinking the worm caused this. does anyone know how to fix this problem???
  • Ragnar78
  • Proficient
  • Proficient
  • Ragnar78
  • Posts: 279

Post 3+ Months Ago

Quote:
so i removed the worm with the removal tool and installed the MS patch, but now i can run my Liveupdate or load up the symantec website. i'm thinking the worm caused this. does anyone know how to fix this problem???


???
you can or you can't?
if you can't, then reinstall your NAV...
  • zoolander
  • Born
  • Born
  • zoolander
  • Posts: 4

Post 3+ Months Ago

doh sorry typo. i meant i can't. i've already tried reinstalling :(
  • Ragnar78
  • Proficient
  • Proficient
  • Ragnar78
  • Posts: 279

Post 3+ Months Ago

Sorry, but I don't think Sasser attacks or tries to disable AVs...
Can you tell me if Sasser rebooted your PC a LOT of times?
This might have affected Windows stability... so you might consider repairing it... and reinstall all the patches...
And if it's only Norton that is not installing, I heard from some people that they had some problems installing it on their machines (up to 3 or 4 tries before it worked, so...)
  • FireFox
  • Born
  • Born
  • FireFox
  • Posts: 1

Post 3+ Months Ago

Hi all. :?

OK, can this file Lsass.exe really be removed from your system??

I did everything to get rid of it, scanned with Trojan scanners, virus utils, etc., etc. I later decided to do another format and a new fresh re-install of XP.

When I got XP onto the system, I downloaded the Trojan tools and virus killers again and did another scan, and guess what, it was found on my system again; how, I don't know why... I found the file in the Windows/system32/ directory...

The only way to get rid of this file is to do a Safe Mode boot, go to that directory and delete it, as you can't delete it in normal Windows mode!!

But I'd still like to know how, after formatting my drive 2 times and doing a fresh re-install, this poxy file was still here... I even scanned my CDs and didn't find it, so I can only think that it must automatically download itself secretly when you first log in to the internet, OR it doesn't get cleaned by any antivirus or Trojan cleaners...

Any input would be gratefully received.

Firefox. 8)
  • Ragnar78
  • Proficient
  • Proficient
  • Ragnar78
  • Posts: 279

Post 3+ Months Ago

A 4 page input...

PATCH YOUR WINDOWS WITH WINDOWS UPDATE
http://www.ozzu.com/ftopic24247.html
  • zoolander
  • Born
  • Born
  • zoolander
  • Posts: 4

Post 3+ Months Ago

Ragnar78 wrote:
Sorry, but I don't think Sasser attacks or tries to disable AVs...
Can you tell me if Sasser rebooted your PC a LOT of times?
This might have affected Windows stability... so you might consider repairing it... and reinstall all the patches...
And if it's only Norton that is not installing, I heard from some people that they had some problems installing it on their machines (up to 3 or 4 tries before it worked, so...)


I've read that one of the symptoms of this worm is that it prevents you from reaching AV sites like Symantec. But anyway, I tried these instructions that I found elsewhere:

-----------------------------------
Open the "Hosts" file in Notepad and delete everything in there apart from this line:

127.0.0.1 localhost
-----------------------------------

and there was this big list of AV sites that included Symantec and F-Secure, so I deleted all those entries and I could reach Symantec finally, but my LiveUpdate still wouldn't update. Uninstalled and reinstalled my AV but no luck. Did a reboot and I was back to square one... couldn't get to Symantec again. Looked into the hosts file and saw that list in there again! I deleted the entries again and uninstalled my Symantec Corporate Edition AV and surfing to those sites was fine. I rebooted my XP and same problem again. So it looks to me like there's some file(s) still on my system causing the problem... anybody managed to fix this problem??
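The hosts-file symptom in the post above (vendor sites pinned to 127.0.0.1, and the list coming back after every reboot) is easy to check for mechanically. The following is an added example, not code from the thread or from any vendor: it parses a hosts file, reports security-vendor names that have been pointed at a sinkhole address, and rewrites the file keeping comments and legitimate custom entries. The vendor domain list and the tampered sample file are constructed for the example; the hosts path is the standard Windows location.

```python
"""Audit a Windows hosts file for security-vendor domains pinned to loopback.

Added example. The vendor list, the sample tampered file and the baseline are
constructed; nothing here is captured from the machines in the thread.
"""

HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"  # standard location on XP and later

# Constructed sample of a tampered hosts file (not real capture data).
TAMPERED_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com liveupdate.symantec.com
127.0.0.1       www.f-secure.com
10.0.0.5        intranet.example.test   # legitimate local entry
"""

# What a stock file boils down to: the single line the post tells you to keep.
CLEAN_HOSTS = "127.0.0.1       localhost\n"

# Addresses that turn a name into a black hole.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed list of AV/update vendor domains that should never be pinned in hosts.
VENDOR_DOMAINS = ("symantec.com", "symantecliveupdate.com", "f-secure.com",
                  "microsoft.com", "windowsupdate.com")


def is_vendor(name):
    """True if name is a vendor domain or a subdomain of one (exact label match)."""
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def parse_hosts(text):
    """Return (line_no, address, [names]) per mapping line; comments stripped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        addr, *names = body.split()
        entries.append((n, addr, [x.lower() for x in names]))
    return entries


def find_hijacked(text):
    """Return (line_no, address, name) for every vendor name sent to a sinkhole."""
    hits = []
    for n, addr, names in parse_hosts(text):
        if addr in SINKHOLE_ADDRS:
            hits.extend((n, addr, x) for x in names if is_vendor(x))
    return hits


def clean_hosts(text):
    """Rewrite the file: comments and legitimate entries kept, hijacked names dropped."""
    bad = {(n, x) for n, _, x in find_hijacked(text)}
    out = []
    for n, raw in enumerate(text.splitlines(), 1):
        body, sep, comment = raw.partition("#")
        parts = body.split()
        if not parts:            # blank or comment-only line: keep verbatim
            out.append(raw)
            continue
        addr = parts[0]
        names = [x for x in parts[1:] if (n, x.lower()) not in bad]
        if names:                # drop the line entirely if every name on it was hijacked
            out.append(f"{addr:<15} {' '.join(names)}" + (f"  #{comment}" if sep else ""))
    return "\n".join(out) + "\n"


def audit_file(path=HOSTS_PATH):
    """Read a hosts file from disk and return its hijacked entries."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hijacked(fh.read())


if __name__ == "__main__":
    for line_no, addr, name in find_hijacked(TAMPERED_HOSTS):
        print(f"line {line_no}: {name} -> {addr}")
    print(clean_hosts(TAMPERED_HOSTS))
```

Run the audit once after cleaning and again after the next reboot: if the entries return, as in the post, something still on the machine is rewriting the file, and the cleaner only buys you a window to reach the vendor site and fetch the removal tool and patch.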
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Zoolander. Turn off system restore and try again.
  • conorific
  • Proficient
  • Proficient
  • User avatar
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

FireFox:

We already addressed the issue of whether lsass.exe can be deleted. Once again: the Sasser worm targets a vulnerability in lsass.exe. It's not lsass.exe itself that's causing the problem. It's actually a critical system process.

Next time, please read more carefully and ask for clarification if you don't understand. :wink:
  • zoolander
  • Born
  • Born
  • zoolander
  • Posts: 4

Post 3+ Months Ago

ATNO/TW wrote:
Zoolander. Turn off system restore and try again.


i turned off my system restore when running the removal tool and it's still off. any other suggestions?
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Well, I only had to fix one computer with this worm. Unfortunately, there were two other viruses on the machine. All I did was follow the instructions exactly and used the removal tool for all three (fortunately all three had a removal tool).

The only thing I did differently that I don't believe was recommended or suggested, as far as I could see, was to turn on XP's firewall before connecting to the internet again.

I made the assumption that if the perpetrator of the virus had my IP, then the machine was apt to get hit again, probably almost instantaneously.

The owner of the computer hasn't had any problems since and it's been at least 3 or 4 days now, I think. Not sure if that will work for you. I'm just relating what I did, and it was fixed on the first try.
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.