SASSER VIRUS INFO - lsass.exe terminates with an error code

  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

Every twenty minutes or so, I get a message stating that lsass.exe has terminated with -(bunch of numbers) and the system will shut down in 60 seconds. I run Windows XP Home. What's happening, and how can I stop it?
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

You have a virus, and the newest one... it's the Sasser worm...
It hits Lsass.exe's vulnerability...

If you have an AV then update it and scan your PC... if not, try a web scan from some of the biggest companies like Norton, McAfee or Trend Micro...

Oh, and update Windows... grab the latest patches...
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

In case it's the virus, which I'm 90% sure it is, this is what you should do:

1. Open Windows Task Manager.
   On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file(s) detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start > Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE > Software > Microsoft > Windows > CurrentVersion > Run
3. In the right panel, locate and delete the entry or entries:
   avserve.exe = %Windows%\avserve.exe
4. Close Registry Editor.

(taken from the Trend Micro website)
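The manual procedure above can be scripted so that the same indicators are checked every time, and so that nothing is changed until you have seen the report. The script below is an added example, not code from this thread or from Trend Micro: it looks for the avserve.exe / avserve2.exe processes, the avserve.exe value under the Run key and the dropped file in %Windows%, and only stops or deletes anything when -Remove is passed. It assumes PowerShell is available on the host and that it runs in an elevated (administrator) session.

```powershell
<#
Added example, not code from the thread or from Trend Micro: report-only triage for
the Sasser indicators named in the steps above (avserve.exe / avserve2.exe processes,
the avserve.exe value under HKLM\...\Run, and the worm file in %Windows%).
Assumptions: PowerShell is available on the host and the script runs in an elevated
(administrator) session. Nothing is stopped or deleted unless -Remove is passed.
#>
param([switch]$Remove)

$SuspectProcesses = @('avserve', 'avserve2')          # Get-Process names carry no .exe suffix
$SuspectFiles     = @('avserve.exe', 'avserve2.exe') | ForEach-Object { Join-Path $env:windir $_ }
$RunKey           = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$SuspectRunValues = @('avserve.exe')

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Kind, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# 1. Running processes (the Task Manager step above). Stop by PID, never by name, so a
#    legitimate process that merely shares the name is not hit by accident.
foreach ($name in $SuspectProcesses) {
    foreach ($p in Get-Process -Name $name -ErrorAction SilentlyContinue) {
        Add-Finding 'process' $p.ProcessName "PID $($p.Id) path=$($p.Path)"
        if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    }
}

# 2. Autostart value under the Run key (the Registry Editor step above). Get-ItemProperty
#    returns one object whose properties are the value names, so look the value up by name.
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($value in $SuspectRunValues) {
    if ($run -and $run.PSObject.Properties[$value]) {
        Add-Finding 'autostart' $value $run.$value
        if ($Remove) { Remove-ItemProperty -Path $RunKey -Name $value -ErrorAction SilentlyContinue }
    }
}

# 3. The dropped file itself, at the path the Run value points to (%Windows%\avserve.exe).
foreach ($file in $SuspectFiles) {
    if (Test-Path -LiteralPath $file) {
        Add-Finding 'file' (Split-Path $file -Leaf) $file
        if ($Remove) { Remove-Item -LiteralPath $file -Force -ErrorAction SilentlyContinue }
    }
}

# 4. Report. Run it again after a reboot: if the same entries come back, the host is being
#    re-exploited over the network and needs the LSASS patch and a firewall, not another cleanup.
if ($findings.Count -eq 0) {
    Write-Host 'No Sasser indicators found (processes, Run-key values or files).'
} else {
    $findings | Format-Table -AutoSize
    if ($Remove) { Write-Host 'Removal attempted; reboot and re-run to confirm nothing returned.' }
    else         { Write-Host 'Report only. Re-run with -Remove to stop the processes and delete the entries.' }
}
```

Save it as a .ps1 and run it once without -Remove to see what is present, then with -Remove. The point of the second run after a reboot is the one the rest of this thread keeps coming back to: if the entries reappear, cleaning the disk is not the fix, the unpatched LSASS service is being hit again from the network.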
  • dimchandeliers
  • Newbie
  • Posts: 13

Post 3+ Months Ago

Here are some of the processes running. I've done searches, but no info. I ran Ad-Aware and got rid of a lot of bad stuff but some is still there:

1. avserve.exe
2. avserve2.exe
3. hognubn.exe
4. rundll32 cwcprops
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

These are the Sasser worm...
You have to remove them manually...
I posted an explanation in the 'Lsass' topic.
  • UNFLUX
  • Genius
  • Posts: 6376
  • Loc: twitter.com/unflux

Post 3+ Months Ago

Good info, thanks Ragnar78 :D
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

*sighs* Two posts on the Sasser worm in one day. Now I need to go look this up and find out what it does and how it replicates so I don't have to go around fixing a bunch of computers next week.

Like UNFLUX said, Ragnar78, good info (see, I even spelled your name right this time *wink*).
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Thanks ATNO/TW and UNFLUX :D

Actually the worm is like Witty, it doesn't spread through mail, it just needs to see that you're online...

I'm wondering what MS process doesn't have a vulnerability? :shock:
  • Scar
  • Born
  • Posts: 1

Post 3+ Months Ago

The same is happening to me, it's Worm Sasser. I keep deleting it with Norton but it keeps coming back...

Every time I come on it says "LSA Shell (export version) error". After about 20-40 minutes it will then start the NT AUTHORITY/SYSTEM crap and give me 60 seconds.
  • dimchandeliers
  • Newbie
  • Posts: 13

Post 3+ Months Ago

WARNING
I downloaded and ran Avert's Stinger. It detected and removed the Sasser worm. BTW, I disabled System Restore as instructed.
I'm back online and AVSERVE2 is RUNNING AGAIN!!!!!!!!!
Seems like every time I go online the worm returns.
HELP!!!!!!!!!!!
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Symantec has a removal tool for W32.Sasser.Worm and W32.SasserB.Worm and can be found here along with instructions:

http://securityresponse.symantec.com/av ... .tool.html

More information about SasserB can be found here:
http://securityresponse.symantec.com/av ... .worm.html

And about Sasser here:
http://securityresponse.symantec.com/av ... .worm.html

You do not have to have Norton or Symantec AV protection to use the tool.
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Don't forget to update Windows...
It's a patch that is needed, and not only a removal tool...

Actually Sasser doesn't need to be sent by email or executed to be activated on a PC...
You just have to be connected for it to work...
  • UNFLUX
  • Genius
  • Posts: 6376
  • Loc: twitter.com/unflux

Post 3+ Months Ago

I merged the 2 Sasser threads together, since it's all the same info/topic.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Thanks UNFLUX -- I should have thought of that. I think I'm going to remote into work and check things out and do some Critical updates on the computers that are lacking.
  • The^Watcher
  • Student
  • Posts: 72
  • Loc: Sabah, Malaysia

Post 3+ Months Ago

Regarding this worm W32/Sasser.A...
If I get infected with it... besides using protection... can I get rid of it by reformatting and reinstalling the system?
  • SeanLeclaire626
  • Born
  • Posts: 1

Post 3+ Months Ago

I searched the net for the lsass.exe error, and came to this forum, and saw this post of my exact problem. I followed everything that was said to do, but it would seem it didn't do much for my computer; it still comes up with the error after about 20-40 mins and restarts, just to do it again after another amount of time. I've deleted the autostart file from the registry and closed it from the Task Manager. I've run the Symantec removal tool, and it said I didn't have the virus. I'm downloading an AV, even though I've scanned my computer and that's how I got rid of what I first came upon, which was a file MSBLAST.exe. Can somebody please help me out? I even did a system restore, so I have no programs on my computer, which means it hasn't got the updates for Windows, and I can't get them because it takes longer than 20 mins to get them, so I have a small problem there. Thx for your time.
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Hi,

Well, actually MSBlaster does the same thing (in a very simplified way) as Sasser: they both shut down your PC.

Now honestly, I suggest you try and grab all the Windows patches through Updates...
Sasser can only be removed by the Norton removal tool, but it can reinstall itself easily due to a flaw in Lsass.exe that needs to be patched... so no matter how often you remove it, you will still grab Sasser.

The same goes for MSBlaster... you can remove the processes but you will get it back again due to a flaw in the DCOM RPC that Windows uses...
So if you are attacked with MSBlaster or Sasser, no matter how tough the AV you have, you will still be infected...
Now the only solution I find, since you cannot update correctly, is to set your firewall to the highest possible security level...
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

heeheee -- I knew when I read these posts over the weekend that I'd be having to fix this on somebody's machine; sure enough, I'm sitting here with one of our executives' 80-year-old mother's computer with Sasser, Welchia and Blaster on it! *lol* I'll let you know how it goes.
  • dimchandeliers
  • Newbie
  • Posts: 13

Post 3+ Months Ago

The Sasser is gone!
Thanks guys.
Big outbreak though. It's all over the news.
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

There are a couple of key things in avoiding a recurrence.
1) Make sure you have the patch installed. The patch was released April 13 in Critical Updates and you should install it if you haven't done so already. (You may need to run the worm removal tool first before downloading the patch if you hadn't done so prior.)

http://www.microsoft.com/security/secur ... indows.asp

2) The patch should take care of things, but if you are on XP enable the Firewall, or get a firewall program like ZoneAlarm, or use Symantec's or McAfee's Firewall if available.

3) If you are on XP, make sure you disable the "restore" as described in the symantec security response article before running the removal tool.

http://securityresponse.symantec.com/av ... .tool.html

4) In the last 30 days, there have been over 100 viruses/trojans/worms identified. Here are some "best practices" that Symantec recommends:

Quote:
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


// Added note from what I've been reading today -- if you have a hardware firewall or your company uses a hardware firewall you should be at low risk on Sasser. BTW, it appears two more variants appeared over the weekend.

http://www.symantec.com/avcenter/venc/d ... .worm.html
http://www.symantec.com/avcenter/venc/d ... ser.d.html
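The three controls this post and Ragnar78's earlier reply keep returning to are: the LSASS patch, a host firewall, and fewer exposed services. The script below is an added example, not code from this thread, Symantec or Microsoft, that checks each of them and prints a pass/fail line per check. It assumes a Windows host with PowerShell and the NetSecurity module (Windows 8 / Server 2012 or later) run as administrator; $LsassPatchKb is a placeholder, because the thread gives the patch's release date but not its KB number, so fill that in from the Microsoft bulletin before use.

```powershell
<#
Added example, not code from the thread, Symantec or Microsoft: verifies the controls
the post above says prevent reinfection (the LSASS patch, a host firewall) and lists what
is still listening on the network, for the "turn off unneeded services" item.
Assumptions: Windows 8 / Server 2012 or later with the NetSecurity module, run as
administrator. $LsassPatchKb is a placeholder: the thread does not give the KB number of
the April 13 critical update, so fill it in from the Microsoft bulletin.
#>
$LsassPatchKb = 'KBnnnnnn'   # placeholder, see note above
$pass = $true

function Report([bool]$Ok, [string]$Message) {
    if ($Ok) { Write-Host "PASS  $Message" }
    else     { Write-Host "FAIL  $Message"; $script:pass = $false }
}

# 1. Is the patch installed? Get-HotFix reads the installed-updates list Windows Update maintains.
$fix = Get-HotFix -Id $LsassPatchKb -ErrorAction SilentlyContinue
Report ($null -ne $fix) "LSASS patch $LsassPatchKb installed$(if ($fix) { ' on ' + $fix.InstalledOn })"

# 2. Firewall on, and blocking inbound by default, for every profile. An open inbound path
#    is what lets an already-infected neighbour find the unpatched host again and reinstall.
foreach ($profile in Get-NetFirewallProfile) {
    Report ($profile.Enabled -eq 'True') "firewall enabled for profile '$($profile.Name)'"
    Report ($profile.DefaultInboundAction -ne 'Allow') "default inbound action for '$($profile.Name)' is $($profile.DefaultInboundAction)"
}

# 3. Exposure review: every listening TCP socket with its owning process. This makes the
#    Symantec "turn off and remove unneeded services" item concrete: each row is a service
#    reachable from the network that must be either needed and patched, or disabled.
Write-Host "`nListening TCP ports (review each one; disable the service if it is not needed):"
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = $proc.ProcessName
            PID     = $_.OwningProcess
        }
    } | Format-Table -AutoSize

if (-not $pass) {
    Write-Host "`nOne or more checks failed; fix them before reconnecting this host to the network."
    exit 1
}
Write-Host "`nAll checks passed."
```

Run it as a saved .ps1 rather than pasting it into an interactive console, since the final exit 1 is meant to fail a scripted rollout, not close your session. The listening-port table is deliberately not filtered: the decision about which services an 80-year-old mother's computer needs is yours, and the script only makes the exposure visible.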
  • tyalangan
  • Born
  • Posts: 1
  • Loc: Chicago

Post 3+ Months Ago

HI Guys. I need some help. I definitely have this sasser thing going on but the fix-it tool from microsoft doesn't work. I am not a computer genius in the least - i stumbled across this site trying to find a solution to this problem. If anyone has any tips for me it would be great.

Thanks!
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

tyalangan wrote:
HI Guys. I need some help. I definitely have this sasser thing going on but the fix-it tool from microsoft doesn't work. I am not a computer genius in the least - i stumbled across this site trying to find a solution to this problem. If anyone has any tips for me it would be great.

Thanks!


What OS? XP or Win2K? Read everything I just posted above you. I gave every detail I found today. The Firewall is particularly important (especially if you are on broadband), because if your ports remain open, the attacking computer may find you again easily and reinstall it.

P.S. Try the removal tool from symantec. It worked for the one computer I had that was infected:

http://securityresponse.symantec.com/av ... .tool.html
  • DuckIT
  • Graduate
  • Posts: 155
  • Loc: London, UK

Post 3+ Months Ago

ZoneAlarm is a good free firewall (for personal use) and, as long as you're not trying to do anything complicated over the net, the default install should be fine. Otherwise it may need some fiddling if you do VPNs or gaming etc. to get it working properly.

A big agree on the Symantec removal tools. Use them all the time. They take forever to run, but work very well.

By the way, this site is number 4 on the list if you do a search in Google for 'Removing Sasser' so you may get a *few* hits to this thread :lol:
  • aggie
  • Born
  • Posts: 1

Post 3+ Months Ago

Hello, I have tried deleting the lsass.exe in the running processes window. I am denied access even though I am an administrator. I have also tried running the removal tool I downloaded from Norton. It comes back saying that there is no Sasser on the computer. What am I missing? We have 2 computers with lsass.exe in the running processes, both Windows 2000.
Thanks
Rick
  • ATNO/TW
  • Super Moderator
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

lsass.exe should be running on both computers aggie. That's not the worm. That's the Windows service that the worm tries to exploit. You should be OK.
  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

Aggie: lsass.exe is one of them spooky critical system processes. As ATNO/TW said, the worm infects a vulnerability in it. Welcome to Microsoft :x

To everyone else: thank you for replying. I came back here a few days after I started the thread, because I found it on my laptop (gar!) and it came back after I tried to remove it. Good thing I discovered all the info here.

I'm going to run the Symantec tool, download Windows patches and crank up the firewall. I'll let you know if anything else happens.

In the meantime, I've just had the Task Manager open so I can kill inetman.exe and cool.exe when they come up on the list of processes. Works so far.

*le sigh*
  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

................Maggie's bewildered!

I ran the Symantec tool, and...behold! I HAVE NO WORM. But five minutes before, NT AUTHORITY killed my computer after 60 seconds.

What the hell happened?
  • Ragnar78
  • Proficient
  • Posts: 279

Post 3+ Months Ago

Don't question your luck :D
As long as you applied the patch and didn't find the worm... it's good :wink:
  • conorific
  • Proficient
  • Posts: 350
  • Loc: NY

Post 3+ Months Ago

But that's just it! I didn't do aaaaaaaaanything. Cursèd computers. Whatever.
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.