SASSER VIRUS INFO - lsass.exe terminates with an error code

  • conorific
  • Proficient
  • Joined: Jan 12, 2004
  • Posts: 350
  • Loc: NY

Post May 1st, 2004, 3:23 pm

Every twenty minutes or so, I get a message stating that lsass.exe has terminated with -(bunch of numbers) and the system will shut down in 60 seconds. I run Windows XP Home. What's happening, and how can I stop it?

  • Ragnar78
  • Proficient
  • Joined: Feb 12, 2004
  • Posts: 279

Post May 1st, 2004, 3:45 pm

You have a virus, and the newest one... it's the Sasser worm...
It hits the Lsass.exe vulnerability...

If you have an AV then update it and scan your PC... if not, try a web scan from some of the biggest companies like Norton, McAfee or Trend Micro...

Oh and update windows...grab the latest patches...
  • Ragnar78
  • Proficient
  • Joined: Feb 12, 2004
  • Posts: 279

Post May 1st, 2004, 3:48 pm

In case it's the virus, which I'm 90% sure of, this is what you should do:

1. Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE. On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the Processes tab.
2. In the list of running programs*, locate the malware file(s) detected earlier.
3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
4. Do the same for all detected malware files in the list of running processes.
5. To check if the malware process has been terminated, close Task Manager, and then open it again.
6. Close Task Manager.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

1. Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
2. In the left panel, double-click the following:
   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
3. In the right panel, locate and delete the entry or entries:
   avserve.exe = %Windows%\avserve.exe
4. Close Registry Editor.

(taken from Trend Micro website)
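
The manual checks in the post above, as an added PowerShell example that is not part of the original post or of Trend Micro's instructions: it looks for the file names reported in this thread (avserve.exe, avserve2.exe) among running processes and in the Run key. It assumes a Windows host with PowerShell and administrator rights; the `-Remove` switch is this script's own.

```powershell
# Added example: look for the Sasser file names mentioned in this thread in the
# process list and the HKLM Run key. Read-only unless -Remove is given.
param([switch]$Remove)   # -Remove is this script's own (hypothetical) switch

# File names reported in the thread; not a complete indicator list.
$indicators = @('avserve.exe', 'avserve2.exe')
$runKeyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# Running processes: Get-Process matches on the name without ".exe".
$procNames = $indicators | ForEach-Object { [IO.Path]::GetFileNameWithoutExtension($_) }
$procs = @(Get-Process -Name $procNames -ErrorAction SilentlyContinue)

# Run-key values: flag an entry when its name is an indicator or its command
# references an indicator as a whole file name (not a substring of another name).
$runKey = Get-Item -Path $runKeyPath
$entries = @(foreach ($name in $runKey.GetValueNames()) {
    $command = [string]$runKey.GetValue($name)
    foreach ($ind in $indicators) {
        $pattern = '(^|[\\/"\s])' + [regex]::Escape($ind) + '($|["\s])'
        if ($name -eq $ind -or $command -match $pattern) {
            [pscustomobject]@{ ValueName = $name; Command = $command }
            break
        }
    }
})

$procs   | ForEach-Object { "PROCESS  pid=$($_.Id)  $($_.ProcessName)" }
$entries | ForEach-Object { "AUTOSTART  $($_.ValueName) = $($_.Command)" }
if (-not $procs -and -not $entries) { 'No matching process or Run entry found.' }

if ($Remove) {
    # Same order as the manual steps: end the process, then delete the entry.
    $procs   | ForEach-Object { Stop-Process -Id $_.Id -Force }
    $entries | ForEach-Object { Remove-ItemProperty -Path $runKeyPath -Name $_.ValueName }
}
```

As later replies in this thread point out, cleanup of this kind does not hold if the machine goes back online without the Windows patch.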

Post May 1st, 2004, 3:59 pm

Here are some of the processes running. I've done searches - but no info. I ran Ad-Aware and got rid of a lot of bad stuff but some is still there.


1. avserve.exe
2. avserve2.exe
3. hognubn.exe
4. rundll32 cwcprops
  • Ragnar78
  • Proficient
  • Joined: Feb 12, 2004
  • Posts: 279

Post May 1st, 2004, 4:16 pm

These are the Sasser worm...
You have to remove them manually...
I posted an explanation in the 'Lsass' topic.
  • UNFLUX
  • Genius
  • Joined: Dec 20, 2002
  • Posts: 6396
  • Loc: unflux.net

Post May 1st, 2004, 5:15 pm

good info - thanks Ragnar78 :D
  • UNFLUX
  • Genius
  • Joined: Dec 20, 2002
  • Posts: 6396
  • Loc: unflux.net

Post May 1st, 2004, 5:15 pm

just in case you miss it: http://www.ozzu.com/ftopic24247.html
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 22496
  • Loc: Pittsburgh PA

Post May 1st, 2004, 5:24 pm

*sighs Two posts on the Sasser worm in one day. Now I need to go look this up and find out what it does and how it replicates so I don't have to go around fixing a bunch of computers next week.

Like UNFLUX said, Ragnar78, good info (see, I even spelled your name right this time *wink)
"The web is a dominatrix. Every where I turn, I see little buttons ordering me to Submit."
  • Ragnar78
  • Proficient
  • Joined: Feb 12, 2004
  • Posts: 279

Post May 1st, 2004, 11:52 pm

Thanks ATNO/TW and UNFLUX :D

Actually the worm is like Witty, it doesn't spread through mail, it just needs to see that you're online...

I'm wondering what MS process doesn't have a vulnerability? :shock:
  • Scar
  • Born
  • Joined: May 02, 2004
  • Posts: 1

Post May 2nd, 2004, 6:01 am

The same is happening to me, it's Worm Sasser. I keep deleting it with Norton but it keeps coming back...

Every time I come on it says "LSA Shell (export version) error". After about 20 - 40 minutes it will then start the NT AUTHORITY/SYSTEM crap and give me 60 seconds.

Post May 2nd, 2004, 7:42 am

WARNING
I downloaded and ran Avert's Stinger. It detected and removed the Sasser Worm. BTW, I disabled system restore as instructed.
I'm back online and AVSERVE2 is RUNNING AGAIN!!!!!!!!!
Seems like every time I go online the worm returns.
HELP!!!!!!!!!!!
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 22496
  • Loc: Pittsburgh PA

Post May 2nd, 2004, 7:55 am

Symantec has a removal tool for W32.Sasser.Worm and W32.SasserB.Worm, which can be found here along with instructions:

http://securityresponse.symantec.com/av ... .tool.html

More information about SasserB can be found here:
http://securityresponse.symantec.com/av ... .worm.html

And about Sasser here:
http://securityresponse.symantec.com/av ... .worm.html

You do not have to have Norton or Symantec AV protection to use the tool.
  • Ragnar78
  • Proficient
  • Joined: Feb 12, 2004
  • Posts: 279

Post May 2nd, 2004, 9:07 am

Don't forget to update Windows...
It's a patch that is needed and not only a removal tool...

Actually Sasser doesn't need to be sent by email or executed to be activated on a PC...
You just have to be connected for it to work...
  • UNFLUX
  • Genius
  • Joined: Dec 20, 2002
  • Posts: 6396
  • Loc: unflux.net

Post May 2nd, 2004, 9:57 am

I merged the 2 sasser threads together, since it's all the same info/topic
  • ATNO/TW
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 22496
  • Loc: Pittsburgh PA

Post May 2nd, 2004, 10:15 am

Thanks UNFLUX -- I should have thought of that. I think I'm going to remote into work and check things out and do some Critical updates on the computers that are lacking.