What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

I have yahoo dsl and have located the lsass.exe I am having issues connecting to the internet. I reset my modem and it connects for a short time then disconnects. I have updated my virus scan and ran it. I was wondering if this is virus related?

Mandar: have you followed the instructions in the article?

Trin: Your best bet is to get an Anti-Virus product and current definitions on a CD-Rom - then disconnect your machine from the internet and run the scan. Any of the major scanners should do, but if you're burning a CD-ROM, I'd go ahead and put two on there, and run them both, each in turn. Recommendations here: http://ask-leo.com/d-recommend

David: it's hard to say. It could be any of a number of things. When you say "located the lsass.exe" what do you mean? It's a valid system file on every Windows XP machine, so it's presence does not mean anything.

Hi all,
I have up-to-date Zone-Alarm, and got the signs of the SASSER virus, but it never got to do it's nasty thing.
There was an instance of something like "Lsass (Export Version)" but it asked me if I wanted it to talk to the outside world: Fortunately being a wary kind of guy I said no, and disaster was averted.
Do what Leo says, keep your AV software BANG UP TO DATE! Yes, a software firewall will help and give a certain peace of mind, but it may not be bombproof.
If you run a tight ship, you'll be the least likely to get stung.
JoeM

I have Norton Personal Firewall 2004. I got a message asking me if I wanted to let the program LSASS.EXE access the internet. It RECOMMENDED that I allow it to do so! Haha. But I said NO, and told it to block all attempts, because I was not sure what LSASS.EXE was. I am glad I did! But at least the firewall brought it to my attention. I feel a bit safer now.

Hi,
How i delete "lsass" without anti virus?

My PC is shuting down every 15min it is showing error of your windows going to shutdown within 50seconds ther is some error in lsass.exe please help me in this regards

Kaveh: you do NOT delete LSASS. It is a required system file. You need to identify which virus you have (sasser, or some other), and then remove that. The best approach is to use an anti-virus software package. Recommendations here: http://ask-leo.com/d-recommend

Rafi: you need to read the full article you just added your comment to.

To post a comment on "What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?", please return to that article's main page.