What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

Read the article that everyone's commenting on.
Subscribe to the RSS Feed for comments on this article.

I just experienced it a while ago. I dunno if I'm correct but it has got to do something with the window updates. I've noticed that everytime I connect to the internet, the windows update shows up on the taskbar and automatically downloads and so is the lsass.exe error message. So what I did, I finished DL-ing the latest windows update first then changed the windows update setting to "notify first blah blah blah" and it worked.... for now.

How to kill the Isass????????????????????

DON'T kill it. It's a part of the operating system, and Windows won't run without it. Read the article for what to do.

Huh, hate to be the dumb guy here, But what is LSASS? And why do we need it?

The short version is that LSASS.EXE is simply one of the files that make up part of the Windows operating system itself. LSASS stands for "Local Security Authority Subsystem Service". Windows can't run without it.

I have several protecting programs running, (i.e. Norton's Internet Security, SpySweeper, Spybot S&D, GhostSurf2005, Adaware, Panda, and Pest Patrol) all of which are updated every few days. None of these seem to be able to detect anything relating to the lsass, but I am constantly getting the system shutdown notice from the lsass file. I barely have time to run them before the pc shuts off, and even when I run them in time, they still do not detect any threats. Help??
Any ideas would be greatly appreciated.
Thanks!

My guess is that you're not behind a firewall and or you may be under attack from another machine that is infected. Make sure you're fully patched, and get behind a firewall if you can.

Hi, Leo

My problem is different as above comments.

My Win2K server (SP4) is a DC. When it was set up about 3 years ago, I installed NAV Ver 5.0. After a year, I removed NAV.which made the system un-stable. One year ago, the system started rebooting by itself occasionary. In November '03, I installed NOD32 AV and found Nimda.E virus. Then AV scan everyday.

The reboot have carried on for more than a year and show me this error,

Application exception occurred:
App: lsass.exe (pid=264)
When: 2/8/2004 @ 15:44:10.814
Exception number: c0000005 (access violation)

I don't think it was affected by Sasser because it happended before Sasser was found. It rebooted randomly from once two weeks to 3 times a day. No particular process/log happened before the reboot. Then I found lsass.exe caused it.

I searched the Net but none of them matched my case so far. I guess it could be the result of the removal of Norton AV.

I did install the MS Sasser update and scanned the system with MS and Norton remove tool. No virus found.

Any comment would be appreciated.

Thanks, Yuggie

Given the instability caused by NAV, I'd be really tempted to reinstall Win2k - at least a repair install on top of your existing install. It's too difficult at this point to really diagnose as there are so many unknowns.

what is the meening of"shutdown -a" command?
but how will we close our system after using this command?

To post a comment on "What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?", please return to that article's main page.