I know I have that Sasser worm because it is just as you describe... an error message comes up about lsass.exe and shuts down in 60 seconds. However, when I run the Sasser remover tool, it says my computer is NOT infected with the Sasser virus. What do I do now?
Posted by: ivy at May 18, 2004 8:38 AM

Here's the direct link: http://www.sysinternals.com/ntw2k/freeware/procexp.shtml - it sounds like you've probably got some kind of corruption going on, possibly a virus. I would immediately run a virus scan (making sure to update the virus definitions), a spyware scan (though that seems less likely with these symptoms), and possibly the System File Checker (http://ask-leo.com/archives/000074.html). Good luck!
Posted by: Leo at May 18, 2004 8:40 AM

Again, when I clicked on the direct link for the Process Explorer my internet just closed down again. It seems to be when I try to reach a site to do with PC safety my browser closes down, and I cannot get to the Norton site to get an online virus check. Any ideas are greatly appreciated.
Posted by: Eoghan at May 18, 2004 9:09 AM

As I expected. The article above talks about being able to reach some sites and not others, and how the virus can make that happen - and what to do. Look for the section that begins: "Update: Apparently the Sasser worm also modifies a configuration file ..." and follow the instructions there.
Posted by: Leo at May 18, 2004 9:16 AM

I'm sorry for all the bother but I cannot find the section that you have recommended. Do you have a link or something to get me there?
Posted by: Eoghan at May 18, 2004 9:22 AM

It should be on the same page as the page you're commenting on. http://ask-leo.com/archives/000114.html
Posted by: Leo at May 18, 2004 9:33 AM

I have done what the update has said to do but when I open the host file there is no list of sites. It just has the local host entry, but still I cannot get to any of the sites.
Posted by: Eoghan at May 18, 2004 9:34 AM

EVERYONE: I just added an update to the article. There are Sasser variants running around that exploit the same vulnerability, may have similar symptoms, but won't be removed by Sasser removal tools. Check the updated article (http://ask-leo.com/archives/000114.html) for links to Symantec's site where there is more information and removal instructions.
Posted by: Leo at May 18, 2004 9:36 AM

Eoghan: I don't have a good answer for you, I'm afraid. Right now the only thing that comes to mind is to get anti-virus software and updates onto your computer using another computer and a floppy disk or CD-ROM. I know that's not an option for everyone. If I come up with more information I'll post it here.
Posted by: Leo at May 18, 2004 9:38 AM

Thanks for all the help anyway, Leo. I'll be back later to check for updates.
Posted by: Eoghan at May 18, 2004 9:40 AM

To post a comment on "What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?", please return to that article's main page.