Ask Leo! by Leo A. Notenboom

What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

Comments

Thank you for all the links to antiviruses and all that, it will be helpful. I attempted to check the hosts file, I found it, but I cannot open it. A message says it can't open it, because it doesn't know what created it, so it says it can go online and check, and I get a page cannot be found, it tries to go to HTTP 400 - Bad Request - Microsoft Internet Explorer... I was very convinced it was this Sasser thing that I've got, but I've probably got a whole collection... I'll start with trying the download for the Sasser worm. If problems continue I'll move on from there... Well... thanks again - Beau

Posted by: Beau at June 7, 2004 8:24 PM

Instead of double clicking on the hosts file, run notepad, and then use File, Open to open the file directly. That should let you see what's inside.

Posted by: Leo at June 7, 2004 8:57 PM

Sometimes when I connect to the Internet (dialup), my McAfee firewall alerts me that the program LSASS.EXE has changed since the last time it accessed the Internet. I do not seem to have any of the symptoms of Sasser, and the file "C:\windows\system32\drivers\etc\hosts" does not exist. Should I allow LSASS.EXE to connect to the Internet whenever it asks? I am running Win2K.

Also, a separate question. May I place a link to your website on mine?

Posted by: Carl Ingalls at June 9, 2004 6:37 AM

I'm suspicious about your LSASS issue. You may be infected with something - perhaps not Sasser, but similar. I'd make very sure that you're running an up-to-date virus scanner regularly. I would not let lsass connect out - I'm not aware of any reason that it should.

And yes, thanks for any link!

Posted by: Leo at June 9, 2004 9:10 AM

Leo,
When I type in the "\windows\system32\drivers\etc\HOSTS" my computer only goes to the etc part and does not have a "HOSTS"?

What does this mean? Has the hole already been patched by my automatic updates? If the file HOSTS is missing is it a problem? I don't think I have Sasser because I have never had the rebooting problem but was just going to fix it so I don't get it. Then try and figure out how to turn on the firewall in my XP. I have a Dell Dimension 2400 series.

Is it a bad thing that the HOSTS doesn't exist?
Hope I have given you enough info?

Thanks
Gary Wade

Posted by: Gary Wade at June 9, 2004 12:47 PM

While a lack of "hosts" is unusual, it shouldn't in itself cause a problem. Basically I'd simply double check, probably in a command prompt, by going to that directory and looking. Since I don't know *where* you're typing the filename, I don't know that it's really telling you that the file doesn't exist.

Posted by: Leo at June 9, 2004 4:10 PM

I have had the worst time with viruses lately. I have removed the Sasser worm 3X and had a Sdbot worm and have the Bobax worm. I used Trend Micro HouseCall to delete these files. My Norton antivirus protection is somehow disabled and I cannot access it for very long and it closes shortly after opening it. It is no longer on my desktop toolbar (bottom right hand corner near the time) and it indicates in the Norton for the few seconds I can open it that my email scan is in error. It will only stay open for a few seconds. I have removed and reinstalled this program twice and have two firewalls in place now. I am using the HouseCall trial protection for now but I want my Norton back.
Any suggestions? And I want to check my registry so I don't reinfect the PC each time. Any help?

Posted by: lily at June 9, 2004 4:32 PM

Hello. I don't know what is wrong with my computer. I cannot do basically anything on it anymore, so I am using a different one for now. Every time I log on, it waits a few seconds, then does the 60 second shut down thing. I downloaded the fxsasser.exe tool from the Symantec site, but it said I didn't have Sasser. I also cannot scan my computer with Symantec, because whenever I press "scan", the application blows up. I went into the hosts file mentioned above, and there was only the one normal entry. I would appreciate any help. Thanks

Posted by: Tim Nelson at June 10, 2004 9:34 PM

It certainly sounds like you're infected with one of the related viruses. I'd perform as many of the steps as you can from this article, and also run a system file checker (http://ask-leo.com/archives/000074.html). You may need to disconnect from the network, and possibly boot into safe mode or from a floppy or CD in order to run a virus check on your system.

Posted by: Leo at June 10, 2004 9:45 PM

How to remove Sasser virus\worm in computer, please tell me

Posted by: zeeshan at June 11, 2004 2:31 AM