What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

Home » Windows

Summary: LSASS is a Windows component shown in error messages, often due to a virus infection such as Sasser. Learn about LSASS, LSASS.EXE and how to stay safe.

What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am?

The Sasser worm is the most recent and one of the most virulent viruses to impact Windows-based systems. Unlike previous outbreaks, Sasser doesn't even need you to use email or even be at your machine to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE.

Yep, it's a nasty one and an example of sophisticated virus attempts yet to come. Even if you're not infected this is an opportunity to review and implement the steps to keep your computer safe.

•

First, how do you know you have it? Unfortunately, Sasser shares several behaviors common with other recent viruses. The most common sign is that your machine will indicate that there is a problem and will reboot in 60 seconds. The message caused by Sasser should indicate that the problem is in LSASS.EXE.

You should be able to abort the shutdown within those first 60 seconds by doing the following:

• Press the Start button and then the Run menu item.

• Type shutdown -a. That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".

• Press OK.

This doesn't fix anything; it just lets you get on with the business of disinfecting your computer.

Then, take the following steps:

• Use a firewall. This can be as simple as turning on the Internet Connection Firewall included in Windows XP, to purchasing and installing hardware devices such as a NAT router. Either of these solutions will likely protect you from Sasser and many other types of non-email-based threats.

• Install the patch. This patch for your operating system can be found with Microsoft Security Bulletin MS04-011.

• Remove the virus. There are several Sasser removal tools floating around. Microsoft's What You Should Know About the Sasser Worm and Its Variants has one.

• Update and run your Anti-Virus software. Make sure that both of those steps happen automatically in the future as well. For example, my virus scanner is configured to check for updates and run a scan nightly.

• Stay up-to-date. There are several options but I endorse running Windows Automatic Update for Windows XP. My preference is to have it download and notify me of changes that are ready to install. In addition - or, if you prefer, instead - you should also visit Windows Update on a regular basis for additional updates to your system. I probably visit once a month.

The bottom line is that it's a practical reality that we all need to be vigilant about keeping our computers safe. The steps you take to protect yourself from becoming infected are much less onerous than the potential hassle of recovering from a destructive virus. Sasser doesn't appear to be destructive...

...but the next one certainly could be.

Update: Apparently the Sasser worm also modifies a configuration file that renders many Anti-Virus sites and the MicrosoftUpdate site unreachable. So if you can get to this site (Ask Leo!), but not your anti-virus vendor then this might be the problem. It's easy to check.

Open the file "\windows\system32\drivers\etc\hosts" in Notepad. (Press the Start button, click onRun, type Notepad \windows\system32\drivers\etc\hosts, and press OK.) Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Symantec, McAfee, and more, then the worm has struck.

I would take the following steps:

• Close Notepad.

• Open Windows Explorer on the directory containing the file "hosts" (A quick way to do this is to press the Start button, click on Run, type\windows\system32\drivers\etc, and press OK.)

• Right Click on the file hosts and select Rename. Give it a new name, like "oldhosts".

• Run the command "nbtstat -R". (Press the Start button, click on Run, type nbtstat -R, and press OK.) You should only see a window flash on the screen briefly, but this little bit of magic should force Windows to re-lookup any of those names it might be keeping in memory.

Now you should be able to get to your anti-virus sites until you reboot - apparently the Sasser worm will recreate these bogus host file entries each time you reboot. So download your updates and scan to clean up the virus right away.

Update: As was predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are starting to show up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms. I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis. Two current examples of similar viruses include Kibuv-B and Bobax, both of which have removal instructions up on the Symantec Anti-Virus site.

Related:

• How do I keep my computer safe on the internet? An overview of the relevant steps.

• Svchost - A story of crashes, CPU maximization, viruses, exploits and more. An overview of a similar, but different, vulnerability and family of viruses.

• Viruses: How do I keep myself safe from Viruses? Computer viruses are a fact of modern connected life. Anti-virus software is required, and both it and the database it uses should be kept up-to-date.

• What's a firewall and how do I set one up? Firewalls are an important part of keeping your computer safe when connected to the internet. We'll look at what a firewall is and your choices.

• Microsoft - What You Should Know About the Sasser Worm and Its Variants

• Microsoft - Microsoft Security Bulletin MS04-011 detailing the LSASS and related vulnerabilities.

• Symantec - Anti-Virus site.

• Symantec - Bobax details.

• Symantec - Kibuv-B details.

• Symantec - W32.Sasser.Worm details.

Article C1936 - May 8, 2004