Summary: LSASS is a Windows component shown in error messages, often due to a virus infection such as Sasser. Learn about LSASS, LSASS.EXE and how to stay safe.
|
What are "LSASS", "LSASS.EXE" and "Sasser" and how do I know if I'm infected? What do I do if I am? |
The Sasser worm is the most recent and one of the most virulent viruses to impact Windows-based systems. Unlike previous outbreaks, Sasser doesn't even need you to use email or even be at your machine to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE.
Yep, it's a nasty one and an example of sophisticated virus attempts yet to come. Even if you're not infected this is an opportunity to review and implement the steps to keep your computer safe.
•
First, how do you know you have it? Unfortunately, Sasser shares several behaviors common with other recent viruses. The most common sign is that your machine will indicate that there is a problem and will reboot in 60 seconds. The message caused by Sasser should indicate that the problem is in LSASS.EXE.
You should be able to abort the shutdown within those first 60 seconds by doing the following:
-
Press the Start button and then the Run menu item.
-
Type shutdown -a. That's the "shutdown" command, with the "-a" option, which stands for "abort the pending shutdown".
-
Press OK.
This doesn't fix anything; it just lets you get on with the business of disinfecting your computer.
Then, take the following steps:
-
Use a firewall. This can be as simple as turning on the Internet Connection Firewall included in Windows XP, to purchasing and installing hardware devices such as a NAT router. Either of these solutions will likely protect you from Sasser and many other types of non-email-based threats.
-
Install the patch. This patch for your operating system can be found with Microsoft Security Bulletin MS04-011.
-
Remove the virus. There are several Sasser removal tools floating around. Microsoft's What You Should Know About the Sasser Worm and Its Variants has one.
-
Update and run your Anti-Virus software. Make sure that both of those steps happen automatically in the future as well. For example, my virus scanner is configured to check for updates and run a scan nightly.
-
Stay up-to-date. There are several options but I endorse running Windows Automatic Update for Windows XP. My preference is to have it download and notify me of changes that are ready to install. In addition - or, if you prefer, instead - you should also visit Windows Update on a regular basis for additional updates to your system. I probably visit once a month.
The bottom line is that it's a practical reality that we all need to be vigilant about keeping our computers safe. The steps you take to protect yourself from becoming infected are much less onerous than the potential hassle of recovering from a destructive virus. Sasser doesn't appear to be destructive...
...but the next one certainly could be.
Update: Apparently the Sasser worm also modifies a configuration file that renders many Anti-Virus sites and the MicrosoftUpdate site unreachable. So if you can get to this site (Ask Leo!), but not your anti-virus vendor then this might be the problem. It's easy to check.
Open the file "\windows\system32\drivers\etc\hosts" in Notepad. (Press the Start button, click onRun, type Notepad \windows\system32\drivers\etc\hosts, and press OK.) Normally, it will have one entry for something called "localhost". If in addition you see a list of Anti-Virus sites such as Symantec, McAfee, and more, then the worm has struck.
I would take the following steps:
Close Notepad.
Open Windows Explorer on the directory containing the file "hosts" (A quick way to do this is to press the Start button, click on Run, type\windows\system32\drivers\etc, and press OK.)
Right Click on the file hosts and select Rename. Give it a new name, like "oldhosts".
Run the command "nbtstat -R". (Press the Start button, click on Run, type nbtstat -R, and press OK.) You should only see a window flash on the screen briefly, but this little bit of magic should force Windows to re-lookup any of those names it might be keeping in memory.
Now you should be able to get to your anti-virus sites until you reboot - apparently the Sasser worm will recreate these bogus host file entries each time you reboot. So download your updates and scan to clean up the virus right away.
Update: As was predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are starting to show up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms. I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis. Two current examples of similar viruses include Kibuv-B and Bobax, both of which have removal instructions up on the Symantec Anti-Virus site.
Related:
-
How do I keep my computer safe on the internet? An overview of the relevant steps.
-
Svchost - A story of crashes, CPU maximization, viruses, exploits and more. An overview of a similar, but different, vulnerability and family of viruses.
Viruses: How do I keep myself safe from Viruses? Computer viruses are a fact of modern connected life. Anti-virus software is required, and both it and the database it uses should be kept up-to-date.
What's a firewall and how do I set one up? Firewalls are an important part of keeping your computer safe when connected to the internet. We'll look at what a firewall is and your choices.
-
Microsoft - What You Should Know About the Sasser Worm and Its Variants
-
Microsoft - Microsoft Security Bulletin MS04-011 detailing the LSASS and related vulnerabilities.
Symantec - Anti-Virus site.
Symantec - Bobax details.
Symantec - Kibuv-B details.
Symantec - W32.Sasser.Worm details.
Article C1936 - May 8, 2004
ralph those sites u see in notepad mean you are infected, from what ive read online already, im stuc with similar prob, just dont have that variant !
Posted by: stuctoo at July 29, 2007 12:14 PMi had the same virus but my anti virus software disinfected it...all of it. ive done all the checks and nothing seems to be left of the sasser worm. i use panda titanium antivirus software. hope this helps, otherwise the instructions given are accurate in disinfcting your computer.
Posted by: rpk at August 24, 2007 10:44 AMIf your computer keeps booting after your get the lsass.exe error, your security registry hive could be corrupt.
****Do This To Fix It****
You can use your XP disk to boot into recovery mode (recovery mode is just a DOS prompt, there's no reinstallation), or if you don't have an XP CD (and you can't borrow one)
Next
rename "c:\windows\sytem32\config\security" to security.bak
then copy c:\windows\repair\security to the location above.
Posted by: Jaymes at August 29, 2007 7:04 PMThis should get you back into your Windows Installation, update your antivirus progam and start a virus scan to make sure the virus has been cleaned. you might have to re-activate your copy of Windows. I did
i had the same problem couple of weeks ago about the message that appears after windows starts. Here's what i did (by the way im using winxpsp2 on a pc). I simply copied lsass.exe from system32 folder, paste it to windows folder and the error message disappear. I dont know what lsass.exe does but until now i havent encounter any side effects whatsoever, so iguess it works. hope this help.
Posted by: christian at September 16, 2007 7:07 PMEveryony should be aware that Lsass is a virus, lsass is Windows system file that has something to do with logging on. Don't delete it.
Posted by: Wayne at February 25, 2008 5:09 AMhow can I do this if my windows would not load anymore.. after boot up, the screen just displays an error message about lsass.exe is restricted then my pc restarts.. this happens again and again.
Posted by: mike at May 9, 2008 8:40 PM-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
If Windows won't load, you'll need to perform an repair
install of Windows. More here:
http://ask-leo.com/how_should_i_reinstall_windows.html
Thanks,
Leo
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFIJitpCMEe9B/8oqERAiBKAJ9e1QRt343sM/UIxz/vMEzL8FsG1wCfcroa
Posted by: Leo at May 10, 2008 4:10 PMyesC7FA3vKnhUH1/l2lgh0c=
=gWYW
-----END PGP SIGNATURE-----
Thanks for the above article:
Posted by: Rod at May 12, 2008 1:25 PMWhen starting up my laptop I get the Windows loading screen and then I am getting a message prior to Windows login screen. The message box sits on a blue back ground and the header reads "lsass.exe - Application Error", and the txt in the message box reads "The Application Failed to Initialize Properly (0Xc0000006) Click on OK to Terminate the Application". When I click "OK" my laptop sits there with a blue screen and nothing happens, but I can see and move the cursor. I know this isn't a great deal differnt to the other issues posted but it seems like Windows is loading and I am hoping not to have to re-install Windows. Thanks.
RE. cursors.lsass.exe.
Posted by: Gary at August 28, 2008 12:15 PMI uninstalled NERO and the problem has gone away. Must've been something in the program...
If you still get the C:\WINDOWS\Cursors\lsass.exe is not found after removing the infection it is because the file has been placed in the registry. If you run regedit (and back it up before changing anything!) Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Within this key you will see "Shell"="Explorer.exe C:\\WINDOWS\\Cursors\\lsass.exe" Delete the C:\\WINDOWS\\Cursors\\lsass.exe portion and exit the registry. hat will stop the popup error on startup.
Posted by: activenets dot com at October 25, 2008 4:51 PM