What are “LSASS”, “LSASS.EXE” and “Sasser” and how do I know if I’m infected? What do I do if I am?

September 5, 2007

What are “LSASS”, “LSASS.EXE” and “Sasser” and how do I know if I’m infected? What do I do if I am?

The Sasser worm is the most recent and one of the most virulent viruses to impact Windows-based systems. Unlike previous outbreaks, Sasser doesn’t even need you to use email or even be at your machine to infect your computer and continue spreading. It exploits a recently patched vulnerability in something called LSASS.EXE.

Yep, it’s a nasty one and an example of sophisticated virus attempts yet to come. Even if you’re not infected this is an opportunity to review and implement the steps to keep your computer safe.

First, how do you know you have it? Unfortunately, Sasser shares several behaviors common with other recent viruses. The most common sign is that your machine will indicate that there is a problem and will reboot in 60 seconds. The message caused by Sasser should indicate that the problem is in LSASS.EXE.

You should be able to abort the shutdown within those first 60 seconds by doing the following:

  • Press the Start button and then the Run menu item.
  • Type shutdown -a. That’s the “shutdown” command, with the “-a” option, which stands for “abort the pending shutdown”.
  • Press OK.

“The bottom line is that it’s a practical reality that we all need to be vigilant about keeping our computers safe.”

This doesn’t fix anything; it just lets you get on with the business of disinfecting your computer.

Then, take the following steps:

  • Use a firewall. This can be as simple as turning on the Internet Connection Firewall included in Windows XP, to purchasing and installing hardware devices such as a NAT router. Either of these solutions will likely protect you from Sasser and many other types of non-email-based threats.
  • Install the patch. This patch for your operating system can be found with Microsoft Security Bulletin MS04-011.
  • Remove the virus. There are several Sasser removal tools floating around. Microsoft’s What You Should Know About the Sasser Worm and Its Variants has one.
  • Update and run your Anti-Virus software. Make sure that both of those steps happen automatically in the future as well. For example, my virus scanner is configured to check for updates and run a scan nightly.
  • Stay up-to-date. There are several options but I endorse running Windows Automatic Update for Windows XP. My preference is to have it download and notify me of changes that are ready to install. In addition – or, if you prefer, instead – you should also visit Windows Update on a regular basis for additional updates to your system. I probably visit once a month.

The bottom line is that it’s a practical reality that we all need to be vigilant about keeping our computers safe. The steps you take to protect yourself from becoming infected are much less onerous than the potential hassle of recovering from a destructive virus. Sasser doesn’t appear to be destructive…

…but the next one certainly could be.

Update: Apparently the Sasser worm also modifies a configuration file that renders many Anti-Virus sites and the MicrosoftUpdate site unreachable. So if you can get to this site (Ask Leo!), but not your anti-virus vendor then this might be the problem. It’s easy to check.

Open the file “\windows\system32\drivers\etc\hosts” in Notepad. (Press the Start button, click onRun, type Notepad \windows\system32\drivers\etc\hosts, and press OK.) Normally, it will have one entry for something called “localhost”. If in addition you see a list of Anti-Virus sites such as Symantec, McAfee, and more, then the worm has struck.

<!– if (!document.phpAds_used) document.phpAds_used = ‘,’; phpAds_random = new String (Math.random()); phpAds_random = phpAds_random.substring(2,11); document.write (“”); //–> var al_article_category; google_ad_client = “pub-6711026890334492”; google_ad_width = 336; google_ad_height = 280; google_ad_format = “336x280_as”; google_color_border = “FFFFFF”; google_color_bg = “FFFFFF”; google_color_link = “00309c”; google_color_url = “1369e9”; google_color_text = “000000”; google_ad_channel = “6448756426”;

I would take the following steps:

  • Close Notepad.
  • Open Windows Explorer on the directory containing the file “hosts” (A quick way to do this is to press the Start button, click on Run, type\windows\system32\drivers\etc, and press OK.)
  • Right Click on the file hosts and select Rename. Give it a new name, like “oldhosts”.
  • Run the command “nbtstat -R”. (Press the Start button, click on Run, type nbtstat -R, and press OK.) You should only see a window flash on the screen briefly, but this little bit of magic should force Windows to re-lookup any of those names it might be keeping in memory.

Now you should be able to get to your anti-virus sites until you reboot – apparently the Sasser worm will recreate these bogus host file entries each time you reboot. So download your updatesand scan to clean up the virus right away.

Update: As was predicted, follow-on viruses that exploit the same vulnerabilities that Sasser exploits are starting to show up. Sasser removal tools may not work because they are different viruses, even though they share some of the same symptoms. I cannot stress enough the importance of using a firewall, keeping your virus definitions up to date and running virus scans on a regular basis. Two current examples of similar viruses include Kibuv-B and Bobax, both of which have removal instructions up on the Symantec Anti-Virus site.


One Response to “What are “LSASS”, “LSASS.EXE” and “Sasser” and how do I know if I’m infected? What do I do if I am?”

  1. Nice blog, I was wondering if you could put a link to my website in your blog/webpage, thanks.

    Site name: HotBrick Network Solutions
    Site Url: http://www.HotBrick.com
    Description: Specializing in internet security, Content filtering, VPN, Firewall, virtual private network, firewall security, network security, virtual private networks, and firewalls hardware

    Again thanks and have a great day.
    Mike McClodden

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: