Is this Sasser?


Doug G

The error message that my customer is seeing on his screen is something like
the following:

lsass.exe - Application Error
The instruction at "0x0083f878" referenced memory at "0x00000023". The
memory could not be "read"
Click on OK to terminate program.

If they terminate it, the system reboots and the error message repeats after
a short while. The workaround is just to ignore it and leave the message box
up on the screen. The system actually functions OK under these conditions.

I may have to go out there to check things out and I'm going to take a
Sasser removal tool with me, but does this message look like what Sasser
does?

Doug Gordon
 
That looks like Sasser to me...
 
With Google, you find the following under:
http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
Description: Windows Local Security Authority Server Process handles Windows
security mechanisms. It verifies the validity of user logons to your
computer or server. Technically, the software generates the process that is
responsible for authenticating users for the Winlogon service.
Company: Microsoft Corp.
System Process: Yes
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): No
Common Errors: N/A
 
The good news is that EWF is working on my XPE system, so that my system is
not "infected" by the worm/virus. However, it is crashing due to being
attacked. So there are two situations to resolve:

1) The customer needs to clean up his network, as it is some other in-house
system that is hosting the Sasser worm and is attacking this particular XPE
system (why this one and not others, I do not know). This network is behind
a firewall, so it must be someone's PC within the factory somewhere.

2) The XPE system really does need an update to be applied so that the
attack does not crash lsass.exe.

For now I've told them to disconnect the system from the plant network until
we work out what to do.

Doug Gordon
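
For point 1 in the post above, one way to narrow down which in-house machine is doing the attacking: Sasser spreads over TCP port 445, so the attacked system's own connection log can be ranked by source address. This is an added example, not part of the original thread; it assumes the XPE image records connections in the Windows Firewall pfirewall.log field layout, and the sample lines and addresses are constructed.

```python
from collections import defaultdict

# Constructed sample in the Windows Firewall log (pfirewall.log) field layout.
# All addresses are made up; 10.1.2.15 stands in for the attacked XPE system.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info
2004-05-10 08:01:02 OPEN-INBOUND TCP 10.1.4.77 10.1.2.15 1034 445 - - - - - - - -
2004-05-10 08:01:40 OPEN-INBOUND TCP 10.1.4.20 10.1.2.15 2210 445 - - - - - - - -
2004-05-10 08:03:11 OPEN-INBOUND TCP 10.1.4.77 10.1.2.15 1188 445 - - - - - - - -
2004-05-10 08:03:30 OPEN TCP 10.1.2.15 10.1.1.5 1050 80 - - - - - - - -
2004-05-10 08:04:02 DROP UDP 10.1.4.31 10.1.2.255 137 137 78 - - - - - - -
2004-05-10 08:05:27 OPEN-INBOUND TCP 10.1.4.77 10.1.2.15 1302 445 - - - - - - - -
"""


def rank_smb_sources(log_text, local_ip, port=445):
    """Return [(src_ip, attempts, distinct_src_ports)] for TCP traffic
    addressed to local_ip:port, busiest source first."""
    fields = []
    hits = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column names come from the log header, not a hard-coded order.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP":
            continue
        if rec.get("dst-ip") != local_ip or rec.get("dst-port") != str(port):
            continue
        entry = hits[rec["src-ip"]]
        entry[0] += 1                   # connection attempts from this source
        entry[1].add(rec["src-port"])   # new source port = new connection
    ranked = [(ip, n, len(ports)) for ip, (n, ports) in hits.items()]
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip, attempts, ports in rank_smb_sources(SAMPLE_LOG, "10.1.2.15"):
        print(f"{ip}: {attempts} attempts to TCP 445 from {ports} source ports")
```

Ordinary file-sharing clients also connect to port 445, so it is the repeat count over a short window, lined up with the times lsass.exe crashes, that singles out the host to inspect.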
 