Isass.exe=sasser?

Guest

Ok, will an MVP, MSFT or someone please answer this

An earlier post I read mentioned that if you click CTRL, ALT & DELETE, check your processes, if there were two specific .exe files, then your computer is infected with the "Sasser" worm

Here are some examples: Someone asked if these files should be running in the background, and one answer, anyone verify this? Also when I search for these .exe files, nothing comes up..

<<<<Both are system files and should be running
lsass.exe
Description: Windows Local Security Authority Server Process handles Windows
security mechanisms. It verifies the validity of user logons to your
computer or server. Technically, the software generates the process that is
responsible for authenticating users for the Winlogon service
------------------------------------------------------
csrss.exe
Description: Windows client server run-time subsystem handles Windows and
graphics functions for all subsystems.>>>>>

Can someone stop the confusion

Jan
 
D-Man

lsass.exe And csrss.exe ARE system files and should run!
lsass.exe is NOT a virus
csrss.exe is NOT a virus

No problem there!

\D-Man
JanV said:
Ok, will an MVP, MSFT or someone please answer this?

An earlier post I read mentioned that if you click CTRL, ALT & DELETE,
check your processes, if there were two specific .exe files, then your
computer is infected with the "Sasser" worm.
Here are some examples: Someone asked if these files should be running in
the background, and one answer, anyone verify this? Also when I search for
these .exe files, nothing comes up...
 
Carey Frisch [MVP]

Both "lsass.exe" and "csrss.exe" are normal running processes.
If a computer is infected with the "Sasser Worm", you would
likely see the following Sasser files:

Any process beginning with 4 or more numbers and "_up.exe" (for example, 12345_up.exe)
Any process starting with avserve (for example, avserve.exe, avserve2.exe)
Any process named skynetave.exe

Ref: http://www.microsoft.com/technet/Security/alerts/sasser.mspx

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

----------------------------------------------------------------------------------------

"JanV" (e-mail address removed) wrote in message:

| Ok, will an MVP, MSFT or someone please answer this?
|
| An earlier post I read mentioned that if you click CTRL, ALT & DELETE, check your processes, if there were
| two specific .exe files, then your computer is infected with the "Sasser" worm.
|
| Here are some examples: Someone asked if these files should be running in the background, and one answer,
| anyone verify this? Also when I search for these .exe files, nothing comes up...
|
| <<<<Both are system files and should be running.
| lsass.exe
| Description: Windows Local Security Authority Server Process handles Windows
| security mechanisms. It verifies the validity of user logons to your
| computer or server. Technically, the software generates the process that is
| responsible for authenticating users for the Winlogon service.
| -------------------------------------------------------
| csrss.exe,
| Description: Windows client server run-time subsystem handles Windows and
| graphics functions for all subsystems.>>>>>>
|
| Can someone stop the confusion?
|
| JanV
 
bud

JanV said:
Ok, will an MVP, MSFT or someone please answer this?

An earlier post I read mentioned that if you click CTRL, ALT & DELETE,
check your processes, if there were two specific .exe files, then your
computer is infected with the "Sasser" worm.

Here are some examples: Someone asked if these files should be running in
the background, and one answer, anyone verify this? Also when I search
for these .exe files, nothing comes up...

I think the confusion on this is because the sasser worm finds its way into
your computer through the lsass.exe system on your computer if it is not
patched. According to AV companies, this worm will generate traffic on ports
445, 5554 and 9996. Also, it will copy itself in the windows folder, under
the name of avserve.exe, create a file at c:\ called win.log and add the
registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\avserve = avserve.exe
Another sign of infection is frequent crashes of 'LSASS.EXE'.
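
Added example, not part of the original thread and not any poster's code: a Python check that applies the indicators listed in the replies above (the process names, the `avserve` Run value, `c:\win.log`, and ports 5554 and 9996) to a snapshot of one host, and shows that `lsass.exe` and `csrss.exe` are never flagged by name. The function names and the snapshot layout are assumptions made for illustration, the sample snapshots are constructed, and port 445 is deliberately left out because it is the normal SMB port.

```python
import re

# Indicators quoted in this thread (Carey Frisch's and bud's posts).
NAME_PATTERNS = [
    re.compile(r"\d{4,}_up\.exe", re.I),   # 4 or more digits + _up.exe
    re.compile(r"avserve.*\.exe", re.I),   # avserve.exe, avserve2.exe
    re.compile(r"skynetave\.exe", re.I),
]
DROPPED_FILE = r"c:\win.log"
# Assumption: 445 is skipped because it is the normal SMB port on Windows,
# so on its own it does not distinguish an infected host.
WORM_PORTS = {5554, 9996}


def is_sasser_name(path):
    """True if the file-name part of the path matches a listed worm name."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].strip()
    return any(p.fullmatch(base) for p in NAME_PATTERNS)


def sasser_findings(processes, run_values, files, ports):
    """Return sorted (kind, detail) hits for one host snapshot."""
    hits = {("process", p.lower()) for p in processes if is_sasser_name(p)}
    # run_values: value name -> data, read from the Run key quoted in the thread
    for name, data in run_values.items():
        if name.lower() == "avserve" or is_sasser_name(data):
            hits.add(("run-key", f"{name}={data}".lower()))
    hits |= {("file", f.lower()) for f in files if f.lower() == DROPPED_FILE}
    hits |= {("port", str(n)) for n in WORM_PORTS & set(ports)}
    return sorted(hits)


# Constructed snapshots, not taken from a real machine.
CLEAN = dict(
    processes=["System", "smss.exe", "csrss.exe", "winlogon.exe",
               "lsass.exe", "123_up.exe"],   # only 3 digits: not a match
    run_values={"ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    files=[r"C:\boot.ini"],
    ports=[135, 139, 445],
)
INFECTED = dict(
    processes=["csrss.exe", "lsass.exe", "avserve2.exe", "12345_up.exe"],
    run_values={"avserve": "avserve.exe"},
    files=[r"C:\win.log"],
    ports=[445, 5554, 9996],
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, sasser_findings(**snap))
```
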
 
