Sasser Symptoms Without the Virus

  • Thread starter Major Malfunction

Major Malfunction

I'm working on a computer and I've got a real interesting problem:

The computer is exhibiting Sasser type symptoms: an error message pops up
indicating a problem with the LSASS and later a shutdown is initiated. While
working in Safe Mode, the system was scanned for presence of Sasser and
none was found. A manual check of the Registry and the usual infection
location in the Windows directory shows no sign of infection either.

In normal mode, the LSASS error message pops up almost as soon as the
desktop is stable, but any shutdown is delayed until after a connection to
the Internet is made. I've tried renaming file SHUTDOWN.EXE, but shutdown
still occurs and the SHUTDOWN.EXE file reappears.

I did remove *many* parasite programs, but the system is now clean,
according to both SpyBot and X-Cleaner. Norton antivirus, with defs from
6/1/2004, shows the system clean of any known virus.

Any clues what's happening here?
 
Shenan Stanley

Major said:
I'm working on a computer and I've got a real interesting problem:

The computer is exhibiting Sasser type symptoms: an error message
pops up indicating a problem with the LSASS and later a shutdown is
initiated. While working in Safe Mode, the system was scanned for
presence of Sasser and none was found. A manual check of the Registry
and the usual infection location in the Windows directory shows no
sign of infection either.

In normal mode, the LSASS error message pops up almost as soon as the
desktop is stable, but any shutdown is delayed until after a
connection to the Internet is made. I've tried renaming file
SHUTDOWN.EXE, but shutdown still occurs and the SHUTDOWN.EXE file
reappears.

I did remove *many* parasite programs, but the system is now clean,
according to both SpyBot and X-Cleaner. Norton antivirus, with defs
from 6/1/2004, shows the system clean of any known virus.

Any clues what's happening here?


Reinstall SP1.
 
Shenan Stanley

Major said:
I'm working on a computer and I've got a real interesting problem:

The computer is exhibiting Sasser type symptoms: an error message
pops up indicating a problem with the LSASS and later a shutdown is
initiated. While working in Safe Mode, the system was scanned for
presence of Sasser and none was found. A manual check of the
Registry and the usual infection location in the Windows directory
shows no sign of infection either.

In normal mode, the LSASS error message pops up almost as soon as
the desktop is stable, but any shutdown is delayed until after a
connection to the Internet is made. I've tried renaming file
SHUTDOWN.EXE, but shutdown still occurs and the SHUTDOWN.EXE file
reappears.

I did remove *many* parasite programs, but the system is now clean,
according to both SpyBot and X-Cleaner. Norton antivirus, with defs
from 6/1/2004, shows the system clean of any known virus.

Any clues what's happening here?

Shenan said:
Reinstall SP1.

Major said:
OK, we'll try that next visit. Any idea if SP2 is available yet and
should that be loaded instead?


A release candidate is available.
The full version is not.
Don't wait.

Turn on Firewall.
Install SP1a (Network installation version).
Install Rollup.
Install Sasser patch.
Go to http://windowsupdate.microsoft.com/ and get the rest of the critical
updates.

Windows XP SP1a:
http://www.microsoft.com/windowsxp/pro/downloads/servicepacks/sp1/sp1lang.asp

Update Rollup 1 for Microsoft Windows XP:
http://www.microsoft.com/downloads/...00-d7be-48e3-abcc-961602bd72c2&displaylang=en
or.. Short Link: http://tinyurl.com/r4lh

Security Update for Microsoft Windows - Sasser
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
or.. Short Link: http://tinyurl.com/2vj4h
 
Yves Leclerc

I have been to the MS SP2 OEM Builder conference. SP2 is to be released
sometime in July to August, for now.
 
Don Phillipson

I'm working on a computer and I've got a real interesting problem:

The computer is exhibiting Sasser type symptoms: an error message pops up
indicating a problem with the LSASS and later a shutdown is initiated. While
working in Safe Mode, the system was scanned for presence of Sasser and
none was found. A manual check of the Registry and the usual infection
location in the Windows directory shows no sign of infection either.

This may show where lack of DOS cripples
XP. If you could shell to a DOS box you
could rename LSASS.EXE and reboot, and
later sort out the mess. Your current
software reports (1) Sasser symptoms,
(2) failure to find Sasser virus. It is not
clear why you trust #2 more than #1.
 
R. McCarty

Not all Anti-Virus programs catch everything. You didn't mention
which program you use. You can try some of the on-line scans
from the major vendors.
http://housecall.trendmicro.com/housecall/start_corp.asp
http://scan.sygatetech.com/

You can also download the McAfee stand-alone scan tool
Stinger - It scans for a limited number of infections but is fairly
quick to run
http://vil.nai.com/vil/stinger/

Also, Lsass.Exe is a system protected file (SFC). If you delete
or rename the file, XP should trigger an automatic replacement
from the Dllcache or source media.
 
Malke

Don said:
This may show where lack of DOS cripples
XP. If you could shell to a DOS box you
could rename LSASS.EXE and reboot, and
later sort out the mess. Your current
software reports (1) Sasser symptoms,
(2) failure to find Sasser virus. It is not
clear why you trust #2 more than #1.

Actually, this may have nothing to do with a lack of DOS - the OP's box may
simply have a newer virus. Korgo and its variants, for instance,
display the same symptoms as Sasser. Symantec has a new removal tool
available for Korgo, which he could try. Here's the link:

http://www.sarc.com/avcenter/venc/data/w32.korgo.f.removal.tool.html

In fighting today's viruses and spyware, one must update definitions and
programs constantly. With the onset of Sasser, for instance, we were
seeing new virus definitions for additional variants being issued at
least daily.

Malke
 
