View Full Version : Sasser

18-06-2004, 10:57 PM
Trying to be real quick here as probably will disconnect shortly.
Sasser Virus shuts me down. When I run the fix it says I don't have it ???? lsass.exe.mot + appcompat.txt is what it says on the details on the bit where it says do u want to send details to Microsoft.
When I do ctrl/alt/delete Lsass.exe is right there in my processes.

Very confused - its shutting me down now darn.

18-06-2004, 11:22 PM
Click Start
shutdown /a

This will stop the shutdown!

From there, you can now go and google for:
dcpromo log sasser

Then goto grisoft.com and get AVG 6 Free Edition and remove the Virus.

Now, goto Windowsupdate.microsoft.com and patch your PC :-)

Jim B
18-06-2004, 11:28 PM
If you can get to another computer download the removal tool and save it to a floppy and then run it on the infected computer.
Download from this link here (http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html)

Or you could try this

If you are running Windows 2000 or XP, and have not yet done so, you must patch for the vulnerability described in Microsoft Security Bulletin MS04-011. If you do not, it is likely that your computer will continue to be re-infected.

What to do if the computer shuts down before you can patch or get the tool
This threat can cause Windows to keep shutting down and restarting. This can prevent you from installing the Microsoft patch or downloading the tool described below. To prevent the shut down, do the following. (You may have to try this several times, as you only have about 20 seconds to do steps 3 to 6.) (This will not work on Windows 2000.)

1. Disconnect the computer from the network/Internet connection. (Disconnect the cable if necessary.)
2. Restart the computer.
3. As soon as Windows opens and you see the Windows desktop, click Start > Run.
4. Type:


and press Enter.

5. Type:

shutdown -i

and press Enter.

6. In the Remote Shutdown Dialog that opens, do the following:

Click Add and type your computer name into the appeared window. Then click OK.
In the "Display warning for <number of seconds> Seconds" field, type 9999 in place of the default value of 20.
Type any message in the Comment box.
Click OK.
7. Reconnect the network/Internet connection.
8. Connect to the Internet, and get the patch. Then continue with the steps described below.

This gives you about three hours to get the patch installed, update the definitions, and so on.

When you have patched for and removed the threat, you can re-enable the 20-second default warning if you want to.

19-06-2004, 01:33 AM
Just for the record, if you run:
shutdown /a
on the PC that is being shut down, it will abort the shutdown process, giving you as long as you like (Sometimes Dial-up can be a ***** ;-)).

Just makes life a little easier if you're not on a LAN :D

19-06-2004, 11:00 AM
Sometimes I can stay on linine for 30mins or more.
How do I know which version of Sasser I have. Remember I have already run the fixit tool and it says I haven't got the virus so it wont fix what isn't broke. Very confusing

Jim B
19-06-2004, 11:28 AM
It may not be Sasser you have as there are others that use the LSASS exploit such as W32.Kibuv.Worm.

First make sure you have the MS patch to avoid getting reinfected.

Update you anti-virus and do a full system scan or got to this link and do an online scan.

Try downloading and running Stinger which removes most of the common viruses.