
    Sasser Worm


    Question

    Recently my computer (Windows XP operating system) has been coming up with a warning saying that LSA Shell (Export Version) has encountered a problem. Soon after another window will pop up on the screen saying that my system will need to shut down in one minute. The window says that the initiator of this was NT Authority/System, and was located in C:/WINDOWS/system32/lsass.exe. I have heard about the Sasser virus that is now out, and have tried many anti-virus tools and patches to get rid of it, and nothing has worked. These windows popping up only happen when I am online and it has also affected my MSN Messenger passwords, saying that my passwords are not valid. Some things I have tried are the worm removal tools from Symantec, and starting my computer in Safe Mode. I have thought about bringing it in to get worked on, but am using that as a last resort. If you have any information on what I can do, please contact me ... it would be greatly appreciated.

    --Anne Marie, Maple Lake, MN

    Answer

    A "Tech Talk" staff member responded:

    Thank you for your e-mail.

    If this is only happening when you are on the Internet, you should first enable the XP firewall to prevent yourself from getting infected again when you go back online.

    Now you need to update your machine. This, however, requires that you connect to the Internet to do so, and your computer will restart itself. What you can do is before going online, go to Start->Run... and type "shutdown -a" without the double quotes and don't click OK. Go on the Internet, and when the auto shutdown message appears, click on the OK button for the Run... command. This will cancel the shutdown.

    Now you can continue on to get rid of the virus and patch your computer. I'd recommend removing the virus before installing the patch; you can restart after removing it and won't have to worry about the forced shutdowns. Symantec's removal tool doesn't require that the patch be installed first, so I'd use that one. Then Windows Update everything and you should be ok.

    So lots of talk into quick steps:

    1. Firewall the machine.
    2. Go on the Internet and stop the auto shutdown.
    3. Remove the virus.
    4. Restart.
    5. Install all patches Windows Update says to install.

    This should remove the virus and protect you from future infections. Microsoft has a Web site that deals specifically with the Sasser worm at http://www.microsoft.com/security/incident/sasser.asp. Take particular note of the instructions for using the removal tool. It won't work if you have not installed a particular Windows update, and may also have problems running if your security settings are too high.

    Another source of information is Symantec's detailed manual removal instructions at http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html. Please note I urge extreme caution on this--if you do not follow the directions exactly you could end up doing more harm than good. Therefore, if you feel at all unsure about doing this on your own, I would definitely suggest bringing your computer into a repair shop.

    Once you're back up and running, don't forget to continue to update your antivirus definitions and run the Windows critical updates on a regular basis.

    Good luck!

    The University of Minnesota is an equal opportunity educator and employer.

    Page updated Friday, 16-Sep-2005 10:20:28 CDT.