Hi all.

Yesterday I started a shutdown of my server. It hung for a while,
then it displayed this message:

(...)
The system process 'C:\WINNT\system32\lsass.exe' terminated
unexpectedly with status code 128. The system will now shut down and
restart.

So it seems there is a Sasser infection.

But there are some points:
- The server is a Windows 2000 Server SP4 OS. The Sasser patch,
KB835732, has been installed since 2004
- Security rollup and other hotfixes are installed, too
- The antivirus software running on the server is up to date and it did
not find any virus
- The server is not connected to the Internet
- There is no other evidence of this virus (registry key, avserve.exe,
win.log, etc.)

So, what is happening?
A new Sasser variant?
Another infected computer on the LAN is trying to infect the server?
Or maybe this message is not always caused by this virus?

Thank You.

RE: Is it a Sasser worm? by Chris

Chris
Thu Nov 16 11:58:02 CST 2006

It is not Sasser. Sasser would shut down your machine once it accessed the
Internet. lsass.exe is an executable that runs on Win2k and up. When you
were shutting down the machine, that process errored out. So you're not
infected with Sasser. You can probably search Google for the error message
if you get it again. But it just sounds like when the machine was shutting
down it just had a hard time closing that service.

"TT" wrote:

> Hi all.
>
> Yesterday I started a shutdown of my server. It hung for a while,
> then it displayed this message:
>
> (...)
> The system process 'C:\WINNT\system32\lsass.exe' terminated
> unexpectedly with status code 128. The system will now shut down and
> restart.
>
> So it seems there is a Sasser infection.
>
> But there are some points:
> - The server is a Windows 2000 Server SP4 OS. The Sasser patch,
> KB835732, has been installed since 2004
> - Security rollup and other hotfixes are installed, too
> - The antivirus software running on the server is up to date and it did
> not find any virus
> - The server is not connected to the Internet
> - There is no other evidence of this virus (registry key, avserve.exe,
> win.log, etc.)
>
> So, what is happening?
> A new Sasser variant?
> Another infected computer on the LAN is trying to infect the server?
> Or maybe this message is not always caused by this virus?
>
> Thank You.
>
>

Re: Is it a Sasser worm? by TT

TT
Thu Nov 16 12:20:56 CST 2006


Thank You, Chris


Re: Is it a Sasser worm? by Chris

Chris
Thu Nov 16 13:02:01 CST 2006

You're welcome, happy to help.

"TT" wrote:

>
> Thank You, Chris
>
>