Solved

LSA Shell (Export Version)

Posted on 2004-05-02
Last Modified: 2013-12-04
I keep getting a message that there is a problem with LSA Shell (Export Version).  A few minutes later Windows NT shuts down & restarts my computer.  What is the problem?
Question by:kg2199
7 Comments
 

Accepted Solution

by: ghana (earned 500 total points)
ID: 10974875
This is a new internet Worm (Sasser.A, Sasser.B, Sasser.C). You need to install the MS security patches to be protected against malware exploiting Windows vulnerabilities. In this case you need to install MS04-011:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

Expert Comment

by:ghana
ID: 10974917
Some additional explanation about the Sasser worms: In summary, this worm and its variants exploit vulnerabilities in the operating systems Windows 2000/XP/Server 2003 that do not have the security patch MS04-011 installed. The worm does not use email or websites to infect other computers. It directly infects a computer that is connected to the internet. As part of the exploit, the process LSASS.EXE may crash, which can cause the visible symptom with the message about LSA Shell (Export Version).

To remove Sasser from your system you can use the removal descriptions in the links mentioned below. Or you can use an automated recovery tool like McAfee's Stinger or Trend Micro's Damage Cleanup Services (DCS):
Stinger: http://vil.nai.com/vil/stinger
DCS: http://www.trendmicro.com/download/dcs.asp

To prevent similar problems in the future I would recommend protecting internet-connected computers with all available MS patches. MBSA 1.2 (Microsoft Baseline Security Analyzer) is a free application that is able to check whether all necessary patches are installed on your computer. If not, it will list these patches. In addition there will be a link to the corresponding security bulletin where you can download the patch. Running MBSA once a week will make sure that your computer is up to date.

Link to MBSA: http://support.microsoft.com/?kbid=320454

Virus descriptions about Sasser.A:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012
McAfee: http://vil.nai.com/vil/content/v_125007.htm
Sophos: http://www.sophos.com/virusinfo/analyses/w32sassera.html
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A


Virus descriptions about Sasser.B:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39021
McAfee: http://vil.nai.com/vil/content/v_125008.htm
Sophos: http://www.sophos.com/virusinfo/analyses/w32sasserb.html
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B


Virus descriptions about Sasser.C:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39025
McAfee: http://vil.nai.com/vil/content/v_125009.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.C


Expert Comment

by:cubicleslave
ID: 11061967
The new version (variant) of this virus is known as Sasser.F; visit the link to Trend Micro for more info:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.F
(it's new, since the last post by ghana)

Either the Trend Micro or Symantec removal tools for Sasser should do the trick.  Or you can download and run the latest version of Microsoft's removal tool for Sasser...
Link to Microsoft page for Sasser Worm Removal Tool:
http://www.microsoft.com/downloads/details.aspx?familyid=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en


You may also want to check for the Gaobot/Agobot virus as well; it frequently scans for systems that are RPC-vulnerable (or already are infected with Sasser virus).  There are two new versions of Agobot out and about, and they frequently can be found on a system already infected with Sasser.  The Symantec removal tool for Gaobot might help, but it does not search for all known variants of Gaobot.  I would recommend following the Trend Micro instructions for detecting and removing Gaobot, which you can view here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GN
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.TT

Hope this helps.





Expert Comment

by:vadlapatis
ID: 11074244
hey this works out !!!!!!

I-Worm/Sasser
This worm spreads over the internet by exploiting the MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011. This worm has some new variants since Saturday's first catch.

Go to the link:

http://www.grisoft.com/us/us_ts_removers.php

Download the I-Worm/Sasser removal tool.

Then download the Microsoft patch from:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Then switch to safe mode and execute the removal tool; it removes the sasser.exe files. Then restart, boot into normal mode and load the patch file downloaded from the Microsoft site. Your PC will be alright.

Be careful while downloading: check that the patch suits your OS.
 

Expert Comment

by:unthony
ID: 11109506
Hey,

I'm having the same problem but I can't seem to activate any of your anti-Sassers.
Every now and then, a box appears telling me that there is a problem in the LSA Shell (Export Version), and in a few minutes another box tells me that Windows will shut down and a one-minute timer ticks. If I don't do anything it DOES shut down...
I only figured out how to stop the timer and the shutting down, but not how to fix the whole problem.
If you could help me, I would really appreciate it.

anthony
 

Expert Comment

by:rphukan
ID: 11846938
Disconnect the network cable.
Enable the Windows XP firewall.
Disable System Restore.
Boot to safe mode.
Download and scan for the virus using Stinger.
 

Expert Comment

by:slam2
ID: 12649380
To disable the shutdown:

Click Start
Click Run
Type shutdown /a