Solved

LSA Shell (Export Version)

Posted on 2004-05-02
Last Modified: 2013-12-04
I keep getting a message that there is a problem with LSA Shell (Export Version).  A few minutes later Windows NT shuts down & restarts my computer.  What is the problem?
0
Question by:kg2199
 
LVL 11

Accepted Solution

by:
ghana earned 500 total points
ID: 10974875
This is a new internet Worm (Sasser.A, Sasser.B, Sasser.C). You need to install the MS security patches to be protected against malware exploiting Windows vulnerabilities. In this case you need to install MS04-011:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
0
 
LVL 11

Expert Comment

by:ghana
ID: 10974917
Some additional explanation about the Sasser worms: In summary, this worm and its variants exploit vulnerabilities in the operating systems Windows 2000/XP/Server 2003 that do not have the security patch MS04-011 installed. The worm does not use email or websites to infect other computers. It directly infects a computer that is connected to the internet. As part of the exploit the process LSASS.EXE may crash, which can cause the visible symptom with the message about LSA Shell (Export Version).

To remove Sasser from your system you can use the removal descriptions in the links mentioned below. Or you can use an automated recovery tool like McAfee's Stinger or Trend Micro's Damage Cleanup Services (DCS):
Stinger: http://vil.nai.com/vil/stinger
DCS: http://www.trendmicro.com/download/dcs.asp

To prevent similar problems in the future I would recommend protecting internet-connected computers with all available MS patches. MBSA 1.2 (Microsoft Baseline Security Analyzer) is a free application that is able to check whether all necessary patches are installed on your computer or not. If not, it will list these patches. In addition there will be a link to the corresponding security bulletin where you can download the patch. Running MBSA once a week will make sure that your computer is up to date.

Link to MBSA: http://support.microsoft.com/?kbid=320454

Virus descriptions about Sasser.A:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012
McAfee: http://vil.nai.com/vil/content/v_125007.htm
Sophos: http://www.sophos.com/virusinfo/analyses/w32sassera.html
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A


Virus descriptions about Sasser.B:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39021
McAfee: http://vil.nai.com/vil/content/v_125008.htm
Sophos: http://www.sophos.com/virusinfo/analyses/w32sasserb.html
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B


Virus descriptions about Sasser.C:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39025
McAfee: http://vil.nai.com/vil/content/v_125009.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.C

0
 
LVL 1

Expert Comment

by:cubicleslave
ID: 11061967
The new version (variant) of this virus is known as Sasser.F; visit the link to Trend Micro for more info:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.F
(it's new, since the last post by ghana)

Either the Trend Micro or Symantec removal tools for Sasser should do the trick.  Or you can download and run the latest version of Microsoft's removal tool for Sasser...
Link to Microsoft page for Sasser Worm Removal Tool:
http://www.microsoft.com/downloads/details.aspx?familyid=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en


You may also want to check for the Gaobot/Agobot virus as well; it frequently scans for systems that are RPC-vulnerable (or already are infected with Sasser virus).  There are two new versions of Agobot out and about, and they frequently can be found on a system already infected with Sasser.  The Symantec removal tool for Gaobot might help, but it does not search for all known variants of Gaobot.  I would recommend following the Trend Micro instructions for detecting and removing Gaobot, which you can view here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GN
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.TT

Hope this helps.




0
 

Expert Comment

by:vadlapatis
ID: 11074244
hey this works out !!!!!!

I-Worm/Sasser
This worm spreads via the internet, exploiting the MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011. This worm has some new variants from the Saturday first catch.

Go to the link

http://www.grisoft.com/us/us_ts_removers.php

Download the I-Worm/Sasser removal tool

Then download the Microsoft patch from

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Then switch to safe mode and execute the removal tool; it removes the sasser.exe files. Then restart, boot into normal mode and load the patch file downloaded from the Microsoft site. Your PC will be alright.

Be careful while downloading: check for the patch that suits your OS.
0
 

Expert Comment

by:unthony
ID: 11109506
hey,

I'm having the same problem but I can't seem to activate any of your anti-Sassers.
Every now and then, a box appears telling me that there is a problem in the LSA Shell (Export Version), and in a few minutes another box tells me that Windows will shut down and a one-minute timer ticks. If I don't do anything it DOES shut down...
I only figured out how to stop the timer and the shutting down, but not how to fix the whole problem.
if you could help me, i would really appreciate it.

anthony
0
 

Expert Comment

by:rphukan
ID: 11846938
Disconnect the network cable.
enable the windows xp firewall.
disable system restore.
boot to safe mode.
download and scan for the virus using stinger.
0
 

Expert Comment

by:slam2
ID: 12649380
to disable the shutdown:

click start
click run
type shutdown /a
0
