Solved

LSA Shell (Export Version)

Posted on 2004-05-02
290,113 Views
Last Modified: 2013-12-04
I keep getting a message that there is a problem with LSA Shell (Export Version).  A few minutes later Windows NT shuts down & restarts my computer.  What is the problem?
Question by:kg2199
7 Comments
 
LVL 11

Accepted Solution

by:
ghana earned 500 total points
ID: 10974875
This is a new internet Worm (Sasser.A, Sasser.B, Sasser.C). You need to install the MS security patches to be protected against malware exploiting Windows vulnerabilities. In this case you need to install MS04-011:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
0
 
LVL 11

Expert Comment

by:ghana
ID: 10974917
Some additional explanation about the Sasser worms: In summary this worm and its variants exploit vulnerabilities in operating systems Windows 2000/XP/Server 2003 that do not have the security patch MS04-011 installed. The worm does not use email or websites to infect other computers. It does directly infect a computer that is connected to the internet. As part of the exploit the process LSASS.EXE may crash, which can cause the visible symptom with the message about LSA Shell (Export Version).

To remove Sasser from your system you can use the removal descriptions in the links mentioned below. Or you can use an automated recovery tool like McAfee's Stinger or Trend Micro's Damage Cleanup Services (DCS):
Stinger: http://vil.nai.com/vil/stinger
DCS: http://www.trendmicro.com/download/dcs.asp

To prevent similar problems in the future I would recommend protecting internet-connected computers with all available MS patches. MBSA 1.2 (Microsoft Baseline Security Analyzer) is a free application that is able to check whether all necessary patches are installed on your computer or not. If not, it will list these patches. In addition there will be a link to the corresponding security bulletin where you can download the patch. Running MBSA once a week will make sure that your computer is up to date.

Link to MBSA: http://support.microsoft.com/?kbid=320454

Virus descriptions about Sasser.A:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39012
McAfee: http://vil.nai.com/vil/content/v_125007.htm
Sophos: http://www.sophos.com/virusinfo/analyses/w32sassera.html
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A


Virus descriptions about Sasser.B:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39021
McAfee: http://vil.nai.com/vil/content/v_125008.htm
Sophos: http://www.sophos.com/virusinfo/analyses/w32sasserb.html
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B


Virus descriptions about Sasser.C:
CA: http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39025
McAfee: http://vil.nai.com/vil/content/v_125009.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.C

0
 
LVL 1

Expert Comment

by:cubicleslave
ID: 11061967
The new version (variant) of this virus is known as Sasser.F; visit the link to Trend Micro for more info:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.F
(it's new, since the last post by ghana)

Either the Trend Micro or Symantec removal tools for Sasser should do the trick.  Or you can download and run the latest version of Microsoft's removal tool for Sasser...
Link to Microsoft page for Sasser Worm Removal Tool:
http://www.microsoft.com/downloads/details.aspx?familyid=76C6DE7E-1B6B-4FC3-90D4-9FA42D14CC17&displaylang=en


You may also want to check for the Gaobot/Agobot virus as well; it frequently scans for systems that are RPC-vulnerable (or already are infected with Sasser virus).  There are two new versions of Agobot out and about, and they frequently can be found on a system already infected with Sasser.  The Symantec removal tool for Gaobot might help, but it does not search for all known variants of Gaobot.  I would recommend following the Trend Micro instructions for detecting and removing Gaobot, which you can view here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.GN
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_AGOBOT.TT

Hope this helps.




0

 

Expert Comment

by:vadlapatis
ID: 11074244
hey this works out !!!!!!

I-Worm/Sasser
This worm spreads via the internet, exploiting the MS Windows LSASS service vulnerability described in MS Security Bulletin MS04-011. This worm has some new variants since Saturday's first catch.

go to the link

http://www.grisoft.com/us/us_ts_removers.php

download i-worm/sasser removal tool

then download the Microsoft patch from

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Then switch to safe mode and execute the removal tool; it removes the sasser.exe files. Then restart, boot into normal mode, and load the patch file downloaded from the Microsoft site. Your PC will be alright.

Be careful while downloading: check that the patch suits your OS.
0
 

Expert Comment

by:unthony
ID: 11109506
hey,

I'm having the same problem but I can't seem to activate any of your anti-Sassers.
Every now and then, a box appears telling me that there is a problem in the LSA Shell (Export Version), and in a few minutes, another box telling me that Windows will shut down, and a one-minute timer ticks. If I don't do anything it DOES shut down...
I only figured out how to stop the timer and the shutting down, but not how to fix the whole problem.
If you could help me, I would really appreciate it.

anthony
0
 

Expert Comment

by:rphukan
ID: 11846938
Disconnect the network cable.
Enable the Windows XP firewall.
Disable System Restore.
Boot to safe mode.
Download and scan for the virus using Stinger.
0
 

Expert Comment

by:slam2
ID: 12649380
to disable the shutdown:

click start
click run
type shutdown /a
0
