Is this "Sasser" at work?

The machines we love to hate

Moderator: Wiz Feinberg

Donny Hinson
Posts: 21756
Joined: 16 Feb 1999 1:01 am
Location: Glen Burnie, Md. U.S.A.

Post by Donny Hinson »

A relative of mine (not nearby) called to tell me his brand new computer is shutting down when he tries to log onto the net. He's getting an error message something like this...

"This shutdown was initiated by NT/authority/system
in system process
c/windows/system32/sass.exe
status code 1073741879..."

Does this mean he has the "sasser worm"?

Can I download the FxSasser from Symantec onto a disc, and then run it on his computer? (Since I obviously won't be able to do any downloading on his computer until the problem is corrected.)

Thanks in advance.

Ray Minich
Posts: 6431
Joined: 22 Jul 2003 12:01 am
Location: Bradford, Pa. Frozen Tundra

Post by Ray Minich »

Yes, unfortunately, it's caused by Sasser or one of its variants. I've worked on 3 Sasser victims in the past two weeks.

The LSASS service (process) in the operating system is being hit.

Go to symantec.com for removal instructions. Run the FxSasser & also check for the other symptoms discussed. Also you will have to upload the Windows Critical Updates from Microsoft for the OS to stop it from reoccurring.

One more thing, in the past 2 weeks I have also seen the LSASS subsystem shut a networked computer down, but the computer was not infected. Don't know what's going on there...

[This message was edited by Ray Minich on 13 May 2004 at 09:05 AM.]
[This message was edited by Ray Minich on 13 May 2004 at 02:40 PM.]