The confusion lies in letter case. There is Lsass.exe, which is a legitimate
Windows file... and Isass.exe... which is not. It's added as a result of a
trojan [in lower case... lsass (good) and isass (bad)]. If you conduct a
file search in Windows XP of C: drive for "Lsass.exe" the results will show
"lsass.exe" located at C:\WINDOWS\system32 and in the service pack files if
you have SP1 installed. What you are seeing in Windows Task Manager is
"Lsass.exe" with a lower case "L".

Check the Microsoft security page "What You Should Know About the Sasser
Worm". Under the heading 'Actions to Take Now', the third action listed is:
Automatically Check For and Remove Sasser.
http://www.microsoft.com/security/incident/sasser.mspx

Other links for more information:

Black Viper's Windows XP Home and Professional Service Pack 1 Service
Configurations: lsass.exe
http://snipurl.com/8sb1

Google Search Isass.exe
http://www.google.com/search?hl=en&ie=UTF-8&q=Isass.exe

Trend Micro: TROJ_ISAPASS.A - Description and solution
http://snipurl.com/8sa3

Trend Micro - Free online virus Scan
http://housecall.trendmicro.com/

Sven Swanson, Sr.

----- Original Message -----
From: "a fennell" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Tuesday, August 31, 2004 6:41 PM
Subject: Re: [PCSOFT] Sasser Worm?


  The Isass.exe file does show up as a process in task manager (I am updated
except for SP2) and I run a hardware firewall, zone alarm, spywareblaster,
spybot, adaware, and Norton Anti-virus.  Online scans indicate all my ports
are stealthed and that my PC is invisible to the internet.

  I went to the website suggested below
http://www.onlinepcfix.com/virushelp/sasser.htm
  and it is a site wanting to sell a fix for the sasser worm for $24.
Shouldn't Symantec have a free fix if its protection allowed this in?

  Spybot and AdAware say I have no malware (yet there is Isass.exe).

  I don't know what to do.

  Ann Fennell

----- Original Message -----
From: Paul J. Traynor
To: [log in to unmask]
Sent: Sunday, August 22, 2004 6:55 AM
Subject: Re: [PCSOFT] Sasser Worm?

Hi,

I'll bet if you look under the hood so to speak by using something like
task manager or a third party utility for showing up processes running
you might just see something in that list called "lsass.exe" which might
point to the culprit.

Paul.

-----Original Message-----
From: PCSOFT - Personal Computer software discussion list
[mailto:[log in to unmask]] On Behalf Of Tom Mayer
Sent: 20 August 2004 17:06
To: [log in to unmask]
Subject: Re: [PCSOFT] Sasser Worm?

Here is some information that might help:

http://www.onlinepcfix.com/virushelp/sasser.htm

Tom Mayer

I have been trying to help a retired fellow with his computer woes.  His
machine runs fine until he logs onto his ISP, then it will shut down
within minutes.  The error message has to do with lsass.exe, and the
windows displayed conform exactly to those with a Sasser worm problem.
Yet, we can find no worm!  Symantec's tool to remove the worm finds none
existing.  A Norton's AV scan says his machine is clean.  None of
Microsoft's list of processes that are indicative of the worm are
running on his machine.

Any tips?  Could this be other than a Sasser Worm?

Thanks for any help.

Gordon

                Curious about the people moderating your
                   messages? Visit our staff web site:
                    http://freepctech.com/staff.shtml