  The Lsass.exe Referenced Memory Error is commonly caused by the Sasser worm, malware that infects Windows-based systems. This worm sneaks in through a Windows security vulnerability and attacks using the lsass.exe file, which is connected to the Local Security Authority in Windows. The lsass.exe error message caused by the Sasser worm claims that a file could not be written to the referenced memory block and then crashes the computer.

 

Shut Down
  • After stating that there is a problem with Referenced Memory, the Sasser worm shuts the computer down within 60 seconds. Work quickly to stop the shutdown by opening the Start menu and typing “shutdown -a” in the Run Command box. Hit “OK” and the reboot is aborted. If the worm beats you to the reboot, then restart the computer and tap F8 until the menu for the Advanced Startup Options appears. If the Windows splash screen appears, then the computer did not read the F8 key press and you will have to try again. When you arrive at the Advanced Startup Options menu, choose “Last known good configuration” and let the computer start up.

Virus Protection

  • Update your antivirus program with the newest virus definitions and scan your computer. The antivirus program will find a Trojan virus with an odd name. Remove the found threat and keep the antivirus updated. Run the scanner at least once a week or whenever something odd happens. The Sasser worm may block your access to antivirus websites, so updating your antivirus program can be a problem.

Unblocking Antivirus Sites

  • By the time the Sasser worm shows the lsass.exe error, it has most likely created bogus URL entries for antivirus websites. This is an attempt to stop the removal of the worm. Check for fake entries by typing “Notepad \windows\system32\drivers\etc\hosts” in the "Search programs and files" text field that appears when you press the Start button. Press “OK” to get the results. A healthy PC will only show information on the “localhost,” whereas the Sasser worm writes a large list with antivirus websites to this file. Close Notepad and open the directory containing the “hosts” file. Right-click the file and rename it to “oldhosts.” In the "Search programs and files" text field, type “nbtstat -R” and press “OK.” The window will flash and you will have access to the antivirus websites until the computer reboots.

Prevention

  • Patch the security breach once the Sasser worm is removed. Open the Microsoft Security Bulletin MS04-011 and run the patch for your version of Windows. This will prevent reinfection by the Sasser worm and the reappearance of the lsass.exe error. Use a firewall to stop unauthorized changes to your computer. A firewall blocks threats like the Sasser worm that are not email-based. Turn on the built-in firewall in Windows or install one that is purchased or free from the Internet. Only install a firewall that you are sure is not malware in disguise.
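
The hosts-file check described under "Unblocking Antivirus Sites" can be automated. The following is an added example, not part of the original post: it parses hosts-file text and reports every mapping other than localhost. The sample file content, the placeholder hostnames and the `blackholed`/`remapped`/`malformed` labels are constructed assumptions.

```python
import ipaddress

# Constructed sample of a tampered hosts file; hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.antivirus-vendor.example   # redirected to loopback
0.0.0.0         www.antivirus-vendor.example download.scanner.example
10.20.30.40     intranet.example
not-an-ip       broken.example
"""

# Names a clean hosts file is expected to contain (per the text: only localhost).
BENIGN_NAMES = {"localhost"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        fields = line.split()
        if len(fields) < 2:  # blank, comment-only, or address without a name
            continue
        yield line_no, fields[0], fields[1:]


def audit_hosts(text):
    """Return (line_no, kind, address, hostnames) for every non-localhost entry."""
    findings = []
    for line_no, addr, names in parse_hosts(text):
        extra = [n for n in names if n.lower() not in BENIGN_NAMES]
        if not extra:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, "malformed", addr, extra))
            continue
        # Loopback or 0.0.0.0 makes the name unreachable; anything else redirects it.
        kind = "blackholed" if (ip.is_loopback or ip.is_unspecified) else "remapped"
        findings.append((line_no, kind, addr, extra))
    return findings


if __name__ == "__main__":
    for line_no, kind, addr, names in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:10} {addr:15} {' '.join(names)}")
```

To audit a real machine, pass the contents of `\windows\system32\drivers\etc\hosts` to `audit_hosts` instead of the sample; an empty result matches the healthy state the post describes.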

 

 
