What is LSASS.EXE on My Windows Machine; Is it Dangerous?

What is the LSASS.EXE that I found on my Windows machine? Is it dangerous? I keep hearing about the Sasser worm, is this it?

Thank you,

Wormy

Dear Wormy,

The file you have found, LSASS.EXE, is the Local Security Authentication Server, which actually belongs on your PC! This is a program created by Microsoft, as part of your Windows package, which confirms that users who log on to your PC have authority to do so. If the user is authenticated, LSASS.EXE creates a unique token which is assigned to that user, and other programs and processes run by that user receive the same token.

Unfortunately, LSASS.EXE had a rather serious vulnerability, for which Microsoft issued a patch last year. Worse, many users have not patched their version of LSASS.EXE, leaving their computers open to exploitation by any number of worms and viruses created specifically to take advantage of the LSASS vulnerability.

The most notorious of these worms is the infamous Sasser worm, created by a teenager in Germany. The Sasser worm wreaked thousands of dollars worth of damage around the world, and its young author, Sven Jaschan, was recently convicted for his crime.

If you have not patched your LSASS.EXE, you should do so immediately. The patch is available here.

LSASS.EXE legitimately resides in the c:\windows\System32 folder; if you find other files called LSASS.EXE elsewhere, you should consider them suspicious.

There is more information about the Sasser worm, and about its young German author, Sven Jaschan, available at The Internet Patrol.
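
The location check described above can be scripted. The following PowerShell is an added example, not part of the original column: it lists every running lsass.exe process and every file named lsass.exe on the system drive, and marks each one by whether it sits at the System32 path. The function name `Test-LsassPath` and the status labels are assumptions made for this example.

```powershell
# Added example: report lsass.exe processes and files, flagging any copy
# that is not at %SystemRoot%\System32\lsass.exe.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Test-LsassPath {
    param([string]$Path)
    # An empty path means the process image could not be read
    # (typically because the shell is not running elevated).
    if ([string]::IsNullOrEmpty($Path)) { return 'unknown' }
    # Windows paths are case-insensitive, so compare that way.
    if ($Path -ieq $expected) { return 'expected' }
    return 'suspicious'
}

$findings = @()

# 1. Running processes named lsass.exe and the file each one was started from.
$findings += Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" |
    ForEach-Object {
        [pscustomobject]@{
            Kind     = 'process'
            Id       = $_.ProcessId
            Path     = $_.ExecutablePath
            Modified = $null
            Status   = Test-LsassPath $_.ExecutablePath
        }
    }

# 2. Files named lsass.exe anywhere on the system drive, hidden ones included.
$root = $env:SystemDrive + '\'
$findings += Get-ChildItem -Path $root -Filter 'lsass.exe' -File -Recurse -Force `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Kind     = 'file'
            Id       = $null
            Path     = $_.FullName
            Modified = $_.LastWriteTime
            Status   = Test-LsassPath $_.FullName
        }
    }

# Anything not marked 'expected' goes to the top of the report.
$findings | Sort-Object { $_.Status -eq 'expected' }, Kind |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the process path is readable. Windows keeps its own servicing copies of system files in folders such as WinSxS, so those entries will be listed too; treat each flagged path as something to verify rather than delete on sight.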