From: "Peter Foldes" <okf22@hotmail.com>

| Crossposted to the microsoft.public.security.virus

| --
| Peter

| Please Reply to Newsgroup for the benefit of others
| Requests for assistance by email can not and will not be acknowledged.

| "LauraW." <LauraW..3ia4zc@DoNotSpam.com> wrote in message
| news:LauraW..3ia4zc@DoNotSpam.com...

>> I have a customer whose server I manage that is also having this issue.
>> OS is 2003 R2 Enterprise Ed., SP2. After deep investigation, we found
>> that the Sasser worm or its variants seem to be at the heart of this
>> matter, however I am unable to find any of the tell-tale .exe files (and
>> there are several) or registry entries. We have not installed the
>> Microsoft patch (the customer has not given their consent even after
>> letting them know this will help). Much like the other posters, the
>> reboots are random with no pattern. I just had one happen about 2 hours
>> ago for the first time in a few weeks.


>> They are running ESET NOD32 Antivirus and are firewalled via an
>> appliance (not software). We see events in both the Application AND
>> System Event Viewer Logs. The following are snippets of the logs
>> entries:


>> _From_System_Logs:_


>> Event Type: Error
>> Event Source: LsaSrv
>> Event Category: Security Package Manager
>> Event ID: 5000
>> Date: 11/2/2008
>> Time: 7:16:47 PM
>> User: N/A
>> Computer: XXXXXXXXX
>> Description: The security package Microsoft Unified Security Protocol
>> Provider generated an exception. The exception information is the
>> data.



>> Event Type: Information
>> Event Source: USER32
>> Event Category: None
>> Event ID: 1074
>> Date: 11/2/2008
>> Time: 7:17:22 PM
>> User: NT AUTHORITY\SYSTEM
>> Computer: XXXXXXXXXX
>> Description: The process winlogon.exe has initiated the restart of
>> computer XXXXXXXXX on behalf of user for the following reason: No title
>> for this reason could be found
>> Reason Code: 0x50006
>> Shutdown Type: restart
>> Comment: The system process 'C:\WINNT\system32\lsass.exe' terminated
>> unexpectedly with status code -1073741819. The system will now shut
>> down and restart.


>> _Application_Logs:_


>> Event Type: Error
>> Event Source: Application Error
>> Event Category: (100)
>> Event ID: 1000
>> Date: 11/2/2008
>> Time: 7:16:50 PM
>> User: N/A
>> Computer: XXXXXXXXX
>> Description: Faulting application lsass.exe, version 5.2.3790.0,
>> faulting module crypt32.dll, version 5.131.3790.3959, fault address
>> 0x0001ec50.


>> Event Type: Error
>> Event Source: Winlogon
>> Event Category: None
>> Event ID: 1015
>> Date: 11/2/2008
>> Time: 7:17:21 PM
>> User: N/A
>> Computer: XXXXXXXXXX
>> Description: A critical system process, C:\WINNT\system32\lsass.exe,
>> failed with status code c0000005. The machine must now be restarted.


>> I am starting to wonder if this is a new variant? Last variant was in
>> 2007, but like I said previously, I find none of the tell-tale .exe
>> files or the registry entries, which makes me wonder. Anyone have any
>> more info or any similar instances?


>> Also for those who want to dig, I found this link helpful in checking
>> the server, so it might help others who aren't in the same situation as
>> myself:


>> http://ask-leo.com/what_are_lsass_ls...f_im_infected_
>> what_do_i_do_if_i_am.html



>> --
>> LauraW.
>> ------------------------------------------------------------------------
>> View this thread: WINDOWS SERVER 2003



I don't know where this came from BUT...

It is not the Sasser Worm.

If this is a new post that was placed here, chances are it is the new worm/bot exploiting
MS08-067 which will exploit TCP port 445 just like the Sasser worm did.

http://isc.sans.org/diary.html?storyid=5275

http://www.us-cert.gov/current/index...osoft_ms08_067


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
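Added example, not part of either post above: the four log entries LauraW. quoted form one chain (LsaSrv 5000, then Application Error 1000 for lsass.exe faulting in crypt32.dll, then Winlogon 1015 and USER32 1074 forcing the restart), and a script can pull that chain out of an event export instead of eyeballing it. The Python below is mine; it assumes events have already been exported into dicts with the fields Event Viewer shows, and the sample entries are constructed from the snippets in the post, not a real export. One detail worth knowing when reading these logs: Event 1074 prints the status as a signed decimal (-1073741819) and Event 1015 prints it in hex (c0000005); masked to 32 bits they are the same value, STATUS_ACCESS_VIOLATION. The correlation only establishes "lsass.exe died with an access violation and the box was forced to reboot"; it does not by itself say which worm, or whether a worm at all, is behind it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample entries modelled on the log snippets quoted in the post (not a real export).
# The last entry is an unrelated crash that the correlation must not flag.
SAMPLE_EVENTS = [
    {"log": "System", "source": "LsaSrv", "id": 5000, "time": "11/2/2008 7:16:47 PM",
     "desc": "The security package Microsoft Unified Security Protocol Provider generated an exception."},
    {"log": "Application", "source": "Application Error", "id": 1000, "time": "11/2/2008 7:16:50 PM",
     "desc": "Faulting application lsass.exe, version 5.2.3790.0, faulting module crypt32.dll, "
             "version 5.131.3790.3959, fault address 0x0001ec50."},
    {"log": "System", "source": "Winlogon", "id": 1015, "time": "11/2/2008 7:17:21 PM",
     "desc": "A critical system process, C:\\WINNT\\system32\\lsass.exe, failed with status code c0000005. "
             "The machine must now be restarted."},
    {"log": "System", "source": "USER32", "id": 1074, "time": "11/2/2008 7:17:22 PM",
     "desc": "The process winlogon.exe has initiated the restart of computer XXXXXXXXX. Comment: The system "
             "process 'C:\\WINNT\\system32\\lsass.exe' terminated unexpectedly with status code -1073741819."},
    {"log": "Application", "source": "Application Error", "id": 1000, "time": "11/3/2008 9:00:00 AM",
     "desc": "Faulting application notepad.exe, version 5.2.3790.0, faulting module ntdll.dll, "
             "version 5.2.3790.3959, fault address 0x00001234."},
]

TIME_FMT = "%m/%d/%Y %I:%M:%S %p"
FAULT_RE = re.compile(
    r"Faulting application (?P<app>[^,\s]+), version (?P<app_ver>[^,\s]+), "
    r"faulting module (?P<module>[^,\s]+), version (?P<mod_ver>[^,\s]+), "
    r"fault address (?P<addr>0x[0-9a-fA-F]+)"
)
STATUS_RE = re.compile(r"status code (?P<code>-?\d+|[0-9a-fA-F]{8})")


def ntstatus(code):
    """Render a status code as an 8-digit NTSTATUS. Event 1074 prints the value as a signed
    32-bit decimal (-1073741819) while Event 1015 prints it in hex (c0000005); masking to
    32 bits shows both are 0xc0000005, STATUS_ACCESS_VIOLATION."""
    return "0x%08x" % (code & 0xFFFFFFFF)


def parse_time(s):
    return datetime.strptime(s, TIME_FMT)


def parse_fault(desc):
    """Pull application, module and fault address out of an Application Error 1000 description."""
    m = FAULT_RE.search(desc)
    return m.groupdict() if m else None


def status_from_event(ev):
    """Normalize the status code from a Winlogon 1015 or USER32 1074 description."""
    m = STATUS_RE.search(ev["desc"])
    if not m:
        return None
    base = 10 if ev["id"] == 1074 else 16   # 1074: signed decimal, 1015: hex
    return ntstatus(int(m.group("code"), base))


def find_lsass_crash_chains(events, window=timedelta(minutes=2)):
    """Return one incident per lsass.exe Application Error 1000, together with the System
    1015/1074 restart events that follow it within `window` and their normalized status codes.
    A repeating chain of lsass fault -> forced restart with nothing dropped on disk is what a
    failed remote exploit attempt against the box looks like in the logs."""
    incidents = []
    for ev in events:
        if ev["log"] != "Application" or ev["id"] != 1000:
            continue
        fault = parse_fault(ev["desc"])
        if not fault or fault["app"].lower() != "lsass.exe":
            continue
        t = parse_time(ev["time"])
        followers = [
            f for f in events
            if f["log"] == "System" and f["id"] in (1015, 1074)
            and "lsass.exe" in f["desc"].lower()
            and t <= parse_time(f["time"]) <= t + window
        ]
        statuses = sorted({s for s in (status_from_event(f) for f in followers) if s})
        incidents.append({
            "time": t,
            "module": fault["module"],
            "address": fault["addr"],
            "restart_followed": bool(followers),
            "statuses": statuses,
            "access_violation": "0xc0000005" in statuses,
        })
    return incidents


if __name__ == "__main__":
    for inc in find_lsass_crash_chains(SAMPLE_EVENTS):
        print("%s lsass.exe fault in %s at %s, restart=%s, status=%s"
              % (inc["time"], inc["module"], inc["address"], inc["restart_followed"], inc["statuses"]))
```

Run against a real export, the interesting output is the count and spacing of incidents and whether the faulting module and address stay constant across them; a crash that always lands at the same address in the same module is a stronger sign of one repeated external trigger than a crash that wanders.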