Bugtraq mailing list archives

Re: Sasser variant that effects 2k3 SP1 completely updated?


From: "Robert J. Stull" <Stull_Robert_J () cat com>
Date: Wed, 15 Mar 2006 15:20:43 -0500





This was already discussed in a different thread; here is Microsoft's take
on what was happening:

Drew,

I work for Microsoft doing support for incidents such as this.  My support
group is not aware of any such issues.

The error code -1073741819 is an access violation.  An access violation, if
unhandled by the service's code, would cause the service to be terminated.
If an access violation occurs in a service that is required for the OS to
run, the termination of the service would cause the machine to reboot.
(That's an oversimplified explanation.)

Please open a support case with Microsoft so that we can get this issue
properly troubleshooted (troubleshot?).   If you would like, you may email
me privately and I'll open a support case and work with you on this.

-Matt
Matthew.Mucker () microsoft com

2 days later, I received this email from Microsoft Matt:

Drew and I worked on this problem in a private email thread.

It currently appears as though his issue is being caused by a
non-Microsoft application.  I've encouraged Drew to work with the
application vendor to determine the cause of the problem.

I'm not going to name names until we're sure that we've properly
identified the cause of the problem; I don't want to jump to conclusions
and put a dent in someone's reputation.

Hope this helps you.



R. James Stull
Network Administrator
Caterpillar, Lafayette Engine Center
Phone - 765.448.2356
Email - stullrj () cat com



"Andrew Weaver" <aweaver () ee net>
03/13/2006 02:06 PM

To: <bugtraq () securityfocus com>
cc:
Subject: Sasser variant that effects 2k3 SP1 completely updated?
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           



Caterpillar: Confidential Green
Retain Until: 04/14/2006
Retention Category: G90 - General Matters/Administration


    Has anyone seen a sasser variant that affects Windows 2k3 SP1?

    We have started seeing servers exhibiting the exact same effects that
sasser had back when it was "all the rage" that are completely patched to
the latest "Windows Update" spec before ever touching the non firewalled
internet. Our firewall is about as restrictive as possible.

There are two errors which are similar which evoke the "reboot of death" I
have been seeing these again since Saturday.

"Shutdown was initiated by NT AUTHORITY\SYSTEM
C:\Windows\SYSTEM32\services.exe Status Code -1073741819"

I shortened the above error message, but the pertinent parts are there, I
also noticed that sometimes it is lsass and sometimes it is services.exe.

Also, we use ghost to install our operating system, and our ghost image is
current up to the last windows update patch, and I have verified that
sasser is not on our ghost image.

Has anyone seen anything similar?

Thanks,
Andrew
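
Added example, not part of the original thread: a small Python triage helper that parses the shortened shutdown message quoted above and decodes the signed status code into its NTSTATUS fields, showing why -1073741819 reads as an access violation (0xC0000005). The function names, the one-entry lookup table and the second sample line (with an assumed lsass.exe path) are constructed for illustration.

```python
import re

# Small lookup of well-known NTSTATUS values (deliberately not exhaustive).
KNOWN_STATUS = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
SEVERITY = ["success", "informational", "warning", "error"]

# Matches the shortened event text quoted in the thread.
SHUTDOWN_RE = re.compile(
    r"Shutdown was initiated by (?P<account>.+?)\s+"
    r"(?P<image>[A-Za-z]:\\\S+\.exe)\s+Status Code (?P<status>-?\d+)",
    re.IGNORECASE | re.DOTALL,
)

def decode_ntstatus(value):
    """Split a status code (signed or unsigned decimal) into NTSTATUS fields."""
    code = value & 0xFFFFFFFF              # reinterpret signed int as 32-bit unsigned
    return {
        "hex": f"0x{code:08X}",
        "severity": SEVERITY[code >> 30],   # bits 31-30
        "customer": bool(code & 0x20000000),  # bit 29, set for non-Microsoft codes
        "facility": (code >> 16) & 0x0FFF,  # bits 27-16
        "code": code & 0xFFFF,              # bits 15-0
        "name": KNOWN_STATUS.get(code, "unknown"),
    }

def parse_shutdown_event(message):
    """Return the terminating process and decoded status, or None if no match."""
    m = SHUTDOWN_RE.search(message)
    if m is None:
        return None
    info = decode_ntstatus(int(m.group("status")))
    info["account"] = m.group("account").strip()
    info["process"] = m.group("image").rsplit("\\", 1)[-1].lower()
    return info

# First entry is the message as quoted in the thread; the second is constructed.
SAMPLE_EVENTS = [
    "Shutdown was initiated by NT AUTHORITY\\SYSTEM\n"
    r"C:\Windows\SYSTEM32\services.exe Status Code -1073741819",
    r"Shutdown was initiated by NT AUTHORITY\SYSTEM "
    r"C:\Windows\SYSTEM32\lsass.exe Status Code -1073741819",
]

if __name__ == "__main__":
    for text in SAMPLE_EVENTS:
        ev = parse_shutdown_event(text)
        print(ev["process"], ev["hex"], ev["name"], ev["severity"])
```

The decoded status only says that the process faulted on a memory access; it does not identify which module caused the fault, which is why the thread moves on to vendor troubleshooting.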



