Security Basics mailing list archives

Re: Interesting problem


From: "Maktub...it is written" <kirpagulati () hotmail com>
Date: Wed, 9 Jun 2004 01:22:35 +0530

This is definitely a Sasser. Just fixed a ditto system of one of my friends.
Get a Sasser removal tool and like Roger said, search the memory for
unregistered processes.
    One system I looked up had a weird "technically named" process running
that consumed about 98% of the computer resources while it was idle!!! and
that's not a pretty sight for someone who has just bought a 3.2GHz HT P4. ;-)
    All I did was delete that particular file and whoa...no more shutdowns
and no more problems with lsass.
    BTW Norton is seemingly becoming more and more incapable of picking up
viruses and/or fixing them and its regularly sent patches don't seem to be
helping a lot.
    I had a lot of problems with my computer too. Ran an AV scan on the
entire computer. Not one found. Then someone suggested AVG (which is in fact
freeware) and guess what? 43 viruses were picked up!!! And THAT is no joke.
Out of those 7 were backdoors. My system was completely open to whomever
managed to put them there and I didn't even know.
    Please note that this is only my experience with Norton and is in no
manner being opinionated on in either a positive or negative manner.

I hope this information was useful to you.

-(FaithNEVERholds...you always get deserted along the way.) Kirpa Singh
Gulati

I'm a thief. I am the will of independence; I am the power of persona. I am
the creation of my environment. I am the pursuit of more. I know this,
because I thrive on intelligence.



----- Original Message ----- 
From: "Roger A. Grimes" <roger () banneretcs com>
To: "bob martin" <bobmartin_613 () hotmail com>;
<security-basics () securityfocus com>
Sent: Saturday, June 05, 2004 8:14 AM
Subject: RE: Interesting problem


I'd still be thinking sasser-variant.

Look for the unauthorized executable in memory, and delete.  Review your
Run registry keys and delete the malware.

Roger

***************************************************************************
*Roger A. Grimes, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
***************************************************************************



-----Original Message-----
From: bob martin [mailto:bobmartin_613 () hotmail com]
Sent: Friday, June 04, 2004 1:22 PM
To: security-basics () securityfocus com
Subject: Interesting problem

Hello all,
We're experiencing an odd problem and I was hoping someone may be able
to give some advice.
Many of our computers are popping up lsass errors and reboot 45 seconds
later.  I immediately thought of sasser, but the windows patch is
installed and our virus definitions are up to date.  Norton doesn't pick
up anything when running a full scan.

Any ideas on this?

Thank you in advance.
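
The check suggested in the replies (review the Run registry keys, then look for the matching executable in memory) can be scripted offline. This is an added example, not code from anyone in the thread; the `reg query` and `tasklist` captures are constructed samples and the `APPROVED` baseline is a hypothetical allowlist.

```python
import csv
import io
import ntpath
import re

# Constructed sample of: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
REG_EXPORT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VendorAgent    REG_SZ    "C:\Program Files\Vendor\agent.exe" /start
    AVTray    REG_SZ    C:\Program Files\ExampleAV\tray.exe -min
    sysupd    REG_SZ    C:\WINDOWS\example12345.exe
"""
# Constructed sample of: tasklist /fo csv /nh
TASKLIST = '''"lsass.exe","628","Services","0","1,452 K"
"agent.exe","1204","Console","0","8,120 K"
"example12345.exe","1876","Console","0","3,004 K"
'''
# Hypothetical baseline of autostart executables the admin has approved
APPROVED = {r"c:\program files\vendor\agent.exe",
            r"c:\program files\exampleav\tray.exe"}

VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")
# Quoted path, or unquoted path up to the first executable extension
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)

def parse_run_values(text):
    """Yield (value name, command line) for each string value in the export."""
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m and m["type"] in ("REG_SZ", "REG_EXPAND_SZ") and m["data"].strip():
            yield m["name"], m["data"].strip()

def executable_of(command):
    """Strip quotes and arguments from a Run command; return the lowercased path."""
    m = EXE_RE.match(command)
    return ((m.group(1) or m.group(2)) if m else command.split()[0]).lower()

def review(reg_text, tasklist_csv, approved):
    """Return Run entries not in the baseline, noting whether the image is running."""
    running = {r[0].lower() for r in csv.reader(io.StringIO(tasklist_csv)) if r}
    findings = []
    for name, command in parse_run_values(reg_text):
        exe = executable_of(command)
        if exe not in approved:
            # tasklist reports image names only, so this is a name match, not a path match
            findings.append({"value": name, "path": exe,
                             "running": ntpath.basename(exe) in running})
    return findings

if __name__ == "__main__":
    for finding in review(REG_EXPORT, TASKLIST, APPROVED):
        print(finding)
```
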

