Educause Security Discussion mailing list archives

Slammed by the SASSER?


From: Monte Schmeiser <MSchmeiser () MARYMOUNTPV EDU>
Date: Thu, 7 Oct 2004 22:14:24 -0700

I am stumped.  Our network has been slammed by a virus for the last two
days.  It is wreaking havoc. We have not been able to zero in on the
source and I would like ANY advice anyone could give us.  I apologize
for the length of this email but want to give as much info as possible.
 
Our Network
Hardware-based firewall
Switched Network
200 workstation running Windows XP Professional
External DNS server running Windows NT
Internal DNS server running Windows 2000
Backup internal DNS server running Windows 2000
Active Directory server running Windows 2000
Backup Active Directory server running Windows 2000
Exchange 2000 Email server w/SP3
Novell 5.0 file server
Web Server running IIS 5.0
SQL Server 2000
 
Day One (morning)
Help desk calls began coming in with people reporting that when
attempting to log into the network (Novell) they were either getting an
error (Windows unspecified error) or they could log in but once they
did, they would get a countdown popup saying their system would shut
down in 60 seconds.
 
Our web server was getting slammed by a "generic denial of service"
attack.  This was reported by our Entercept HIDS software.  This server
is the only one on our network that is open to HTTP traffic via our
firewall.  EVERYTHING else is locked down from the outside world except
for our email server.
 
By the symptoms we concluded that we were dealing with the Sasser worm.
What was confusing was that we are running Symantec Corporate antivirus
and all of our workstations were up to date as far as definitions go.
If it was the worm, why was Symantec not catching it?
We had our users shut down their workstations.  We noticed that our
internal backup DNS server's LSASS.EXE service was running very high CPU
levels.  So we shut it down.
We shut down our IIS server.
 
The servers running AD were also getting slammed which was then causing
our Exchange server to hang.  We decided to bring everything down. 
 
We then went one by one through our servers and scanned each one.
We started the task of cleaning up workstations across campus.  We were
also seeing numerous machines infected with the worm.32 virus.  We do
not have patch management software.  We began patching our systems with
the Microsoft vulnerability patch for LSASS.
We were able to bring our systems online last night.
 
DAY 2
Today, many people were still reporting login errors and computers
automatically shutting down.  It is going to take a lot of time going to
each computer to apply patches manually.
 
Email Problem rears its head
Today we started getting reports that users could not connect to the
Exchange server using Outlook.  Two scenarios were being reported, when
attempting to open Outlook, program would hang, no login OR login would
appear, user would log in, and then get a message reporting that the
Exchange server could not be reached.   This was happening on computers
that had been infected but then cleaned and patched.
 
The strange thing is that we have other workstations on campus that had
been infected, cleaned and patched, and they could log in to their
Exchange email.
 
Does anyone have any initial thoughts on what might be going on and how
we should attack this problem?  At this point we are just going to
continue cleaning and patching workstations but are stumped with the
Exchange problem.
 
I am also frustrated as to why our Symantec antivirus did not detect
these worms since they are not new.  All of our desktops are up to date
with definitions, but people are still reporting virus problems
associated with SASSER, we think.  The symptoms look like it's SASSER but
also a little like the LOVESAN virus.  But again, we are not getting
alerts on these computers from Symantec.
 
Thanks for any help or advice you may have.
 
Monte Schmeiser
Institutional Technology
Marymount College
mschmeiser () marymountpv edu
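The post asks how to zero in on the source of a Sasser-style outbreak on a switched network. Sasser spreads by sweeping TCP/445 for the LSASS flaw fixed by MS04-011, and a freshly exploited victim pulls the worm body back from the infecting host over an FTP listener on TCP/5554, so an infected machine stands out in connection logs by its 445 fan-out, and the hosts that victims connect back to on 5554 are themselves infected. The script below is an added example, not code from the original post; it assumes a hypothetical syslog-style line layout (timestamp, source, destination, protocol, destination port, action) and the function and constant names are chosen here. The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical log format assumed for this example (not from the original post):
#   <timestamp> <src_ip> <dst_ip> <proto> <dst_port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"\s+(?P<proto>TCP|UDP)\s+(?P<dport>\d+)\s+(?P<action>\S+)$"
)

SASSER_SCAN_PORT = 445   # LSASS exploit is delivered over SMB, TCP/445 (MS04-011)
SASSER_FTP_PORT = 5554   # Sasser's FTP listener on the infecting host


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def fanout_by_source(lines, dport=SASSER_SCAN_PORT):
    """Map each source IP to the set of distinct destinations it hit on dport."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == dport:
            targets[rec["src"]].add(rec["dst"])
    return targets


def rank_scanners(lines, dport=SASSER_SCAN_PORT, min_targets=20):
    """Return [(src, distinct_target_count)] at or above the threshold, busiest first.

    A normal workstation talks SMB to a handful of servers; a worm sweeps a
    whole subnet, so distinct-destination count separates the two cleanly."""
    fan = fanout_by_source(lines, dport)
    hits = [(src, len(dsts)) for src, dsts in fan.items() if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def infector_candidates(lines, ftp_port=SASSER_FTP_PORT):
    """Hosts that other machines connected to on Sasser's FTP port, with the
    number of distinct victims each served.  The host serving the payload is
    itself infected, so this points at the spreader even if its 445 sweep was
    not logged."""
    served = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == ftp_port:
            served[rec["dst"]].add(rec["src"])
    return {dst: len(srcs) for dst, srcs in served.items()}


# Constructed sample log: one host sweeping TCP/445 across 30 addresses, one
# host doing ordinary SMB to two servers, two victims fetching the payload from
# the sweeper on TCP/5554, and one unparseable line that must be skipped.
SAMPLE_LOG = (
    [f"2004-10-07T08:01:{i % 60:02d} 10.1.4.23 10.1.4.{i} TCP 445 SYN" for i in range(1, 31)]
    + [
        "2004-10-07T08:02:10 10.1.7.5 10.1.4.200 TCP 445 SYN",
        "2004-10-07T08:02:11 10.1.7.5 10.1.4.201 TCP 445 SYN",
        "2004-10-07T08:02:15 10.1.4.9 10.1.4.23 TCP 5554 SYN",
        "2004-10-07T08:02:16 10.1.4.12 10.1.4.23 TCP 5554 SYN",
        "this line is not in the expected format and is ignored",
    ]
)

if __name__ == "__main__":
    for src, n in rank_scanners(SAMPLE_LOG):
        print(f"likely scanner: {src} hit {n} distinct hosts on TCP/{SASSER_SCAN_PORT}")
    for host, n in infector_candidates(SAMPLE_LOG).items():
        print(f"served payload on TCP/{SASSER_FTP_PORT}: {host} to {n} victims")
```

Because the post's firewall blocks everything inbound except HTTP and mail, the 445 sweeps are internal-to-internal and never cross the firewall; the data has to come from a mirror/span port, the HIDS on the servers, or the switches' own flow logs. The threshold of 20 distinct targets is a starting point, not a constant; lower it on small subnets and check the top few hosts by hand.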
