New Virus released, can anyone help identify it?

From: Craig N. (anonymous_at_discussions.microsoft.com)
Date: 09/29/04

    Date: Tue, 28 Sep 2004 18:08:27 -0700
    
    

    I am a consultant, and I have had 3 corporate networks,
    plus 20 servers at my colo facility nailed with a new
    virus. Virus scans are not picking it up, and I have the
    latest definitions.

    I have identified the culprit service to be LSESS.EXE, not
    LSASS.exe, and the Sasser patch and removal tool does not
    work. Also, in the system32 folder, I locate the file.

    It appears as though this virus just comes right in, not
    through e-mail or surfing. Since some of the machines
    affected are pure gaming servers, and don't have anyone
    accessing the net or receiving e-mail.

    Anyways, as far as effects, the first noticeable sign is
    that once you log into 2000, you do not get a desktop, it
    just sits with a blue screen for hours. Then the machine
    starts rebooting constantly.

    I performed a format and reinstall of 2000, and got my
    desktop back, but within 2 minutes, I started getting
    svchost errors, and Windows would reboot after 10 seconds.

    I finally did a clean 2003 install, and once again got the
    virus, but it was attacking the RPC, causing a reboot in 10
    seconds. I went into services, and disabled the action
    from reboot machine to take no action for RPC.

    I have noticed that if I restrict access to the file
    LSESS.EXE the machines appear to run fine. I have also
    encountered multiple instances of it in the registry.

    It looks like Blaster or maybe Sasser, but not exact. It
    also appears to be a widespread infection. I originally
    caught it two days ago, and assumed it was Blaster, but
    then it nailed everyone today, and these are all separate
    corporations, and nothing on the security sites regarding
    it.

    Anyways, anyone have any idea what it is?
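
The LSESS.EXE versus LSASS.exe naming described in the post above is a file name that imitates a system binary. As an added example (not part of the original post), one way to flag such names in a process inventory; the list of system binaries, the accepted directories and the sample paths are assumptions constructed for illustration.

```python
# Added example: flag image paths whose file names imitate Windows system binaries.
import ntpath

# Assumed watch list of system binaries and the directories they load from
# (C:\WINNT on a default Windows 2000 install, C:\WINDOWS on Server 2003).
SYSTEM_NAMES = ("lsass.exe", "svchost.exe", "services.exe", "csrss.exe")
SYSTEM_DIRS = {r"c:\winnt\system32", r"c:\windows\system32"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, matched_system_name) for one full image path."""
    folder, name = ntpath.split(image_path.lower())
    if name in SYSTEM_NAMES:
        # Genuine name: only the expected directory is acceptable.
        return ("ok" if folder in SYSTEM_DIRS else "wrong-directory", name)
    for known in SYSTEM_NAMES:
        # One character away from a system binary, wherever the file lives.
        if edit_distance(name, known) <= 1:
            return ("lookalike-name", known)
    return ("unknown", None)

def suspicious(paths):
    """Keep only the entries that deserve a closer look."""
    hits = []
    for p in paths:
        verdict, known = classify(p)
        if verdict in ("lookalike-name", "wrong-directory"):
            hits.append((p, verdict, known))
    return hits

# Constructed inventory, standing in for an exported process listing.
SAMPLE = [
    r"C:\WINNT\system32\LSESS.EXE",
    r"C:\WINNT\system32\lsass.exe",
    r"C:\Temp\svchost.exe",
    r"C:\WINNT\system32\notepad.exe",
]

if __name__ == "__main__":
    for path, verdict, known in suspicious(SAMPLE):
        print(f"{verdict:16} {path}  (resembles {known})")
```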

