Re: New Virus released, can anyone help identify it?

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 09/29/04


Date: Wed, 29 Sep 2004 02:13:00 GMT

First guess is it's actually malware/spyware/etc. Have you looked at
the RUN and RUNONCE keys and removed any reference? Checked the
Startup group?

Jeff

On Tue, 28 Sep 2004 18:08:27 -0700, "Craig N."
<anonymous@discussions.microsoft.com> wrote:

>I am a consultant, and I have had 3 corporate networks,
>plus 20 servers at my colo facility nailed with a new
>virus. Virus scans are not picking it up, and I have the
>latest definitions.
>
>I have identified the culprit service to be LSESS.EXE, not
>LSASS.exe, and the Sasser patch and removal tool does not
>work. Also, in the system32 folder, I locate the file.
>
>It appears as though this virus just comes right in, not
>through e-mail or surfing. Since some of the machines
>affected are pure gaming servers, and don't have anyone
>accessing the net or receiving e-mail.
>
>Anyways, as far as effects, the first noticeable sign is
>that once you log into 2000, you do not get a desktop, it
>just sits with a blue screen for hours. Then the machine
>starts rebooting constantly.
>
>I performed a format and reinstall of 2000, and got my
>desktop back, but within 2 minutes, I started getting
>svchost errors, and Windows would reboot after 10 seconds.
>
>I finally did a clean 2003 install, and once again got the
>virus, but it was attacking the RPC, causing a reboot in 10
>seconds. I went into services, and disabled the action
>from reboot machine to take no action for RPC.
>
>I have noticed that if I restrict access to the file
>LSESS.EXE the machines appear to run fine. I have also
>encountered multiple instances of it in the registry.
>
>It looks like Blaster or maybe Sasser, but not exact. It
>also appears to be a widespread infection. I originally
>caught it two days ago, and assumed it was Blaster, but
>then it nailed everyone today, and these are all separate
>corporations, and nothing on the security sites regarding
>it.
>
>Anyways, anyone have any idea what it is?
>
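
The check suggested in the reply above (the Run and RunOnce keys and the Startup group) can be scripted on a current Windows system. The PowerShell below is an added example, not part of the original thread. The list of system process names and the edit-distance threshold are assumptions, chosen so that a name like LSESS.EXE is reported as imitating lsass.exe.

```powershell
# Added example: list autorun entries and flag names that imitate system binaries.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$startupDirs = 'Startup', 'CommonStartup' | ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
# Assumption: a short reference list of real system process names to compare against.
$systemNames = 'lsass.exe', 'svchost.exe', 'services.exe', 'winlogon.exe', 'csrss.exe'

function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance, keeping only the previous and current rows.
    $prev = @(0..$b.Length)
    for ($i = 1; $i -le $a.Length; $i++) {
        $cur = @($i) + (@(0) * $b.Length)
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -ceq $b[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j], $cur[$j - 1]) + 1, $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$b.Length]
}

function Get-Lookalike([string]$command) {
    # Pull the first executable name out of the command line, then compare it.
    if ($command -match '([^\\/"\s]+\.exe)') {
        $name = $Matches[1].ToLower()
        if ($systemNames -notcontains $name) {
            # Assumption: an edit distance of 1 or 2 is close enough to call a lookalike.
            foreach ($sys in $systemNames) { if ((Get-EditDistance $name $sys) -le 2) { return $sys } }
        }
    }
}

$entries = @(
    foreach ($key in $runKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($v in $item.GetValueNames()) {
            [pscustomobject]@{ Source = $key; Name = $v; Command = [string]$item.GetValue($v) }
        }
    }
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
)
$entries | Select-Object *, @{ Name = 'Imitates'; Expression = { Get-Lookalike $_.Command } } | Format-List
```

An empty `Imitates` field means only that the name is not close to one on the reference list; every listed entry still needs to be reviewed by hand.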


