Re: New Virus released, can anyone help identify it?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 09/29/04 

Date: Wed, 29 Sep 2004 06:46:59 GMT

Here is some more info on your problem as reported by Trend Micro by
searching their site for lsess.exe. --- Steve

http://www.trendmicro.com/search/google/en-us/results.asp?lr=lang_en-us&q=LSESS.EXE

WORM_SDBOT.CU - Description and solution
... It drops a copy of itself as the file LSESS.EXE in the Windows system
folder. This malware runs on Windows 95, 98, ME, NT, 2000, and XP. ...
www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.CU... -
49k

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:Ffr6d.274838$mD.133155@attbi_s02...
> If your virus scanner does not pick it up with the latest definitions try
> a second opinion and contact your antivirus vendor with the information
> you supplied here to see what they recommend. Trend Micro has a free and
> compact Sysclean download for malware detection and removla and pattern
> file that you need to download to a common folder to execute from. Also
> scan with something like AdAware or Pest Patrol. Pest Patrol is pretty
> good and targets Trojans and parasites. They have a free download but I
> think it will only detect and not remove. Also try some of the free tools
> from SysInternals - TCPView, Process Explorer, and Autoruns to help
> identify what is happening by mapping port use to processes, and showing
> detailed info on what applications are configured to start up
> automatically. Note that you can also use msinfo32/software
> environment/running tasks to see process to path mapping in W2K and you
> can also use it to view processes on remote computers. For computers that
> do not need to offer resources on the network it may help to enable tcp/ip
> filtering on the network adapter to block uninitiated inbound traffic. Be
> sure to disable it when you are done as it may cause network connectivity
> problems in the future. Of course XP and W2003 have the built in ICF
> firewall.--- Steve
>
> http://www.trendmicro.com/download/dcs.asp -- Sysclean
> http://www.trendmicro.com/download/pattern.asp -- pattern file current as
> of today
> http://www.pestpatrol.com/Downloads/Eval/DownloadHomeEvalNew.asp -- Pest
> Patrol
> http://www.sysinternals.com/ntw2k/source/tcpview.shtml -- TCPView
> http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_TCPIP_pro_TCPIPfilter.htm
>
>
> "Craig N." <anonymous@discussions.microsoft.com> wrote in message
> news:114d01c4a5c0$d39f1aa0$a601280a@phx.gbl...
>>I am a consultant, and I have had 3 corporate netowrks,
>> plus 20 servera t my colo facility nailed with a new
>> virus. Virus sacns are not picking it up, and I have the
>> latest definitions.
>>
>> I have identified the culprit service to be LSESS.EXE, not
>> LSASS.exe, ans the sasser patch and removal tool does not
>> work. ALso, in the system32 folder, I locate the file.
>>
>> It appears as though this virus just comes right in, not
>> through e-mail or surfing. Since some of the machines
>> affected are pure gaming servers, and dont have anyone
>> accessing the net or receiving e-mail.
>>
>> Anyways, as far as effects, the first noticeable sign is
>> that once you log into 2000, you do not get a desktop, it
>> just sits with a blue screen for hours. Then the machine
>> starts rebooting constantly.
>>
>> I performed a format and reinstall of 2000, and got my
>> desktop back, but within 2 minutes, I started getting
>> svchost errors, and Windows would rebbot after 10 seconds.
>>
>> I finally did a clean 2003 install, and once again got the
>> virus, but it was attacking the RPC,causing a reboot in 10
>> seconds. I went into services, and disabled the action
>> from reboot machine to take no action for RPC.
>>
>> I have noticed that if I restrict access to the file
>> LSESS.EXE the machines apper to run fine. I have also
>> encountered multiple instances of it inthe registry.
>>
>> It looks like blaster or maybe Sasser, but not exact. It
>> also appears t be a widespread infection. I originally
>> caught it two days ago, and assumed it was blaster, but
>> then it nailed everypne today, and these are all seperate
>> corporations, and nothing on the security sites regarding
>> it.
>>
>> Anyways, anyone have any idea what it is?
>>
>>
>
>

Relevant Pages

  • Re: Ping and tracert always works but http or ftp only works a couple of mins just after reboot
    ... check any virus or spyware. ... Networking, Internet, Routing, VPN Troubleshooting on ... Just after normal reboot, ... When I reboot XP with SafeMode(Network support), ...
    (microsoft.public.windowsxp.network_web)
  • RE: Securing a Local Network
    ... How much would it cost if a virus infected one ... be if a competitor hacked into their network and was able to access all ... Third issue is virus protection. ... can infect you from numerous other sources. ...
    (Security-Basics)
  • RE: Using viruses in pen-test
    ... I wonder if there is some type of "fake" virus you could use in this case. ... David A. Swafford, Network Engineer ... I wish to know your views on "Using viruses in pen-test"I ... Cenzic Hailstorm finds vulnerabilities fast. ...
    (Pen-Test)
  • Re: If you used to use Windows or now used Windows less because of FreeBSD why?
    ... > but I've never had any virus or other malware on it. ... > network. ... then build a recommended s/w suite on that. ... toaster, not very expensive crap computers made to be less useful than ...
    (comp.unix.bsd.freebsd.misc)
  • Re: Lost access to home network
    ... virus scans on the CDs ... then beginning again with a fresh install. ... I have 3 computers on a network. ... Then post the logs to an appropriate forum where they specialize in ...
    (microsoft.public.windowsxp.general)