What Virus is this? It kills the Lsass.exe makeing the system reboot.

It kills lsass.exe anyhow it makes the system reboot, it tells me that the system will restart in 60seconds.

The system has NOD32 Retail running with Deep heuritics and defs of 1.746 (May 1st 2nd defs 2004). and it got infected. Don't know what it is, right now am scanning the system in Safemode and will later post the results.

What can it be?

Kind of dissapointed with NOD but what can I say.

From the writeup of other AV companies it seems to be SASSER...but I thought NOD32 has it in their devs...it seems that it got infected even with NOD32 installed with SASSER defs..since the system will reboot very soon after infection and the system updated at noon and just now decided to reboot. Myabe it's the variant B oh well when scan it done I will post it.

 

It will be the new sasser worm.

https://www.wilderssecurity.com/showthread.php?t=30247
https://www.wilderssecurity.com/showthread.php?t=30228
https://www.wilderssecurity.com/showthread.php?t=30197

Regards,

CrazyM

 

i'm concerned that nod32 let this slip through if it's indeed sasser.

let us know what your scans turn up.

 

Hi tempnexus

Is your system OS up to date with the latest patches?
Are you running a firewall?

Regards,

CrazyM

 

whether he is or not, nod should have caught it.

 

The system tempnexus is discussing would appear to have been vulnerable by being unpatched and not firewalled. Whether it was actually infected by sasser or the worms attempts at exploiting the vulnerability are just causing the reboot problems with lsass.exe remains to be determined.

Worms like this can cause problems with unprotected systems before any infection actually occurs.

Regards,

CrazyM

 

of course, you're right.

 

Hi norky

Nice to see you have joined us here at Wilders. Welcome aboard

Regards,

CrazyM

 

thanks! i've been lurking for awhile and decided to take the plunge.

 

Yeah is Sasser.A, still try to figure out how the F did it infect the system even when the NOd32 was updated?
Sygate Firewall was running on their system so that is still puzzling like hell.
Just did some patches so now it should be immune but yeah it's weird that NOD32 didn't protect it and neither did SYGATE?

weird.

 

Have you confirmed the system was infected? Any of the trace files left behind?

Check if they have any rules in Sygate for svchost.exe or any other services that use the vulnerable ports. I believe the default application rules for Sygate still allow inbound traffic (server rights) which could explain this. If there is, you will have to modify each rule to not allow inbound (act as a server).

Regards,

CrazyM

 

From Sans Internet Storm Center

http://isc.incidents.org/diary.php?date=2004-05-01&isc=104f4cc9d4c81f232c647d00a93038c6

"MS04-011 LSASRV Exploit
We received reports late last night from David Tulo reporting suspicious traffic. After much analysis by many handlers and help from him with captures and what he was seeing, we were able to match the traffic with a published exploit against the LSASRV vulnerability in MS04-011. For more information http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx We also observed and captured the same traffic to two other locations. The exploit is very similar to Sasser and may mislead folks in what they are seeing. The destinations port observed was 445. However, this exploit lacks the FTP attempts and the communication on ports 5554 and 9996. Also there are no files dropped on the system. It appears to determine the OS type and then attempt to shovel a shell back to a specific IP address. If it fails the LSASS crashes and the system is rebooted.

The possiblity exists for this to be turned into a worm. No sign of this yet.

It is important to make sure your systems are patched and that you block traffic on port 445 if possible."

Another possibility of what this system may have experienced.

Regards,

CrazyM

 

I've been having the same problem since yesterday... and I found a Better Internet virus bi.dll in Windows.

 

Did Nod32 give any warning at all?

 

i need tu get this f-ing thing off mai comp...its pissing me off...i gotta shut down mai system every 10 minuets

 

Once you get the
"LSASS.exe termination the system will restart in 59 sec" go to STart>RUN type in "CMD" and once the command windows pops up do:

shutdown -a

this will abort the shutdown sequence allowing you ample time to update and remove the infection. (USE THE PATCH LUKE USE THE PATCH)

 

how the mush do i get rid of this poxy lsass ****, where can i get a patch?

 

http://www.microsoft.com/security/incident/sasser.asp

 

Another view

Sasser virus' use a buffer overflow in lsass. Machines infected by this viruses try to infect others computer's by connecting to port 445 and sending some packets. This "malformed" packets overflow the stack of a funcion in lsasrv.dll, and allow to bind a shell in port 9996 (by this way, the worm is able to download the worm to the infected machin, via ftp). This exploit works well in WXP (SP?), W2K(SP2,SP3 and SP4), but if the system is W2K withou SP or SP1, the lsass crash and the machine reboot after 60 seconds. If this happen, the machine is not infected, and you will not find any evidence file of the virus.

I think that is the problem.

Ismael Briones
Panda Software
www.pandasoftware.com