What Virus is this? It kills the Lsass.exe making the system reboot.

Discussion in 'NOD32 version 2 Forum' started by tempnexus, May 1, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    It kills lsass.exe; anyhow, it makes the system reboot. It tells me that the system will restart in 60 seconds.

    The system has NOD32 Retail running with Deep heuristics and defs of 1.746 (May 1st 2nd defs 2004), and it got infected. Don't know what it is; right now I am scanning the system in Safe Mode and will post the results later.

    What can it be?

    Kind of disappointed with NOD, but what can I say.

    From the writeup of other AV companies it seems to be SASSER... but I thought NOD32 has it in their defs... it seems that it got infected even with NOD32 installed with SASSER defs, since the system will reboot very soon after infection and the system updated at noon and just now decided to reboot. Maybe it's the variant B. Oh well, when the scan is done I will post it.
     
    Last edited: May 1, 2004
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  3. norky

    norky Guest

    i'm concerned that nod32 let this slip through if it's indeed sasser.

    let us know what your scans turn up.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi tempnexus

    Is your system OS up to date with the latest patches?
    Are you running a firewall?

    Regards,

    CrazyM
     
  5. norky

    norky Guest

    whether he is or not, nod should have caught it.
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    The system tempnexus is discussing would appear to have been vulnerable by being unpatched and not firewalled. Whether it was actually infected by Sasser or the worm's attempts at exploiting the vulnerability are just causing the reboot problems with lsass.exe remains to be determined.

    Worms like this can cause problems with unprotected systems before any infection actually occurs.

    Regards,

    CrazyM
     
  7. norky

    norky Registered Member

    Joined:
    May 1, 2004
    Posts:
    172
    Location:
    Lithia, FL
    of course, you're right. :)
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi norky

    Nice to see you have joined us here at Wilders. Welcome aboard :)

    Regards,

    CrazyM
     
  9. norky

    norky Registered Member

    Joined:
    May 1, 2004
    Posts:
    172
    Location:
    Lithia, FL
    thanks! i've been lurking for awhile and decided to take the plunge.
     
  10. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Yeah, it is Sasser.A; still trying to figure out how the F did it infect the system even when NOD32 was updated?
    Sygate Firewall was running on their system, so that is still puzzling like hell.
    Just did some patches, so now it should be immune, but yeah, it's weird that NOD32 didn't protect it and neither did Sygate?

    weird.
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Have you confirmed the system was infected? Any of the trace files left behind?

    Check if they have any rules in Sygate for svchost.exe or any other services that use the vulnerable ports. I believe the default application rules for Sygate still allow inbound traffic (server rights), which could explain this. If there are, you will have to modify each rule to not allow inbound (act as a server).

    Regards,

    CrazyM
     
  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    From Sans Internet Storm Center

    http://isc.incidents.org/diary.php?date=2004-05-01&isc=104f4cc9d4c81f232c647d00a93038c6

    "MS04-011 LSASRV Exploit
    We received reports late last night from David Tulo reporting suspicious traffic. After much analysis by many handlers and help from him with captures and what he was seeing, we were able to match the traffic with a published exploit against the LSASRV vulnerability in MS04-011. For more information http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx We also observed and captured the same traffic to two other locations. The exploit is very similar to Sasser and may mislead folks in what they are seeing. The destinations port observed was 445. However, this exploit lacks the FTP attempts and the communication on ports 5554 and 9996. Also there are no files dropped on the system. It appears to determine the OS type and then attempt to shovel a shell back to a specific IP address. If it fails the LSASS crashes and the system is rebooted.

    The possibility exists for this to be turned into a worm. No sign of this yet.

    It is important to make sure your systems are patched and that you block traffic on port 445 if possible."


    Another possibility of what this system may have experienced.

    Regards,

    CrazyM
     
  13. Vanessa

    Vanessa Guest

    I've been having the same problem since yesterday... and I found a Better Internet virus bi.dll in Windows.
     
  14. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Did Nod32 give any warning at all?
     
  15. i need to get this f-ing thing off my comp... it's pissing me off... i gotta shut down my system every 10 minutes
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Last edited: May 3, 2004
  17. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Once you get the
    "LSASS.exe termination, the system will restart in 59 sec" message, go to Start > Run, type in "CMD", and once the command window pops up, run:

    shutdown -a

    This will abort the shutdown sequence, allowing you ample time to update and remove the infection. (USE THE PATCH, LUKE, USE THE PATCH)
     
  18. Browners07

    Browners07 Registered Member

    Joined:
    May 4, 2004
    Posts:
    1
    How the mush do I get rid of this poxy lsass ****? Where can I get a patch?
     
  19. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
  20. Habiru

    Habiru Registered Member

    Joined:
    May 4, 2004
    Posts:
    43
    Location:
    Fredericton

    Another view

    Sasser viruses use a buffer overflow in lsass. Machines infected by these viruses try to infect other computers by connecting to port 445 and sending some packets. These "malformed" packets overflow the stack of a function in lsasrv.dll and allow it to bind a shell on port 9996 (by this way, the worm is able to download the worm to the infected machine via FTP). This exploit works well on WXP (SP?) and W2K (SP2, SP3 and SP4), but if the system is W2K without SP or with SP1, lsass crashes and the machine reboots after 60 seconds. If this happens, the machine is not infected, and you will not find any evidence file of the virus.

    I think that is the problem.

    Ismael Briones
    Panda Software
    www.pandasoftware.com
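The SANS note CrazyM quoted and Ismael's post above give a defender two patterns to tell apart on a machine showing the 60-second LSASS reboot: the full Sasser chain (inbound 445, a shell bound on 9996, then the victim fetching the worm from the attacker's FTP server on 5554, with files dropped) versus a bare LSASRV exploit attempt or a failed Sasser attempt (445 only, LSASS crashes, nothing dropped). The following Python script is an added example written for this thread, not code from the forum, from ESET, Sygate, SANS or Panda; it assumes a constructed connection-log format ("timestamp IN|OUT remote-ip port") and a constructed sample log, and classifies each remote host by which parts of that chain appear.

```python
"""Triage the LSASS-crash symptom from a simple connection log.

Added example for this thread (not code from the forum or any vendor).
The log format and the sample lines below are constructed assumptions.
"""
import re
from collections import defaultdict

# Ports named in the thread: the LSASRV/SMB target port, the shell Sasser
# binds on the victim, and the FTP server Sasser runs on the attacking host.
PORT_TARGET = 445
PORT_SHELL = 9996
PORT_FTP = 5554

# Assumed (constructed) log format: "<timestamp> <IN|OUT> <remote-ip> <port>".
# For IN lines <port> is the local port the remote connected to; for OUT lines
# it is the remote port the local host connected to.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dir>IN|OUT)\s+"
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)$"
)

# Constructed sample log: one host that completes the Sasser chain, one that
# only hits 445, one unrelated host, and a malformed line that must be skipped.
SAMPLE_LOG = """\
2004-05-01T12:01:03 IN 10.0.0.7 445
2004-05-01T12:01:04 IN 10.0.0.7 9996
2004-05-01T12:01:05 OUT 10.0.0.7 5554
2004-05-01T12:02:10 IN 10.0.0.9 445
2004-05-01T12:03:00 IN 10.0.0.11 139
this line is malformed and must be ignored
"""


def parse_log(text):
    """Group (direction, port) events by remote host; non-matching lines are skipped."""
    events = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events[m.group("remote")].add((m.group("dir"), int(m.group("port"))))
    return events


def classify(evts):
    """Label one remote host's events using the pattern from the SANS note."""
    hit_445 = ("IN", PORT_TARGET) in evts
    shell = ("IN", PORT_SHELL) in evts
    ftp = ("OUT", PORT_FTP) in evts
    if hit_445 and shell and ftp:
        # 445, then our shell on 9996, then we fetched from their FTP on 5554:
        # full propagation chain, so expect dropped worm files on disk.
        return "sasser-propagation"
    if hit_445 and not shell and not ftp:
        # 445 only: a bare LSASRV exploit attempt, or Sasser hitting an OS level
        # it cannot exploit; LSASS may crash and reboot with no infection.
        return "lsasrv-exploit-attempt"
    if hit_445:
        # 445 plus only part of the chain: worth a manual look.
        return "partial-chain"
    return "unrelated"


def triage(text):
    """Map each remote host in the log to its classification label."""
    return {remote: classify(evts) for remote, evts in parse_log(text).items()}


if __name__ == "__main__":
    for remote, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"{remote:<12} {label}")
```

A host labelled "lsasrv-exploit-attempt" matches the case both posts describe (crash and reboot, no files to find), while "sasser-propagation" is the case where a scan for the dropped files and the MS04-011 patch are both needed; in either case the fix is the same: patch, and stop inbound 445 at the firewall.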
     