Lsass.exe causing shutdown in IE.

Hi all.

We're starting to take calls from users about an LSASS.EXE error causing
XP to do the 60 seconds till forced reboot, and the normal blaster
mitigation and turning on the ICF isn't fixing it. I've been able to
reproduce it on one machine locally. Is anyone else seeing it?

-Ejay

Ejay, I've seen this for about 36 hours but I haven't been involved in the
resolution process. Let me know what you find.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

Sasser (windows) worm.

   http://isc.sans.org/diary.php?date=2004-04-30

Behalf Of Ejay Hire
Sent: May 1, 2004 4:09 PM

We're starting to take calls from users about an LSASS.EXE error causing
XP to do the 60 seconds till forced reboot, and the normal blaster
mitigation and turning on the ICF isn't fixing it. I've been able to
reproduce it on one machine locally. Is anyone else seeing it?

This may be of interest to you:

http://xforce.iss.net/xforce/alerts/id/172

Todd

This affects Win2k too. I had to deal with it earlier today. It was my experience that after the machine rebooted a few times it would stay up and allow you to remove the offending files and processes, and apply the appropriate patches.

What I like about this worm is that it's extremely easy to identify hosts on your network that are infected. Just run an nmap scan of your network and look for hosts with TCP port 5554 open.

-J
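
The check described in the message above, as an added example that is not part of the original post: a parser that reads nmap grepable (`-oG`) output and lists the hosts reporting TCP 5554 as open. The sample scan output is constructed, the addresses are documentation addresses, and IPv4 targets are assumed.

```python
"""List hosts with TCP 5554 open from nmap grepable (-oG) output."""
import ipaddress
import re
import sys

SASSER_PORT = 5554  # the port named in the post above

# One entry of the "Ports:" field looks like: 5554/open/tcp//unknown///
PORT_ENTRY = re.compile(r"(\d+)/([^/]*)/([^/]*)/")

# Constructed sample, e.g. what `nmap -p 445,5554 -oG - <your range>` emits.
SAMPLE = "\n".join([
    "# Nmap scan initiated (constructed sample)",
    "Host: 192.0.2.10 ()\tStatus: Up",
    "Host: 192.0.2.10 ()\tPorts: 445/open/tcp//microsoft-ds///, 5554/open/tcp//unknown///",
    "Host: 192.0.2.11 (pc11.example.test)\tPorts: 5554/closed/tcp//unknown///",
    "Host: 192.0.2.12 ()\tPorts: 5554/filtered/tcp//unknown///",
    "Host: 192.0.2.9 ()\tPorts: 5554/open/tcp//unknown///\tIgnored State: closed (1)",
])


def suspect_hosts(grepable_text, port=SASSER_PORT):
    """Return the IPs (numerically sorted) whose port/tcp state is exactly 'open'."""
    hits = set()
    for line in grepable_text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines
        fields = line.split("\t")
        ports = next((f for f in fields if f.startswith("Ports:")), None)
        if ports is None:
            continue  # "Status: Up" lines carry no port data
        ip = fields[0].split()[1]
        for entry in ports[len("Ports:"):].split(","):
            m = PORT_ENTRY.match(entry.strip())
            # 'filtered' and 'closed' are not evidence of a listener.
            if m and int(m.group(1)) == port and m.group(2, 3) == ("open", "tcp"):
                hits.add(ip)
    return sorted(hits, key=ipaddress.ip_address)


if __name__ == "__main__":
    # Pass a saved -oG file as the first argument, or run with no argument
    # to see the result for the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for host in suspect_hosts(text):
        print(f"{host}\ttcp/{SASSER_PORT} open - check for infection")
```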

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

Microsoft Windows LSASS Buffer Overrun Vulnerability
http://www.symantec.com/avcenter/security/Content/10108.html

Latest virus threats

W32.Misodene@mm
Backdoor.Sdbot.Z
W32.Gaobot.AFW
W32.Gaobot.AFJ
W32.Gaobot.AFC
  
-Henry

Yes, for the last couple of days I've been getting constant Nagios reports about
some Windows servers getting rebooted all the time (these are all Win2000 but
obviously it has the same kernel as XP, and the viruses and exploits are all the same).
I could not find any good way to actually shut this all down at the firewall
level and was forced to go through each rebooting computer, making sure all
the latest Windows updates are installed and disabling or renaming the "scripts"
IIS CGI directory, etc. I noticed these problems on Friday morning but
possibly it started on Thursday.