Strange Sasser symptoms ...

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi All,

No I have NOT lost the plot this time - all facts below are accurate and verified

Was upgrading the RAM in my bro's PC today (XP Pro SP2). I set this PC up from clean install 2 weeks ago, with AVG7 updating whenever he used it. Windows Firewall on by default, so it was secured before it even hit the internet.

So I go in today, do the work and fire it up - all's going great. We're surfing around the web when next thing, up comes the infamous "NT Authority blah, blah.../lsass.exe. Your sytem will shutdown in 60 seconds", which it promptly did.

So the question Guys is WTF ??? SP2 is installed, and all security is up to date. It's simply NOT POSSIBLE for the PC to get hit by Sasser ! Full AVG, Stinger and Removal Tool scans show nothing. I even attempted to run the Sasser patch that MS brought out before SP2, and it said "You do not require this patch - your Service Packs are up to date"

Oh please, someone shed some light on this....

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I have read somewhere that the lsass patch doesn't always work. Althought doubtful, you might want to verify that the patch did indeed work.

Just gonna have a look and see what i can come up with, but i thought that would do for starters

HTH

Andy

 

I was reading on Symantec's site about how Sasser operates, and it writes a specific key into the registry. But when I checked the key,it wasn't there.

It's like a phantom infection - too weird

 

Hmmmm, I take it the machine does this "regularly", ie not just the one time?

I had a quick google, and couldn't really find anything of use. The only thing poeple said about it is try a packet sniffer/tracer, but I doubt that anyone has got in, brand new machine, F/Walled and patched. Much easier targets out there.

Andy

 

Did it several times during the 2-3 hours I was there today, Andy. As I left, all seemed well, but that's not to say it wont kick in again.

And as I said at the start - I've NOT lost it this time !!!

 

Hi i had exactly the same thing happen on a pc the other day when i downloaded a crack, pc had no protection. I loaded adaware, spybot and microsfot new one however everytime i run these windows crashed, i also run the different patches for the Sasser virus but this was never found.

To get around the problem

i went to control panal
Administrative Tools
Services
Remote Procedue call (RPC)
i then wen tinto recovery
first failure restart service also for 2nd and 3rd.

This then allowed me to run adaware etc, all the stuff this could not delete it gives you the registry keys so i delete them all, most were in the same folders so it deleted them all in one go.

Hope this helps.

 

That sounds more like the Blaster worm though Millwall - that fix doesn't work for Sasser (unless I'm mistaken ). But I'll have a look next time I'm at my bro's just to be sure.

Cheers m8

 

Yeah it was a weird one as i downloaded all the patches of Symantec and they all scanned and said i never had. However the other stuff and deleting a few regedit things did.

 

Fair do's m8 - will give that a try then

If only I could convince my bro that letting me RDP his PC from here is a piece of p*** . Otherwise, he'll have to wait till next weekend !!!

 

Yeah but then you may steal all his porn links

 

Gav, just for giggles, have to tried downloading and running the latest version of Stinger from McAfee? Here's the link:

http://vil.nai.com/vil/stinger/

Also, not to pry...but have you asked your brother where he's been surfing lately? Yes I know, with this critter, you can get it anywhere, but you never know.

 

Stinger has been run, and I quizzed the family about recent websites visited. I would never doubt their integrity for a second, regarding pr0n.

Even if it was a dodgy site issue - how would Sasser get through SP2 and AVG ?

 

Beats me.