Strange Sasser symptoms ...

Discussion in 'Computer Security' started by Jakamoko, Feb 12, 2005.

  1. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Hi All,

    No, I have NOT lost the plot this time - all facts below are accurate and verified.

    Was upgrading the RAM in my bro's PC today (XP Pro SP2). I set this PC up from clean install 2 weeks ago, with AVG7 updating whenever he used it. Windows Firewall on by default, so it was secured before it even hit the internet.

    So I go in today, do the work and fire it up - all's going great. We're surfing around the web when next thing, up comes the infamous "NT Authority blah, blah.../lsass.exe. Your system will shutdown in 60 seconds", which it promptly did.

    So the question, Guys, is WTF ??? SP2 is installed, and all security is up to date. It's simply NOT POSSIBLE for the PC to get hit by Sasser ! Full AVG, Stinger and Removal Tool scans show nothing. I even attempted to run the Sasser patch that MS brought out before SP2, and it said "You do not require this patch - your Service Packs are up to date".

    Oh please, someone shed some light on this....
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  2. punkboy101
    Honorary Member

    punkboy101 Back from the wilderness

    I have read somewhere that the lsass patch doesn't always work. Although doubtful, you might want to verify that the patch did indeed work.

    Just gonna have a look and see what I can come up with, but I thought that would do for starters.

    HTH

    Andy
     
    Certifications: CCNA
    WIP: Nada
  3. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    I was reading on Symantec's site about how Sasser operates, and it writes a specific key into the registry. But when I checked the key, it wasn't there.

    It's like a phantom infection - too weird.
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  4. punkboy101
    Honorary Member

    punkboy101 Back from the wilderness

    Hmmmm, I take it the machine does this "regularly", i.e. not just the one time?

    I had a quick google, and couldn't really find anything of use. The only thing people said about it is try a packet sniffer/tracer, but I doubt that anyone has got in - brand new machine, F/Walled and patched. Much easier targets out there.

    Andy
     
    Certifications: CCNA
    WIP: Nada
  5. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Did it several times during the 2-3 hours I was there today, Andy. As I left, all seemed well, but that's not to say it won't kick in again.

    And as I said at the start - I've NOT lost it this time !!!
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  6. MILLWALLFC

    MILLWALLFC Bit Poster

    Hi, I had exactly the same thing happen on a PC the other day when I downloaded a crack; the PC had no protection. I loaded Ad-Aware, Spybot and Microsoft's new one, however every time I ran these Windows crashed. I also ran the different patches for the Sasser virus but this was never found.

    To get around the problem:

    I went to Control Panel
    Administrative Tools
    Services
    Remote Procedure Call (RPC)
    I then went into Recovery
    First failure: restart the service; also for 2nd and 3rd.

    This then allowed me to run Ad-Aware etc. For all the stuff it could not delete, it gives you the registry keys, so I deleted them all; most were in the same folders so it deleted them all in one go.

    Hope this helps.
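    The Services > Recovery change described above, written out as an added PowerShell example (this is not MILLWALLFC's own procedure, which was done in the GUI). It assumes the internal service name RpcSs, which is what Windows uses for "Remote Procedure Call (RPC)", and an elevated prompt. As the next reply notes, this only keeps the machine usable long enough to run the scanners; it does not remove whatever is crashing the service.

```powershell
# Added example: set the RPC service to restart itself on the 1st, 2nd and 3rd
# failure (the Recovery tab steps from the post above), then read the setting back.
# Assumes the service's internal name is RpcSs; must be run as Administrator.

function Set-ServiceRestartOnFailure {
    param(
        [string]$Name = 'RpcSs',
        [int]$DelayMs = 60000   # wait one minute before each restart
    )
    # reset= clears the failure counter after 86400 s (one day);
    # actions= is an action/delay list for the 1st, 2nd and 3rd+ failures.
    $actions = "restart/$DelayMs/restart/$DelayMs/restart/$DelayMs"
    & sc.exe failure $Name reset= 86400 actions= $actions | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "sc.exe failure $Name returned exit code $LASTEXITCODE (not elevated?)"
    }
}

function Get-ServiceFailureActions {
    param([string]$Name = 'RpcSs')
    # qfailure prints the current RESET_PERIOD and FAILURE_ACTIONS for the service,
    # so you can confirm the three restart actions were applied.
    & sc.exe qfailure $Name
}

Set-ServiceRestartOnFailure -Name 'RpcSs'
Get-ServiceFailureActions -Name 'RpcSs'
```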
     
  7. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    That sounds more like the Blaster worm though, Millwall - that fix doesn't work for Sasser (unless I'm mistaken). But I'll have a look next time I'm at my bro's just to be sure.

    Cheers m8 :D
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  8. MILLWALLFC

    MILLWALLFC Bit Poster

    Yeah, it was a weird one as I downloaded all the patches off Symantec and they all scanned and said I never had it. However the other stuff and deleting a few regedit things did.
     
  9. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Fair do's m8 - will give that a try then :thumbleft

    If only I could convince my bro that letting me RDP his PC from here is a piece of p***. Otherwise, he'll have to wait till next weekend !!!
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  10. MILLWALLFC

    MILLWALLFC Bit Poster

    Yeah but then you may steal all his porn links :D
     
  11. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Gav, just for giggles, have you tried downloading and running the latest version of Stinger from McAfee? Here's the link:

    http://vil.nai.com/vil/stinger/

    Also, not to pry...but have you asked your brother where he's been surfing lately? Yes I know, with this critter, you can get it anywhere, but you never know.
     
    Certifications: A+ and Network+
  12. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    Stinger has been run, and I quizzed the family about recent websites visited. I would never doubt their integrity for a second, regarding pr0n.

    Even if it was a dodgy site issue - how would Sasser get through SP2 and AVG ?
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  13. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    Beats me. :blink
     
    Certifications: A+ and Network+
