Guest Peter Foldes
Posted November 3, 2008

Crossposted to the microsoft.public.security.virus

--
Peter
Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"LauraW." <LauraW..3ia4zc@DoNotSpam.com> wrote in message news:LauraW..3ia4zc@DoNotSpam.com...
>
> I have a customer whose server I manage that is also having this issue.
> OS is 2003 R2 Enterprise Ed., SP2. After deep investigation, we found
> that the Sasser worm or its variants seem to be at the heart of this
> matter, however I am unable to find any of the tell-tale .exe files (and
> there are several) or registry entries. We have not installed the
> Microsoft patch (the customer has not given their consent even after
> letting them know this will help). Much like the other posters, the
> reboots are random with no pattern. I just had one happen about 2 hours
> ago for the first time in a few weeks.
>
> They are running ESET NOD32 Antivirus and are firewalled via an
> appliance (not software). We see events in both the Application AND
> System Event Viewer Logs. The following are snippets of the log
> entries:
>
> _From_System_Logs:_
>
> Event Type: Error
> Event Source: LsaSrv
> Event Category: Security Package Manager
> Event ID: 5000
> Date: 11/2/2008
> Time: 7:16:47 PM
> User: N/A
> Computer: XXXXXXXXX
> Description: The security package Microsoft Unified Security Protocol
> Provider generated an exception. The exception information is the
> data.
>
> Event Type: Information
> Event Source: USER32
> Event Category: None
> Event ID: 1074
> Date: 11/2/2008
> Time: 7:17:22 PM
> User: NT AUTHORITY\SYSTEM
> Computer: XXXXXXXXXX
> Description: The process winlogon.exe has initiated the restart of
> computer XXXXXXXXX on behalf of user for the following reason: No title
> for this reason could be found
> Reason Code: 0x50006
> Shutdown Type: restart
> Comment: The system process 'C:\WINNT\system32\lsass.exe' terminated
> unexpectedly with status code -1073741819. The system will now shut
> down and restart.
>
> _Application_Logs:_
>
> Event Type: Error
> Event Source: Application Error
> Event Category: (100)
> Event ID: 1000
> Date: 11/2/2008
> Time: 7:16:50 PM
> User: N/A
> Computer: XXXXXXXXX
> Description: Faulting application lsass.exe, version 5.2.3790.0,
> faulting module crypt32.dll, version 5.131.3790.3959, fault address
> 0x0001ec50.
>
> Event Type: Error
> Event Source: Winlogon
> Event Category: None
> Event ID: 1015
> Date: 11/2/2008
> Time: 7:17:21 PM
> User: N/A
> Computer: XXXXXXXXXX
> Description: A critical system process, C:\WINNT\system32\lsass.exe,
> failed with status code c0000005. The machine must now be restarted.
>
> I am starting to wonder if this is a new variant? Last variant was in
> 2007, but like I said previously, I find none of the tell-tale .exe
> files or the registry entries, which makes me wonder. Anyone have any
> more info or any similar instances?
>
> Also for those who want to dig, I found this link helpful in checking
> the server, so it might help others who aren't in the same situation as
> myself:
>
> http://ask-leo.com/what_are_lsass_lsassexe...do_if_i_am.html
>
> --
> LauraW.
> ------------------------------------------------------------------------
> LauraW.'s Profile: http://forums.techarena.in/members/lauraw-.htm
> View this thread: http://forums.techarena.in/windows-server-help/336315.htm
>
> http://forums.techarena.in
Guest David H. Lipman
Posted November 3, 2008

From: "Peter Foldes" <okf22@hotmail.com>

| Crossposted to the microsoft.public.security.virus
| --
| Peter
| Please Reply to Newsgroup for the benefit of others
| Requests for assistance by email can not and will not be acknowledged.

| "LauraW." <LauraW..3ia4zc@DoNotSpam.com> wrote in message
| news:LauraW..3ia4zc@DoNotSpam.com...

>> I have a customer whose server I manage that is also having this issue.
>> OS is 2003 R2 Enterprise Ed., SP2. After deep investigation, we found
>> that the Sasser worm or its variants seem to be at the heart of this
>> matter, however I am unable to find any of the tell-tale .exe files (and
>> there are several) or registry entries. We have not installed the
>> Microsoft patch (the customer has not given their consent even after
>> letting them know this will help). Much like the other posters, the
>> reboots are random with no pattern. I just had one happen about 2 hours
>> ago for the first time in a few weeks.

>> They are running ESET NOD32 Antivirus and are firewalled via an
>> appliance (not software). We see events in both the Application AND
>> System Event Viewer Logs. The following are snippets of the log
>> entries:

>> _From_System_Logs:_

>> Event Type: Error
>> Event Source: LsaSrv
>> Event Category: Security Package Manager
>> Event ID: 5000
>> Date: 11/2/2008
>> Time: 7:16:47 PM
>> User: N/A
>> Computer: XXXXXXXXX
>> Description: The security package Microsoft Unified Security Protocol
>> Provider generated an exception. The exception information is the
>> data.

>> Event Type: Information
>> Event Source: USER32
>> Event Category: None
>> Event ID: 1074
>> Date: 11/2/2008
>> Time: 7:17:22 PM
>> User: NT AUTHORITY\SYSTEM
>> Computer: XXXXXXXXXX
>> Description: The process winlogon.exe has initiated the restart of
>> computer XXXXXXXXX on behalf of user for the following reason: No title
>> for this reason could be found
>> Reason Code: 0x50006
>> Shutdown Type: restart
>> Comment: The system process 'C:\WINNT\system32\lsass.exe' terminated
>> unexpectedly with status code -1073741819. The system will now shut
>> down and restart.

>> _Application_Logs:_

>> Event Type: Error
>> Event Source: Application Error
>> Event Category: (100)
>> Event ID: 1000
>> Date: 11/2/2008
>> Time: 7:16:50 PM
>> User: N/A
>> Computer: XXXXXXXXX
>> Description: Faulting application lsass.exe, version 5.2.3790.0,
>> faulting module crypt32.dll, version 5.131.3790.3959, fault address
>> 0x0001ec50.

>> Event Type: Error
>> Event Source: Winlogon
>> Event Category: None
>> Event ID: 1015
>> Date: 11/2/2008
>> Time: 7:17:21 PM
>> User: N/A
>> Computer: XXXXXXXXXX
>> Description: A critical system process, C:\WINNT\system32\lsass.exe,
>> failed with status code c0000005. The machine must now be restarted.

>> I am starting to wonder if this is a new variant? Last variant was in
>> 2007, but like I said previously, I find none of the tell-tale .exe
>> files or the registry entries, which makes me wonder. Anyone have any
>> more info or any similar instances?

>> Also for those who want to dig, I found this link helpful in checking
>> the server, so it might help others who aren't in the same situation as
>> myself:

>> http://ask-leo.com/what_are_lsass_lsassexe...if_im_infected_
>> what_do_i_do_if_i_am.html

>> --
>> LauraW.
>> ------------------------------------------------------------------------
>> LauraW.'s Profile: http://forums.techarena.in/members/lauraw-.htm
>> View this thread: http://forums.techarena.in/windows-server-help/336315.htm

>> http://forums.techarena.in

I don't know where this came from BUT...

It is not the Sasser Worm. If this is a new post that was placed here, chances are it is the new worm/bot exploiting MS08-067 which will exploit TCP port 445 just like the Sasser worm did.

http://isc.sans.org/diary.html?storyid=5275
http://www.us-cert.gov/current/index.html#...rosoft_ms08_067

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
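The four entries LauraW pasted form a sequence: an LsaSrv 5000 exception, an Application Error 1000 for lsass.exe faulting in crypt32.dll, a Winlogon 1015 for the same process, and a USER32 1074 forced restart a second later. David's reply attributes that lsass.exe crash-and-reboot pattern to a worm hitting the MS08-067 service over TCP 445. As an added example, not code from either poster, here is a small Python parser for Event Viewer text exports in the layout shown above; it correlates each lsass.exe Application Error 1000 with the 1015/1074 restart events that follow it within a window, so an administrator can sweep exported logs from several servers for the same chain. The sample log, the host name SRV-EXAMPLE and the five-minute window are constructed assumptions; the times, versions and message texts copy the thread.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Event Viewer's text-export layout, modelled on the four
# entries quoted in the thread. SRV-EXAMPLE is a placeholder host name.
SAMPLE_LOG = """\
Event Source: LsaSrv
Event ID: 5000
Date: 11/2/2008
Time: 7:16:47 PM
Computer: SRV-EXAMPLE
Description: The security package Microsoft Unified Security Protocol Provider generated an exception. The exception information is the data.

Event Source: Application Error
Event ID: 1000
Date: 11/2/2008
Time: 7:16:50 PM
Computer: SRV-EXAMPLE
Description: Faulting application lsass.exe, version 5.2.3790.0,
faulting module crypt32.dll, version 5.131.3790.3959, fault address
0x0001ec50.

Event Source: Winlogon
Event ID: 1015
Date: 11/2/2008
Time: 7:17:21 PM
Computer: SRV-EXAMPLE
Description: A critical system process, C:\\WINNT\\system32\\lsass.exe,
failed with status code c0000005. The machine must now be restarted.

Event Source: USER32
Event ID: 1074
Date: 11/2/2008
Time: 7:17:22 PM
Computer: SRV-EXAMPLE
Description: The process winlogon.exe has initiated the restart of
computer SRV-EXAMPLE on behalf of user for the following reason: No title
for this reason could be found
Reason Code: 0x50006
Comment: The system process 'C:\\WINNT\\system32\\lsass.exe' terminated
unexpectedly with status code -1073741819. The system will now shut down and restart.
"""

KNOWN_KEYS = {"Event Type", "Event Source", "Event Category", "Event ID", "Date", "Time",
              "User", "Computer", "Description", "Reason Code", "Shutdown Type", "Comment"}
FAULT_RE = re.compile(r"Faulting application (\S+), version [\d.]+,\s*faulting module (\S+),"
                      r" version [\d.]+, fault address (0x[0-9a-fA-F]+)")


def parse_events(text):
    """One dict per record; wrapped lines are re-joined onto the field they continue."""
    events, current, last_key = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:                              # blank line terminates a record
            if current:
                events.append(current)
            current, last_key = None, None
            continue
        key, sep, value = line.partition(":")
        if sep and key in KNOWN_KEYS:             # "Field: value" starts a new field
            current = current if current is not None else {}
            last_key = key
            current[key] = value.strip()
        elif current is not None and last_key:    # otherwise it continues the last field
            current[last_key] += " " + line
    if current:
        events.append(current)
    return events


def event_time(ev):
    return datetime.strptime(f"{ev['Date']} {ev['Time']}", "%m/%d/%Y %I:%M:%S %p")


def mentions_lsass(ev):
    return "lsass.exe" in (ev.get("Description", "") + ev.get("Comment", "")).lower()


def find_lsass_crash_chains(events, window=timedelta(minutes=5)):
    """Report each lsass.exe Application Error 1000 that is followed within `window`
    by a Winlogon 1015 and/or USER32 1074 naming lsass.exe; note a preceding LsaSrv 5000."""
    findings = []
    for fault in events:
        if fault.get("Event ID") != "1000" or not mentions_lsass(fault):
            continue
        t0 = event_time(fault)
        after = [e for e in events if e.get("Event ID") in ("1015", "1074")
                 and mentions_lsass(e) and t0 <= event_time(e) <= t0 + window]
        if not after:
            continue
        before = [e for e in events if e.get("Event Source") == "LsaSrv"
                  and e.get("Event ID") == "5000" and t0 - window <= event_time(e) <= t0]
        m = FAULT_RE.search(fault["Description"])
        findings.append({
            "computer": fault.get("Computer"),
            "fault_time": t0.isoformat(),
            "faulting_module": m.group(2) if m else None,
            "followup_ids": sorted(e["Event ID"] for e in after),
            "forced_restart": any(e["Event ID"] == "1074" for e in after),
            "lsasrv_exception_before": bool(before),
        })
    return findings


if __name__ == "__main__":
    for finding in find_lsass_crash_chains(parse_events(SAMPLE_LOG)):
        print(finding)
```

The script flags the sequence, not the cause: a hit is a cue to verify the MS08-067 patch state on that host and to read the SANS and US-CERT links David gives, rather than proof of infection on its own. Point it at the text files produced by Event Viewer's "Save Log File As" export, one per server, and compare the `computer` and `fault_time` fields across hosts to see whether the reboots cluster in time.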