Sasser Again????

Discussion in 'OT Technology' started by DatacomGuy, Oct 6, 2004.

  1. DatacomGuy

    Anyone else having a return of the Sasser-like problems?

    My entire office is down, but it isn't Sasser or Lovgate... I can't figure out what virus it is...

    Anyone?
     
  2. Scoob_13

    Scoob_13 Anything is possible, but the odds are astronomica

    Joined:
    Oct 5, 2001
    Messages:
    73,787
    Likes Received:
    38
    Location:
    Fort Worth. Hooray cowgirls.
    Specific issues?
     
  3. Little Spunky $#!T

    Little Spunky $#!T :cool:

    Joined:
    Jul 16, 2001
    Messages:
    3,539
    Likes Received:
    0
    NAV doesn't tell you what virus it is?
     
  4. DAN513

    DAN513 OT Supporter

    Joined:
    Mar 10, 2003
    Messages:
    10,089
    Likes Received:
    2
    Location:
    204
    Our Watchguard is kicking Netsky's ass. Blocked something like 2500 infected emails today. It's revision B IIRC.
     
  5. col_panic

    Haven't seen a blip about it on the security lists yet.
     
  6. DatacomGuy

    I haven't seen anything either. NAV Corp reports nothing, Symantec has nothing on their site... Our enterprise helpdesk is not aware of it.

    As far as specific issues go: research Sasser... Basically it was a worm that would throw up the LSASS.EXE "You have 60 seconds and your machine will automatically restart", Error Status 128. Basically it was a worm that exploited the LSASS service... spread through email, virtually undetectable until infected.

    If anyone sees anything, let me know. I was in the office until 8pm-ish, and nothing. I will be going back in around 5am to start from scratch. As I said, I've already scanned for W32.Sasser and W32.Lovgate, but no results for either. :wtc:

    EDIT: BTW, only infecting 98 and 2000 machines. My one XP Pro (mine) and two XP Home machines are fine, and the one 95 laptop and one 95 print server are doing just fine.
     
  7. col_panic

    Still no reports. I'll post anything I find.
     
  8. DatacomGuy

    Bump for the morning. Been here since 5am... :wtc:

    Running McAfee AVERT Stinger right now... supposed to be better than anything Symantec has for locating variants of the Sasser worm, as well as all the other popular ones from the past year or so. :x:
     
  9. Keyzs

    Do you have a packet sniffer running? If so, is there anything that stands out, and what are the contents? Sasser and its children usually cause a noticeable increase in ICMP and ARP traffic.

    Also check the running services for anything that appears to be taking more CPU than it should (excluding LSASS). We had similar symptoms a few weeks ago and it was being passed by a 'w32.spybot.worm'. (The MAJOR difference is it infected our 2000 and XP machines only; anything previous would get a copy of the virus, it just did not run.)
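An added example, not code posted by anyone in this thread, covering the two points raised above: DatacomGuy's description of Sasser hammering the LSASS service, and Keyzs's advice to put a sniffer on the wire and look at ARP/ICMP. Sasser probed TCP port 445 on many addresses before firing the LSASS exploit, so in a capture an infected box stands out by fan-out: many distinct targets on 445, usually preceded by an ARP who-has sweep of the local subnet. The script below scores hosts in a one-packet-per-line summary export. The line format, the host addresses, the threshold and the capture itself are assumptions of this example (the capture is constructed inline, not a real trace), and it runs offline.

```python
"""Added example, not code posted in this thread: score hosts in a
packet-summary export for the fan-out pattern an LSASS worm produces.

Sasser probed TCP/445 on many addresses before exploiting LSASS, and the
address sweep shows up on the LAN as a burst of ARP who-has requests (and,
for some variants and copycats, ICMP echo sweeps). The one-packet-per-line
format below is an assumption of this example, loosely modelled on an
Ethereal/tcpdump summary:
    <time> <src> -> <dst> <proto> <detail>
For ARP lines, <dst> is taken to be the address being asked for.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<time>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>[A-Z]+)\s*(?P<detail>.*)$"
)
# "<srcport> > 445 [SYN]": a connection attempt to the SMB/LSASS port.
SYN_445_RE = re.compile(r"\b\d+\s*>\s*445\b.*\[SYN\]")


def parse_summary(text):
    """Turn summary lines into dicts, skipping lines that are not packets."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets


def per_host_stats(packets):
    """Per source host: the distinct targets of each sweep indicator."""
    stats = defaultdict(lambda: {"syn445": set(), "arp_whohas": set(), "icmp_echo": set()})
    for p in packets:
        src, dst, proto, detail = p["src"], p["dst"], p["proto"], p["detail"]
        if proto == "TCP" and SYN_445_RE.search(detail):
            stats[src]["syn445"].add(dst)
        elif proto == "ARP" and detail.startswith("who-has"):
            stats[src]["arp_whohas"].add(dst)
        elif proto == "ICMP" and "echo request" in detail:
            stats[src]["icmp_echo"].add(dst)
    return stats


def suspicious_hosts(text, min_targets=8):
    """Return {src: [indicator, ...]} for hosts whose distinct-target count on
    any indicator reaches min_targets (an assumed threshold). A workstation
    talks to one or two 445 peers (file/print servers); a worm probes dozens."""
    flagged = {}
    for src, s in per_host_stats(parse_summary(text)).items():
        reasons = [name for name, targets in s.items() if len(targets) >= min_targets]
        if reasons:
            flagged[src] = reasons
    return flagged


# Constructed capture (not a real trace). 192.168.1.20 behaves like an
# infected host: ARP sweep of the subnet, then a SYN to TCP/445 at each
# address. 192.168.1.50 is an ordinary workstation; the last line is junk.
_SCANNER = "192.168.1.20"
SAMPLE_CAPTURE = "\n".join(
    [f"{i * 0.001:.3f} {_SCANNER} -> 192.168.1.{i} ARP who-has 192.168.1.{i}"
     for i in range(1, 13)]
    + [f"{0.1 + i * 0.002:.3f} {_SCANNER} -> 192.168.1.{i} TCP 1{i:03d} > 445 [SYN] Seq=0"
       for i in range(1, 13)]
    + [
        "0.250 192.168.1.50 -> 192.168.1.10 TCP 1056 > 445 [SYN] Seq=0",
        "0.251 192.168.1.50 -> 192.168.1.1 DNS Standard query A intranet",
        "0.260 192.168.1.50 -> 10.0.0.5 TCP 1057 > 80 [SYN] Seq=0",
        "0.300 192.168.1.50 -> 192.168.1.10 ICMP echo request",
        "this line is not a packet summary",
    ]
)

if __name__ == "__main__":
    for host, reasons in suspicious_hosts(SAMPLE_CAPTURE).items():
        print(f"{host}: {', '.join(reasons)}")
```

Run on the constructed capture, only 192.168.1.20 is flagged (on both the 445 fan-out and the ARP sweep); the workstation's single SYN to its file server on 445 stays below the threshold. The threshold is the knob to tune per site: a domain controller or backup server legitimately reaches many hosts on 445, so exclude known servers before trusting the list. As a further check, a Sasser-infected host also listens on TCP 5554 for the FTP transfer of the worm body, so SYNs to 5554 between workstations are a second indicator that this script does not count.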
     
  10. DatacomGuy

    DatacomGuy is moving to Canada

    Joined:
    Oct 14, 2002
    Messages:
    16,546
    Likes Received:
    0
    Location:
    Tampa, FL
    I don't right now.. I'll go download Ethereal and see what I can find.
     
  11. Rob

    :( Sounds like quite a day, Steve.

    Let us know what an Ethereal dump looks like.
     
  12. Scoob_13

    Scoob_13 Anything is possible, but the odds are astronomica

    Joined:
    Oct 5, 2001
    Messages:
    73,787
    Likes Received:
    38
    Location:
    Fort Worth. Hooray cowgirls.
    That's the one I was thinking of last night - though Symantec recognized it as w32.spybot.com and it turned out to be something else that I can't remember the name of :sad2:
     
  13. DatacomGuy

    DatacomGuy is moving to Canada

    Joined:
    Oct 14, 2002
    Messages:
    16,546
    Likes Received:
    0
    Location:
    Tampa, FL
    Still nothing.. one or two machines have shown a few different worms and trojans, but nothing collectively.
     
  14. IAMwhitey

    Nothing here... I work for a decent-sized ISP, so usually we hear/see something.
     
  15. DatacomGuy

    DatacomGuy is moving to Canada

    Joined:
    Oct 14, 2002
    Messages:
    16,546
    Likes Received:
    0
    Location:
    Tampa, FL
    Motherfucker. :mad: Still having the problem.
     
