Solved

PC shuts down when connected to internet...

Posted on 2004-05-01
6
1,232 Views
Last Modified: 2013-12-04
Dear Experts

since today, 5/1/04, my PC (Win 2K SP4 1st partition/ WinXP SP1 on 2nd partition) restarts automatically after a random period of time when connected to internet.
I always connect to internet with my Win2K system only! I DON'T HAVE Blaster Worm, the symantec Blaster scanner returns no infections, The Microsoft KB Patch is installed, my NaV is running with latest virus definition from 04/30/04.

The message coming up informs me that there are 60 seconds left until shutdown and that  system32\LSASS.EXE was exited unexpected with statss code 128. What is this???

thanx
0
Comment
Question by:MPKR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
6 Comments
 
LVL 11

Accepted Solution

by:
ghana earned 100 total points
ID: 10968173
Your computer was hit by a new self executing worm:
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?ID=39012
http://vil.nai.com/vil/content/v_125007.htm
http://www.sophos.com/virusinfo/analyses/w32sassera.html
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

You need another patch to be protected against this worm. Go immediately to http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx and download and install the corresponding patch on your computer.

Then you should check your computer and delete the files mentioned in the virus descriptions. Finally run a port scanner against your own machine to make sure that it isn't listening on TCP port 9996.
0
 
LVL 11

Expert Comment

by:ghana
ID: 10968206
I saw that McAfee has added Sasser.A into its removal tool Stinger. You can also use Trend Micro's Damage Cleanup Service (DSC) to remove the worm.

Stinger: http://vil.nai.com/vil/stinger
DSC: http://www.trendmicro.com/download/dcs.asp
0
 
LVL 11

Expert Comment

by:ghana
ID: 10968614
Glad I could help you. Thanks for your rating!
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 4

Author Comment

by:MPKR
ID: 10968642
I wonder why my Notton Av definitions downloadad a few minutes ago seems not to support this virus...

Thanks a lot !!!!
0
 
LVL 11

Expert Comment

by:ghana
ID: 10968684
According to
- http://securityresponse.symantec.com/avcenter/defs.added.html 
- http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
the current IntelligentUpdater and LiveUpdate definitions should be able to detect Sasser.A. But sometimes the guys who are responsible for the website are faster than the developers... It's also possible that the current definitions will support a new virus but not reliable. We should watch Symantec's definition releases in the next hours and update the definitions frequently.

It's also possible that your computer wasn't infected. To check this search for the file c:\Windows\avserve.exe. If this file is not present then your computer wasn't infected but only affected. The exploit didn't work but LSASS.EXE did crash.

To prevent similar problems in the future I would recommend to protect internet connected computers with all available MS-patches. MBSA 1.2 (Microsoft Baseline Security Analyzer) is a free application that is able to check your computer whether all necessary patches are installed or not. If not it will list all these patches. In addition there will be a link to the corresponding security bulletin where you can download the patch. Running MBSA once a week will make sure that your computer is up to date.

Link to MBSA: http://support.microsoft.com/?kbid=320454
0
 
LVL 11

Expert Comment

by:ghana
ID: 10970395
Hello again!

There's another explanation why NAV didn't detect the virus. There is a second variant (Sasser.B) in the wild that won't be detected with the previous definitions.

Sources:
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39021
http://vil.nai.com/vil/content/v_125008.htm
http://www.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B

As you can see on http://securityresponse.symantec.com/avcenter/defs.added.html Sasser.B needs new definitions.
0

Featured Post

Transaction Monitoring Vs. Real User Monitoring

Synthetic Transaction Monitoring Vs. Real User Monitoring: When To Use Each Approach? In this article, we will discuss two major monitoring approaches: Synthetic Transaction and Real User Monitoring.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
Recently, I read that Microsoft has analysed statistics for their security intelligence report. It revealed: still, the clear majority of windows users do their daily work as administrator. An administrative account is a burden, security-wise. My ar…
Come and listen to Percona CEO Peter Zaitsev discuss what’s new in Percona open source software, including Percona Server for MySQL (https://www.percona.com/software/mysql-database/percona-server) and MongoDB (https://www.percona.com/software/mongo-…
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question