?
Solved

PC shuts down when connected to internet...

Posted on 2004-05-01
6
Medium Priority
?
1,233 Views
Last Modified: 2013-12-04
Dear Experts

since today, 5/1/04, my PC (Win 2K SP4 1st partition/ WinXP SP1 on 2nd partition) restarts automatically after a random period of time when connected to internet.
I always connect to internet with my Win2K system only! I DON'T HAVE Blaster Worm, the symantec Blaster scanner returns no infections, The Microsoft KB Patch is installed, my NaV is running with latest virus definition from 04/30/04.

The message coming up informs me that there are 60 seconds left until shutdown and that  system32\LSASS.EXE was exited unexpected with statss code 128. What is this???

thanx
0
Comment
Question by:MPKR
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
6 Comments
 
LVL 11

Accepted Solution

by:
ghana earned 400 total points
ID: 10968173
Your computer was hit by a new self executing worm:
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?ID=39012
http://vil.nai.com/vil/content/v_125007.htm
http://www.sophos.com/virusinfo/analyses/w32sassera.html
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.A

You need another patch to be protected against this worm. Go immediately to http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx and download and install the corresponding patch on your computer.

Then you should check your computer and delete the files mentioned in the virus descriptions. Finally run a port scanner against your own machine to make sure that it isn't listening on TCP port 9996.
0
 
LVL 11

Expert Comment

by:ghana
ID: 10968206
I saw that McAfee has added Sasser.A into its removal tool Stinger. You can also use Trend Micro's Damage Cleanup Service (DSC) to remove the worm.

Stinger: http://vil.nai.com/vil/stinger
DSC: http://www.trendmicro.com/download/dcs.asp
0
 
LVL 11

Expert Comment

by:ghana
ID: 10968614
Glad I could help you. Thanks for your rating!
0
Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

 
LVL 4

Author Comment

by:MPKR
ID: 10968642
I wonder why my Notton Av definitions downloadad a few minutes ago seems not to support this virus...

Thanks a lot !!!!
0
 
LVL 11

Expert Comment

by:ghana
ID: 10968684
According to
- http://securityresponse.symantec.com/avcenter/defs.added.html 
- http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
the current IntelligentUpdater and LiveUpdate definitions should be able to detect Sasser.A. But sometimes the guys who are responsible for the website are faster than the developers... It's also possible that the current definitions will support a new virus but not reliable. We should watch Symantec's definition releases in the next hours and update the definitions frequently.

It's also possible that your computer wasn't infected. To check this search for the file c:\Windows\avserve.exe. If this file is not present then your computer wasn't infected but only affected. The exploit didn't work but LSASS.EXE did crash.

To prevent similar problems in the future I would recommend to protect internet connected computers with all available MS-patches. MBSA 1.2 (Microsoft Baseline Security Analyzer) is a free application that is able to check your computer whether all necessary patches are installed or not. If not it will list all these patches. In addition there will be a link to the corresponding security bulletin where you can download the patch. Running MBSA once a week will make sure that your computer is up to date.

Link to MBSA: http://support.microsoft.com/?kbid=320454
0
 
LVL 11

Expert Comment

by:ghana
ID: 10970395
Hello again!

There's another explanation why NAV didn't detect the virus. There is a second variant (Sasser.B) in the wild that won't be detected with the previous definitions.

Sources:
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39021
http://vil.nai.com/vil/content/v_125008.htm
http://www.symantec.com/avcenter/venc/data/w32.sasser.b.worm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SASSER.B

As you can see on http://securityresponse.symantec.com/avcenter/defs.added.html Sasser.B needs new definitions.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses
Course of the Month15 days, 8 hours left to enroll

741 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question