?
Solved

LSAS.EXe

Posted on 2004-08-31
7
Medium Priority
?
246 Views
Last Modified: 2011-08-18
I have been battling a virus on my network  for since last Friday.  My virus software (Trend) finds the virus, but is misdiagnosing it.  It says it is Dos_Agobot.GEN which affects the hosts file.  It is fixing that problem, but at each re-occurrence also drops lsas.exe in the system32 folder (and sometimes others)  sets it to run in the registry in
local machine\software\microsoft\windows\currentversion\\run
and
local machine\software\microsoft\windows\currentversion\runservice

We are booting into safe mode and deleting the files and the registry entries.  It eventually comes back.

This is affecting Windows 2000 and some or ouor XP machines.  None of our NT workstations have been affected.

We thought we were done with it as it had been gone since late yesterday, but reappeared with a vengeance this afternoon.

HELP!!!
0
Comment
Question by:rcutts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 3

Accepted Solution

by:
slappa1 earned 672 total points
ID: 11948545
make sure you patch the pc's before reconnecting them

The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445

use mcafee's stinger to remove the infections, don't reconnect any infected pc's to the network after you clean them, untill you have cleaned all the pc's and the server.
0
 
LVL 2

Assisted Solution

by:rtptucks
rtptucks earned 664 total points
ID: 11949594
A good tool for popular virus removal which i recommend is the Stinger file which is available from www.nai.com 
run this program which detects and cleans most popular virus around

the file is available directly from here : -
http://download.nai.com/products/mcafee-avert/stinger.exe

the file only weighs in at a mere 800k so its not going to be a long download.. I am a network administrator and i find this always coming in use on my USB pen :)

Hope this helps.
0
 
LVL 5

Assisted Solution

by:Hammadian2
Hammadian2 earned 664 total points
ID: 11949839
You need to do 2 things:

1. Clean your system
2. Update your system so that these trojans do not get into it again

For the 1st thing you need to download a cleanning utility
I recommened Pest Patrol, you can get an evaluation copy from:
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp

For the 2nd thing (and it's really important)
goto:
http://windowsupdate.microsoft.com

Then re-scan again and everything should be ok
0
 
LVL 14

Expert Comment

by:JohnnyCanuck
ID: 11951344
The most important part of the above advice is to disconnect all computers from the network until they are clean.
0

Featured Post

Get MongoDB database support online, now!

At Percona’s web store you can order your MongoDB database support needs in minutes. No hassles, no fuss, just pick and click. Pay online with a credit card. Handle your MongoDB database support now!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question