Solved

LSAS.EXe

Posted on 2004-08-31
7
232 Views
Last Modified: 2011-08-18
I have been battling a virus on my network  for since last Friday.  My virus software (Trend) finds the virus, but is misdiagnosing it.  It says it is Dos_Agobot.GEN which affects the hosts file.  It is fixing that problem, but at each re-occurrence also drops lsas.exe in the system32 folder (and sometimes others)  sets it to run in the registry in
local machine\software\microsoft\windows\currentversion\\run
and
local machine\software\microsoft\windows\currentversion\runservice

We are booting into safe mode and deleting the files and the registry entries.  It eventually comes back.

This is affecting Windows 2000 and some or ouor XP machines.  None of our NT workstations have been affected.

We thought we were done with it as it had been gone since late yesterday, but reappeared with a vengeance this afternoon.

HELP!!!
0
Comment
Question by:rcutts
7 Comments
 
LVL 3

Accepted Solution

by:
slappa1 earned 168 total points
Comment Utility
make sure you patch the pc's before reconnecting them

The worm uses multiple vulnerabilities to spread, including:
The DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026), using TCP port 135
The RPC locator vulnerability (described in Microsoft Security Bulletin MS03-001), using TCP port 445

use mcafee's stinger to remove the infections, don't reconnect any infected pc's to the network after you clean them, untill you have cleaned all the pc's and the server.
0
 
LVL 2

Assisted Solution

by:rtptucks
rtptucks earned 166 total points
Comment Utility
A good tool for popular virus removal which i recommend is the Stinger file which is available from www.nai.com
run this program which detects and cleans most popular virus around

the file is available directly from here : -
http://download.nai.com/products/mcafee-avert/stinger.exe

the file only weighs in at a mere 800k so its not going to be a long download.. I am a network administrator and i find this always coming in use on my USB pen :)

Hope this helps.
0
 
LVL 5

Assisted Solution

by:Hammadian2
Hammadian2 earned 166 total points
Comment Utility
You need to do 2 things:

1. Clean your system
2. Update your system so that these trojans do not get into it again

For the 1st thing you need to download a cleanning utility
I recommened Pest Patrol, you can get an evaluation copy from:
http://www.pestpatrol.com/Products/PestPatrolHE/Single_User_Evaluation.asp

For the 2nd thing (and it's really important)
goto:
http://windowsupdate.microsoft.com

Then re-scan again and everything should be ok
0
 
LVL 14

Expert Comment

by:JohnnyCanuck
Comment Utility
The most important part of the above advice is to disconnect all computers from the network until they are clean.
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now