Sasser Like behaviour

#1
Guest
Hello,

All PC's (XP SP1 and Windows 2000) not patched with MS04-011 and onwards show the Sasser symptoms since 02/08/2004 (same shutdown message etc....). No Sasser or variants (Bobax etc ...) found whatsoever with any tool or manually on any machine. Patching with MS04-011 and higher has helped to remediate the problem. Since we cannot locate the origin of the problem (we don't find any worm), what might be exploiting this vulnerability? Any remote tools to exploit the vulnerability? Our one and only network admin, the only one who has access to that level, is away ... no firewall logs or network scans available ...

Any info or pointers would be great,

Thx
#2
Guest
Patch them all with critical updates - this is a must.

What kind of firewall, and what inbound ports are open?
#3
Guest
Hello,

They have all been patched. I straightened that out straight away. That made the issue go away, but there must be something causing it. I have no control over the firewall. Admin is not available. It's Checkpoint. As far as I know, if the session is initiated from the client it will pass any communication. I tend to believe that we have somewhere an internal machine (or external machine that has been brought in) that is trying to infect ours or is scanning them, attacking them ... we've been checking for any malware associated with 04-011 and 04-012 but we do not find a thing ... quite worrisome. I hope to gain access to the firewall next week ...

Thx for your time.

"Lanwench [MVP - Exchange]" <lanwench@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message news:ehVj5ybeEHA.4068@TK2MSFTNGP11.phx.gbl...
> Patch them all with critical updates - this is a must.
>
> What kind of firewall, and what inbound ports are open?
#4
Guest
workinghard@news.postalias wrote:
> I tend to believe that we have somewhere an internal machine (or external machine that has been brought in) that is trying to infect ours or is scanning them, attacking them ...

Very likely. Keep everyone patched all the time! Got SUS in place?

> we've been checking for any malware associated with 04-011 and 04-012 but we do not find a thing ... quite worrisome. I hope to gain access to the firewall next week ...

You can try a scan to see what ports are open from the Internet - try www.grc.com for one.
#5
Guest
Hi,

Thank you for posting! First, I strongly agree with Lanwench that you must patch all clients with all security updates. This can secure your network and all of the clients.

For the Sasser virus, as I know, the Sasser virus has several variants; you may download the tool from http://www.microsoft.com/downloads/...de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en to make sure that no Sasser or its variants exist on your clients.

On the firewall side, if you are using Internet Security and Acceleration Server from Microsoft, the article below might be helpful for you.
http://www.microsoft.com/isaserver/...vent/sasser.asp

Have a nice day!

Thanks & Regards,

Feng Mao [MSFT], MCSE
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
#6
Guest
Hello there,

All machines are fully patched, SUS is in place and working, testing SP2 RC2 for XP for our new rollout (planning to be a 99 % XP SP2 shop by October 2004)... awaiting eagerly WUS ... which looks very promising.

I really would like to find the culprit, just to prove to upper management I'm more than a nagging sysadmin. No tool is indicating any infection on the machines we tested ... I hope to get the network guy in next week for access to the firewall logs and some sniffing (I'm legally not allowed to do it).

Thanks for your input (and you as well, Feng Mao).

I'll post back any findings on the cause.
#7
Guest
Hi,

Personally, I think that it will be better to convince the upper management that the clients to which the security update is applied will not be affected by the virus any more.

As no virus can be found in the clients in your network, possibly it comes out of the firewall. Feel free to post back if there are any findings.

Have a nice day!

Thanks & Regards,

Feng Mao [MSFT], MCSE
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security
#8
Guest
If patching with the recent critical updates has helped, the source of the problem is most likely from the Internet... The Sasser virus can be seen in the Security tab as a set of codes that take ownership of the computer... if an account with the capability to take ownership is available, this can be the way to remove the Sasser if you find it is present.

To make sure the Sasser virus is/not present, scan in the following Microsoft page..
http://www.microsoft.com/security/incident/sasser.mspx

In Windows Explorer go to "Tools", "Folder Options". Click on the "View" tab and scroll down to the bottom of the "Advanced Settings" box. You'll see an option called "Use Simple File Share (Recommended)"; uncheck it. Now, go to the C:\ drive Properties\Security and ensure that you have administrative rights on the drive. If you don't have them, then take control and add yourself to the permissions dialog with "Full Control"; if not possible, try to take Ownership of the drive.. an administrative account may be needed for this purpose...

HOW TO: Take Ownership of Files and Folders.
http://support.microsoft.com/defaul...1&Product=winxp

If the Sasser is not found, a hacker's exploit tool could be in the system; running spyware programs will remove it....

Spybot Search and Destroy (Free!) http://www.safer-networking.net/
Lavasoft AdAware (Free and up) http://www.lavasoft.de
CWSShredder (Free!) http://www.spywareinfo.com/~merijn/downloads.html
Hijack This! (Free) http://mjc1.com/mirror/hjt/ (Tutorial: http://www.spywareinfo.com/~merijn/htlogtutorial.html)
SpywareBlaster (Free!) http://www.javacoolsoftware.com/
The Cleaner (49.95 and up) http://www.moosoft.com/

If you have a local administrator account available, it may be possible to use it and change the network admin password to have access to the firewall logs and network scans....

If this is not possible, a standard user (not limited) usually has the capability to install programs; install a third party firewall, which can indicate where the problem originates. To locate the origin of the problem install a third party firewall; it will indicate where the problem originates.

ZoneAlarm (Free) http://www.zonelabs.com/store/conte...reeDownload.jsp
Kerio Personal Firewall (KPF) (Free) http://www.kerio.com/kpf_download.html
Outpost Firewall from Agnitum (Free) http://www.agnitum.com/download/
Sygate Personal Firewall (Free) http://smb.sygate.com/buy/download_buy.htm
#9
Guest
Hello,

We have found the culprit. External Sales Rep with a contaminated laptop: Korgo.g worm ... (6251 files infected!)

Thx for your input.
#10
Guest
Hi,

I am glad to hear that you have figured out the culprit. Feel free to post your questions in the future.

Have a nice day!

Thanks & Regards,

Feng Mao [MSFT], MCSE
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security