Is there some new version of the blaster worm around?

news.rcn.com

I am having a known problem in an unknown area: My Windows 2000 1.6 GHz AMD
K6 Compaq machine is continuously rebooting. The new problem appears to be
that it doesn't revolve in a continuous loop, the machine works for anything
from a few seconds to a few minutes before automatically rebooting. I
haven't found any reference to this online.

And it DOES connect to the Internet. I did manage to download multi_av and
run Trend and Kaspersky. Trend and Kaspersky found nothing, both in normal
and safe modes. I then tried to run Sophos and it was running when I went to
bed, after which I woke up the next morning and found the computer at the
log in screen again, which indicates either that it found nothing or that it
simply rebooted before Sophos could find anything.

Has anyone seen this before?
 
David H. Lipman

From: "news.rcn.com" <news.rnc.com>

| I am having a known problem in an unknown area: My Windows 2000 1.6 GHz AMD
| K6 Compaq machine is continuously rebooting. The new problem appears to be
| that it doesn't revolve in a continuous loop, the machine works for anything
| from a few seconds to a few minutes before automatically rebooting. I
| haven't found any reference to this on line
|
| And it DOES connect to the Internet. I did manage to download multi_av and
| run Trend and Kaspersky. Trend and Kaspersky found nothing, both in normal
| and safe modes. I then tried to run Sophos and was running when I went to
| bed, after which I woke up the next morning and found the computer at the
| log in screen again, which indicates either that it found nothing or that it
| simply rebooted before Sophos could find anything
|
| Has anyone seen this before?
|

Worms such as Lovsan/Blaster and Sasser and their successors; SDBot, RBot, GAOBot, MyTob,
RadeBot, etc... would generate a 60 sec. NT AUTHORITY\SYSTEM shutdown message such as...

NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819

or

NT AUTHORITY\SYSTEM
Windows must now restart because the Remote Procedure Call (RPC) service terminated
unexpectedly.

With the RPC message, you can get that for "other" reasons not related to worm activity.

In all the above cases TCP protocols are exploited. TCP port 135 for RPC/RPCSS DCOM and
TCP port 445 for the LSASS module. Using a simple NAT Router such as the Linksys BEFSR41
greatly mitigates such internet worm port exploitations.

You have NOT shown any substantiating information to show this is worm exploitation.

Most system auto-reboots are caused by hardware problems. CPU, RAM modules, CPU fan, etc.
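
An added example, not part of the original posts: a small Python triage that looks for the two shutdown messages quoted above in captured text, decodes the signed status code into its NTSTATUS form (-1073741819 is 0xC0000005, an access violation), and names the TCP port the post associates with each. The function names and the sample text are constructed for illustration.

```python
import re

# Well-known NTSTATUS value for the code quoted in the post.
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}

# (pattern, symptom, TCP port named in the post, may also have non-worm causes)
RULES = [
    (re.compile(r"lsass\.exe'? terminated unexpectedly with status code (-?\d+)", re.I),
     "LSASS crash", 445, False),
    (re.compile(r"Remote Procedure Call \(RPC\) service terminated\s+unexpectedly", re.I),
     "RPC service crash", 135, True),
]

def ntstatus(code):
    """Map the signed decimal shown in the dialog to an unsigned 32-bit NTSTATUS."""
    return code & 0xFFFFFFFF

def triage(text):
    """Return one finding per shutdown message found in the text."""
    findings = []
    for pattern, symptom, port, ambiguous in RULES:
        for m in pattern.finditer(text):
            finding = {"symptom": symptom, "tcp_port": port, "ambiguous": ambiguous}
            if m.groups():  # only the LSASS message carries a status code
                status = ntstatus(int(m.group(1)))
                finding["status"] = f"0x{status:08X}"
                finding["status_name"] = NTSTATUS_NAMES.get(status, "unknown")
            findings.append(finding)
    return findings

def assess(text):
    """Summarise: no shutdown message at all gives no support for a worm."""
    findings = triage(text)
    if not findings:
        return "no worm-style shutdown message; check hardware first"
    ports = sorted({f["tcp_port"] for f in findings})
    return "check exposure and patching for TCP " + ", ".join(map(str, ports))

# Constructed sample text (not from a real machine).
SAMPLE = """\
NT AUTHORITY\\SYSTEM 'c:\\windows\\system32\\lsass.exe' terminated unexpectedly with status code -1073741819
Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly.
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
    print(assess("The system rebooted without warning."))
```

The `ambiguous` flag on the RPC rule reflects the point made in the post that the RPC message can also appear for reasons unrelated to worm activity.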
 
Phil Weldon

'news.rcn.com' wrote, in part:
| I am having a known problem in an unknown area: My Windows 2000 1.6 GHz AMD
| K6 Compaq machine is continuously rebooting.
_____

Have you considered a hardware problem? That seems more likely than malware
since scans have found nothing.

Phil Weldon

"news.rcn.com" <news.rnc.com> wrote in message
| I am having a known problem in an unknown area: My Windows 2000 1.6 GHz AMD
| K6 Compaq machine is continuously rebooting. The new problem appears to be
| that it doesn't revolve in a continuous loop, the machine works for anything
| from a few seconds to a few minutes before automatically rebooting. I
| haven't found any reference to this on line
|
| And it DOES connect to the Internet. I did manage to download multi_av and
| run Trend and Kaspersky. Trend and Kaspersky found nothing, both in normal
| and safe modes. I then tried to run Sophos and was running when I went to
| bed, after which I woke up the next morning and found the computer at the
| log in screen again, which indicates either that it found nothing or that it
| simply rebooted before Sophos could find anything
|
| Has anyone seen this before?
|
 
news.rcn.com

> Have you considered a hardware problem? That seems more likely than malware
> since scans have found nothing.

I was a bit scared to think about that as I wouldn't know how to isolate it.
But I was suspicious as there is never an error message, just a simple shut
down and restart. Does the OS generate a log anywhere which might enlighten
me?
 
Rhonda Lea Kirk

news.rcn.com said:
I was a bit scared to think about that as I wouldn't know how to
isolate it. But I was suspicious as there is never an error message,
just a simple shut down and restart. Does the OS generate a log
anywhere which might enlighten me?

XP, I assume, otherwise you'll need to google for instructions:

System Properties-->Advanced-->Startup and Recovery (click "Settings").
Under "System Failure," untick the "Automatically Restart" box. You'll
then be able to get a look at the BSOD.

You might also want to check Event Viewer for error messages.
 
Phil Weldon

'news.rcn.com' wrote:
| I was a bit scared to think about that as I wouldn't know how to isolate it.
| But I was suspicious as there is never an error message, just a simple shut
| down and restart. Does the OS generate a log anywhere which might enlighten
| me?
_____

Probably not. You report a reboot with no notice, so there is unlikely to
be any type of event entry. Just a guess, but what you have might be an
overheating problem or a power supply problem. You could check the CPU and
motherboard temperatures, and you could try swapping the power supply for a
known good supply. Since you write "as I wouldn't know how to isolate it",
consider warranty repair if applicable or a good computer repair shop. Also
you could try posting in a hardware oriented newsgroup; this really isn't
the place to get extensive help diagnosing a hardware problem. Since you
have no positive indication of malware, a hardware problem related to heat,
age, or failing power supply is likely.

Phil Weldon

"news.rcn.com" <news.rnc.com> wrote in message
|
| > Have you considered a hardware problem? That seems more likely than malware
| > since scans have found nothing.
|
| I was a bit scared to think about that as I wouldn't know how to isolate it.
| But I was suspicious as there is never an error message, just a simple shut
| down and restart. Does the OS generate a log anywhere which might enlighten
| me?
|
 