lsass/dcom problem - possible virus?

[John]

Can anyone lend a hand? My PC running Win2K has started
warning me of lsass.exe errors and imminent shutdown -
lsass stops running but shutdown never occurs. However, I
note the following error message in the system events
log...

Access denied attempting to launch a DCOM Server using
DefaultLaunchPermssion. The server is:
{00020906-0000-0000-C000-000000000046}
The user is Unavailable/Unavailable, SID=Unavailable.

....and I lose listings of local users & groups, along with
my permissions to shut down the system. After a hardware
shutdown, the system seems to function for a short while,
but then the error occurs again.

I have run Sophos Anti-Virus several times with the very
latest virus id's, and all seems clear. Can anybody offer
a novice like me some advice?

 

[Peter van der Woude]

McAfee identifies this as the new WM32/Sasser.worm
http://vil.nai.com/vil/content/v_125007.htm

Peter

 

[John]

Windows patch seems to do the trick, but Stinger did not
identify any virus - nor could I find any of the
suspicious looking files on my PC. Given the number of
complaints of this nature on this board, seems it isn't a
simple error no my machine - Interesting - perhaps this
this is a novel form of attack.

 

[Jason Hall [MSFT]]

--------------------

Content-Class: urn:content-classes:message
From: "John" <[email protected]>
Sender: "John" <[email protected]>
References: <[email protected]>

Subject: Re: lsass/dcom problem - possible virus?
Date: Sat, 1 May 2004 13:14:13 -0700

Windows patch seems to do the trick, but Stinger did not
identify any virus - nor could I find any of the
suspicious looking files on my PC. Given the number of
complaints of this nature on this board, seems it isn't a
simple error no my machine - Interesting - perhaps this
this is a novel form of attack.

Sasser info:
====================
http://sarc.com/avcenter/venc/data/w32.sasser.worm.html

Sasser removal tool:
====================
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.t
ool.html

Manual Sasser removal:
=====================
Use the Task manager to kill the following processes:
*_up.exe
avserv*.exe
hkey.exe
msiwin84.exe
wmiprvsw.exe
Use Regedit from the command line to look for and remove any of the the
following keys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"avserve.exe" = C:\WINDOWS\avserve.exe
HLKM\Software\Microsoft\Windows\CurrentVersion\Run
"windows"="hkey.exe"
"Microsoft Update"="msiwin84.exe"
"System Updater Service"="wmiprvsw.exe"
"avserve2.exe = %WINDIR%\avserve2.exe"

Search for & delete the following files from the harddrive:
C:\WINDOWS\avserv*.exe
c:\WINDOWS\system32\*_up.exe
avserve*.exe
hkey.exe
msiwin84.exe
wmiprvsw.exe


--
~~ JASON HALL ~~
~ Performance Support Specialist,
~ Microsoft Enterprise Platforms Support
~ This posting is provided "AS IS" with no warranties, and confers no
rights.
~ Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
~ Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.