lsass.exe worm

  • Thread starter Thread starter Selarom De Janerio
  • Start date Start date
S

Selarom De Janerio

we got affected by this today on our 2000 workstations.
is there an automated way to push down the updates for this?

regards -
 
Selarom said:
we got affected by this today on our 2000 workstations.
is there an automated way to push down the updates for this?

regards -

Not without SUS or something similar.
Standard boilerplate follows:

You've been infected by the Sasser worm or variant. This means you didn't
apply Windows Updates (at least not very recently - patch for this came out
April 13 2004) and don't have a firewall enabled....

For WinXP: If you can't stop your computer from restarting:

As soon as your computer reboots and Windows loads, click Start, then Run.
In the box, type the following:

shutdown -a (then click OK)

[for Win2k, shutdown.exe is part of the resource kit and the correct syntax
is
shutdown /a]

Then see http://www.microsoft.com/security/incident/sasser.asp and
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

McAfee's Stinger tool to remove Sasser: http://vil.nai.com/vil/stinger/

MS removal tool for Windows 2000 SP2 and up, or Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

Enable your XP firewall (or get a third party one if not on XP or even if
so - www.zonealarm.com has a free one) - if you're on a network, you need a
good perimeter firewall anyway. Run Windows Update regularly to
keep your OS patched to the gills. You also need good antivirus software and
need to keep it updated regularly. As mentioned, the patch for this exploit
was released April 13th...but there are plenty you do need. Perhaps want to
enable the autoupdate feature of Windows Update and subscribe to the
security bulletin announcements at www.microsoft.com/security.
 
Lanwench.

I distribute all patches and HotFixes that are corp. requirements via our Login Script which
is based upon the kixtart script Interpreter.

Many OS patches use the syantax; PATCH.EXE -z -n -q

This allows installations that, are quiet (no screens), rquires no reboot and requires no
user intervention.

In the situation where there were *multiple* GDI DLL fixes for the JPEG vulnerability, the
above was not the case. In those cases all the patches wre self extracting ZIP files. I
used WinZIP to extract the contents of the EXE. The patches were based around OHOTFIX.EXE
and I put that command in the script uses its switch parameters.

Since *all* my LAN users must login to the Domain, and run the Login Script, they all get
the updates. If needed, i can reboot the platform useing the Kix command; shutdown()

Dave





"Lanwench [MVP - Exchange]" <[email protected]>
wrote in message | Selarom De Janerio wrote:
| > we got affected by this today on our 2000 workstations.
| > is there an automated way to push down the updates for this?
| >
| > regards -
|
| Not without SUS or something similar.
| Standard boilerplate follows:
|
| You've been infected by the Sasser worm or variant. This means you didn't
| apply Windows Updates (at least not very recently - patch for this came out
| April 13 2004) and don't have a firewall enabled....
|
| For WinXP: If you can't stop your computer from restarting:
|
| As soon as your computer reboots and Windows loads, click Start, then Run.
| In the box, type the following:
|
| shutdown -a (then click OK)
|
| [for Win2k, shutdown.exe is part of the resource kit and the correct syntax
| is
| shutdown /a]
|
| Then see http://www.microsoft.com/security/incident/sasser.asp and
| http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
|
| McAfee's Stinger tool to remove Sasser: http://vil.nai.com/vil/stinger/
|
| MS removal tool for Windows 2000 SP2 and up, or Windows XP:
| http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720
|
| Enable your XP firewall (or get a third party one if not on XP or even if
| so - www.zonealarm.com has a free one) - if you're on a network, you need a
| good perimeter firewall anyway. Run Windows Update regularly to
| keep your OS patched to the gills. You also need good antivirus software and
| need to keep it updated regularly. As mentioned, the patch for this exploit
| was released April 13th...but there are plenty you do need. Perhaps want to
| enable the autoupdate feature of Windows Update and subscribe to the
| security bulletin announcements at www.microsoft.com/security.
|
|
 
David said:
Lanwench.

I distribute all patches and HotFixes that are corp. requirements via
our Login Script which is based upon the kixtart script Interpreter.

Many OS patches use the syantax; PATCH.EXE -z -n -q

This allows installations that, are quiet (no screens), rquires no
reboot and requires no user intervention.

In the situation where there were *multiple* GDI DLL fixes for the
JPEG vulnerability, the above was not the case. In those cases all
the patches wre self extracting ZIP files. I used WinZIP to extract
the contents of the EXE. The patches were based around OHOTFIX.EXE
and I put that command in the script uses its switch parameters.

Since *all* my LAN users must login to the Domain, and run the Login
Script, they all get the updates. If needed, i can reboot the
platform useing the Kix command; shutdown()

Dave

Sounds excellent! Personally, I like SUS...but if your method works for you,
good on ya. :)
"Lanwench [MVP - Exchange]"
Selarom said:
we got affected by this today on our 2000 workstations.
is there an automated way to push down the updates for this?

regards -

Not without SUS or something similar.
Standard boilerplate follows:

You've been infected by the Sasser worm or variant. This means you
didn't apply Windows Updates (at least not very recently - patch for
this came out April 13 2004) and don't have a firewall enabled....

For WinXP: If you can't stop your computer from restarting:

As soon as your computer reboots and Windows loads, click Start,
then Run. In the box, type the following:

shutdown -a (then click OK)

[for Win2k, shutdown.exe is part of the resource kit and the correct
syntax is
shutdown /a]

Then see http://www.microsoft.com/security/incident/sasser.asp and
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

McAfee's Stinger tool to remove Sasser:
http://vil.nai.com/vil/stinger/

MS removal tool for Windows 2000 SP2 and up, or Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

Enable your XP firewall (or get a third party one if not on XP or
even if so - www.zonealarm.com has a free one) - if you're on a
network, you need a good perimeter firewall anyway. Run Windows
Update regularly to
keep your OS patched to the gills. You also need good antivirus
software and need to keep it updated regularly. As mentioned, the
patch for this exploit was released April 13th...but there are
plenty you do need. Perhaps want to enable the autoupdate feature of
Windows Update and subscribe to the security bulletin announcements
at www.microsoft.com/security.
 
thnx guys

"Lanwench [MVP - Exchange]"
David said:
Lanwench.

I distribute all patches and HotFixes that are corp. requirements via
our Login Script which is based upon the kixtart script Interpreter.

Many OS patches use the syantax; PATCH.EXE -z -n -q

This allows installations that, are quiet (no screens), rquires no
reboot and requires no user intervention.

In the situation where there were *multiple* GDI DLL fixes for the
JPEG vulnerability, the above was not the case. In those cases all
the patches wre self extracting ZIP files. I used WinZIP to extract
the contents of the EXE. The patches were based around OHOTFIX.EXE
and I put that command in the script uses its switch parameters.

Since *all* my LAN users must login to the Domain, and run the Login
Script, they all get the updates. If needed, i can reboot the
platform useing the Kix command; shutdown()

Dave

Sounds excellent! Personally, I like SUS...but if your method works for you,
good on ya. :)
"Lanwench [MVP - Exchange]"
Selarom De Janerio wrote:
we got affected by this today on our 2000 workstations.
is there an automated way to push down the updates for this?

regards -

Not without SUS or something similar.
Standard boilerplate follows:

You've been infected by the Sasser worm or variant. This means you
didn't apply Windows Updates (at least not very recently - patch for
this came out April 13 2004) and don't have a firewall enabled....

For WinXP: If you can't stop your computer from restarting:

As soon as your computer reboots and Windows loads, click Start,
then Run. In the box, type the following:

shutdown -a (then click OK)

[for Win2k, shutdown.exe is part of the resource kit and the correct
syntax is
shutdown /a]

Then see http://www.microsoft.com/security/incident/sasser.asp and
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

McAfee's Stinger tool to remove Sasser:
http://vil.nai.com/vil/stinger/

MS removal tool for Windows 2000 SP2 and up, or Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

Enable your XP firewall (or get a third party one if not on XP or
even if so - www.zonealarm.com has a free one) - if you're on a
network, you need a good perimeter firewall anyway. Run Windows
Update regularly to
keep your OS patched to the gills. You also need good antivirus
software and need to keep it updated regularly. As mentioned, the
patch for this exploit was released April 13th...but there are
plenty you do need. Perhaps want to enable the autoupdate feature of
Windows Update and subscribe to the security bulletin announcements
at www.microsoft.com/security.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Back
Top