From: <
[email protected]>
| 1073741819 is the fault code
|
| popup says NTAuthotity\system will shut down the system because of
| fault 1073741819
|
| anyone know what that is?????????
| it has happened 3 or 4 times today.
If I get your correctly, what you are posting is incomplete !
If you are getting the following NT AUTHORITY\SYSTEM shutdown message...
NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819
Is indicative of an Internet worm trying to exploit the LSASS module of the OS via TCP port
445.
The Sasser worm is long since gone. It has been replaced by numerous other Internet worms
that have incorporated that exploit in their arsenal of infection vectors. It should be
noted that many subsequent BOT variants (SDBot, , AgoBOT, RBot, etc.) will try to exploit
BOTH the RPC/RPCSS DCOM and LSASS modules as vectors of infection.
You can stop the 60 sec. shutdown process.
In WinXP;
Go to; Start --> Run
enter; shutdown -a
Microsoft's LSASS vulnerability patch.
WinXP KB835732
http://www.microsoft.com/downloads/...9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
Are you using WinXP SP2 ? WinXP SP2 has the above patch incorporated in it already. Thus
using WinXP SP2 mitigates this vulnerability. Additionally, the enhanced WinXP SP2 FireWall
should also help mitigate this type of TCP port exploitation. So does the use of a
Cable/DSL Router such as the Linksys BEFSR41. Using a NAT Router even on an un-patched
system will mitigate such an exploitation.
I have seen platforms get this error even if there is NO sign of infection.
Just in case, you can use the following tool. It is a broad-spectrum anti virus tool that
will catch the widest varieties of BOTs that may use this exploitation.
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
http://www.ik-cs.com/multi-av.htm
Additional Instructions:
http://pcdid.com/Multi_AV.htm
* * * Please report back your results * * *