Sasser Like behaviour

Guest

Hello,

All PCs (XP SP1 and Windows 2000) not patched with MS04-011 and onwards show
the Sasser symptoms since 02/08/2004 (same shutdown message etc.). No
Sasser or variants (Bobax etc.) found whatsoever with any tool or
manually on any machine. Patching with MS04-011 and higher has helped to
remediate the problem. Since we cannot locate the origin of the problem (we
don't find any worm), what might be exploiting this vulnerability? Any remote
tools to exploit the vulnerability? Our one and only network admin, the only
one who has access to that level, is away ... no firewall logs or
network scans available ...

Any info or pointers would be great,

Thx
 
Lanwench [MVP - Exchange]

Patch them all with critical updates - this is a must.

What kind of firewall, and what inbound ports are open?
 
Guest

Hello,

They have all been patched. I straightened that out straight away. That made
the issue go away, but there must be something causing it. I have no control
over the firewall. Admin is not available. It's Checkpoint. As far as I
know, if the session is initiated from the client it will pass any
communication. I tend to believe that we have somewhere an internal machine
(or external machine that has been brought in) that is trying to infect ours
or is scanning them, attacking them ... we've been checking for any malware
associated with 04-011 and 04-012 but we do not find a thing ... quite
worrisome. I hope to gain access to the firewall next week ...


Thx for your time.
 
Lanwench [MVP - Exchange]

> Hello,
>
> They have all been patched. I straightened that out straight away.
> That made the issue go away, but there must be something causing it.
> I have no control over the firewall. Admin is not available. It's
> Checkpoint. As far as I know, if the session is initiated from the
> client it will pass any communication. I tend to believe that we
> have somewhere an internal machine (or external machine that has been
> brought in) that is trying to infect ours or is scanning them,
> attacking them ...

Very likely. Keep everyone patched all the time! Got SUS in place?

> we've been checking for any malware associated
> with 04-011 and 04-012 but we do not find a thing ... quite
> worrisome. I hope to gain access to the firewall next week ...

You can try a scan to see what ports are open from the Internet - try
www.grc.com for one.
 
Feng Mao

Hi,

Thank you for posting!

First, I strongly agree with Lanwench that you must patch all clients with
all security updates. This can secure your network and all of the clients.

As far as I know, the Sasser virus has several variants. You may
download the tool from

http://www.microsoft.com/downloads/details.aspx?familyid=76c6de7e-1b6b-4fc3-90d4-9fa42d14cc17&displaylang=en

to make sure that no Sasser or its variants exist on your clients. On
the firewall side, if you are using Internet Security and Acceleration
Server from Microsoft, the article below might be helpful for you.

http://www.microsoft.com/isaserver/support/prevent/sasser.asp

Have a nice day!

Thanks & Regards,

Feng Mao [MSFT], MCSE
Microsoft Online Partner Support

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| From: "Lanwench [MVP - Exchange]"
| Subject: Re: Sasser Like behaviour
| Date: Wed, 4 Aug 2004 10:23:54 -0400
| Newsgroups: microsoft.public.windowsxp.security_admin
 
Guest

Hello there,

All machines are fully patched, SUS is in place and working, testing SP2 RC2
for XP for our new roll out (planning to be a 99 % XP SP2 shop by October
2004)... awaiting eagerly WUS ... which looks very promising.

I really would like to find the culprit, just to prove to upper management
I'm more than a nagging sysadmin. No tool is indicating any infection on
the machines we tested ... I hope to get the network guy in next week for
access to the firewall logs and some sniffing (I'm legally not allowed to
do it).

Thanks for your input (and you as well Feng Mao)

I'll post back any findings on the cause
 
Feng Mao

Hi,

Personally, I think that it will be better to convince the upper management
that the clients to which the security update has been applied will not be
affected by the virus any more.

As no virus can be found on the clients in your network, possibly it comes
out of firewall. Feel free to post back if there are any findings.

Have a nice day!

Thanks & Regards,

Feng Mao [MSFT], MCSE
Microsoft Online Partner Support




--------------------
| Subject: Re: Sasser Like behaviour
| Date: Wed, 4 Aug 2004 20:58:22 +0200
 
Juan

If patching with the recent critical updates has helped, the source of the
problem is most likely from the internet...

The Sasser virus can be seen in the Security tab as a set of codes that take
ownership of the computer... if an account with the capability to take
ownership is available, this can be the way to remove the Sasser if you find
it is present.
To make sure the Sasser virus is/not present, scan on the following
Microsoft page:
http://www.microsoft.com/security/incident/sasser.mspx

In Windows Explorer go to "Tools", "Folder Options". Click on the "View"
tab and scroll down to the bottom of the "Advanced Settings" box. You'll
see an option called "Use Simple File Share (Recommended)"; uncheck it. Now
go to the C:\ drive Properties, Security tab, and ensure that you have
administrative rights on the drive.
If you don't have them, then take control and add yourself to the
permissions dialog with "Full Control". If that is not possible, try to take
ownership of the drive. An administrative account may be needed for this
purpose...
HOW TO: Take Ownership of Files and Folders.
http://support.microsoft.com/default.aspx?scid=kb;en-us;308421&Product=winxp

If the Sasser is not found, a hacker's exploit tool could be in the system;
running spyware programs will remove it....

Spybot Search and Destroy (Free!)
http://www.safer-networking.net/

Lavasoft AdAware (Free and up)
http://www.lavasoft.de

CWSShredder (Free!)
http://www.spywareinfo.com/~merijn/downloads.html

Hijack This! (Free)
http://mjc1.com/mirror/hjt/
( Tutorial: http://www.spywareinfo.com/~merijn/htlogtutorial.html )

SpywareBlaster (Free!)
http://www.javacoolsoftware.com/

The Cleaner (49.95 and up)
http://www.moosoft.com/

If you have a local administrator account available, it may be possible
to use it and change the network admin password to have access to
the firewall logs and network scans.... If this is not possible, a standard
user (not limited) usually has the capability to install programs; install
a third-party firewall which can indicate where the problem originates.

To locate the origin of the problem, install a third-party firewall; it will
indicate where the problem originates.

ZoneAlarm (Free)
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Kerio Personal Firewall (KPF) (Free)
http://www.kerio.com/kpf_download.html

Outpost Firewall from Agnitum (Free)
http://www.agnitum.com/download/

Sygate Personal Firewall (Free)
http://smb.sygate.com/buy/download_buy.htm


 
Guest

Hello,

We have found the culprit. External Sales Rep with a contaminated laptop:
Korgo.g worm ... (6251 files infected!)

Thx for your input.


 
Feng Mao

Hi,

I am glad to hear that you have figured out the culprit. Feel free to post
your question in the future.

Have a nice day!

Thanks & Regards,

Feng Mao [MSFT], MCSE
Microsoft Online Partner Support




--------------------
| Subject: Re: Sasser Like behaviour
| Date: Thu, 12 Aug 2004 20:59:23 +0200
 
