Hi,
I am glad to hear that you have figured out the culprit. Feel free to post
your question in the future.
Have a nice day!
Thanks & Regards,
Feng Mao [MSFT], MCSE
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Subject: Re: Sasser Like behaviour
| Date: Thu, 12 Aug 2004 20:59:23 +0200
| Newsgroups: microsoft.public.windowsxp.security_admin
|
| Hello,
|
| We have found the culprit. External Sales Rep with a contaminated laptop:
| Korgo.g worm ... (6251 files infected!)
|
| Thx for your input.
|
|
| > Hi,
| >
| > Personally I think that it will be better to convince the upper management
| > that the clients to which the security update is applied will not be
| > affected by the virus any more.
| >
| > As no virus can be found in the clients in your network, possibly it comes
| > out of the firewall. Feel free to post back if there are any findings.
| >
| > Have a nice day!
| >
| > Thanks & Regards,
| >
| > Feng Mao [MSFT], MCSE
| > Microsoft Online Partner Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > When responding to posts, please "Reply to Group" via your newsreader so
| > that others may learn and benefit from your issue.
| > =====================================================
| > This posting is provided "AS IS" with no warranties, and confers no rights.
| >
| >
| >
| > --------------------
| > | Subject: Re: Sasser Like behaviour
| > | Date: Wed, 4 Aug 2004 20:58:22 +0200
| > | Newsgroups: microsoft.public.windowsxp.security_admin
| > |
| > | Hello there,
| > |
| > | All machines are fully patched, SUS is in place and working, testing SP2 RC2
| > | for XP for our new roll out (planning to be a 99 % XP SP2 shop by October
| > | 2004)... awaiting eagerly WUS ... which looks very promising.
| > |
| > | I really would like to find the culprit, just to prove to upper management
| > | I'm more than a nagging sysadmin. No tool is indicating any infection on
| > | the machines we tested ... I hope to get the network guy in next week for
| > | access to the firewall logs and some sniffing (I'm legally not allowed to
| > | do it).
| > |
| > | Thanks for your input (and you as well Feng Mao)
| > |
| > | I'll post back any findings on the cause
| > |
| > |
| > | "Lanwench [MVP - Exchange]" ... in message ...
| > | > (e-mail address removed) wrote:
| > | > > Hello,
| > | > >
| > | > > They have all been patched. I straightened that out straight away.
| > | > > That made the issue go away, but there must be something causing it.
| > | > > I have no control over the firewall. Admin is not available. It's
| > | > > Checkpoint. As far as I know, if the session is initiated from the
| > | > > client it will pass any communication. I tend to believe that we
| > | > > have somewhere an internal machine (or external machine that has been
| > | > > brought in) that is trying to infect ours or is scanning them,
| > | > > attacking them ...
| > | >
| > | > Very likely. Keep everyone patched all the time! Got SUS in place?
| > | >
| > | > > We've been checking for any malware associated
| > | > > with 04-011 and 04-012 but we do not find a thing ... quite
| > | > > worrisome. I hope to gain access to the firewall next week ...
| > | >
| > | > You can try a scan to see what ports are open from the Internet - try
| > | > www.grc.com for one.
| > | > >
| > | > >
| > | > > Thx for your time.
| > | > >
| > | > >
| > | > > "Lanwench [MVP - Exchange]" ... in message ...
| > | > >> Patch them all with critical updates - this is a must.
| > | > >>
| > | > >> What kind of firewall, and what inbound ports are open?
| > | > >>
| > | > >>
| > | > >> (e-mail address removed) wrote:
| > | > >>> Hello,
| > | > >>>
| > | > >>> All PCs (XP SP1 and Windows 2000) not patched with MS04-011 and
| > | > >>> onwards show the Sasser symptoms since 02/08/2004 (same shutdown
| > | > >>> message etc....). No Sasser or variants (Bobax etc ...) found
| > | > >>> whatsoever with any tool or manually on any machine. Patching with
| > | > >>> MS04-011 and higher has helped to remediate the problem. Since we
| > | > >>> can not locate the origin of the problem (we don't find any worm),
| > | > >>> what might be exploiting this vulnerability? Any remote tools to
| > | > >>> exploit the vulnerability? Our one and only network admin, the only
| > | > >>> one who has access to that level, is away ... no firewall logs or
| > | > >>> network scans available ...
| > | > >>>
| > | > >>> Any info or pointers would be great,
| > | > >>>
| > | > >>> Thx
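An added, defender-side example that is not part of this thread: the poster hoped to get at the firewall logs to find the internal machine scanning the others, and both Sasser and Korgo spread by probing TCP port 445 for the LSASS flaw fixed by MS04-011, so a source that hits 445 on many distinct hosts in a short time is the fingerprint to look for. The script below runs that check over a constructed log format (an assumption, not real Check Point output) and flags such sources.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not real Check Point output);
# assumed format: <time> <action> src=<ip> dst=<ip> proto=<tcp|udp> dport=<port>
SAMPLE_LOG = """\
20:58:01 accept src=10.1.1.50 dst=10.1.2.7 proto=tcp dport=445
20:58:01 accept src=10.1.1.50 dst=10.1.2.8 proto=tcp dport=445
20:58:02 drop src=10.1.1.50 dst=10.1.2.9 proto=tcp dport=445
20:58:02 accept src=10.1.1.50 dst=10.1.2.10 proto=tcp dport=445
20:58:02 accept src=10.1.1.50 dst=10.1.2.11 proto=tcp dport=445
20:58:03 accept src=10.1.1.50 dst=10.1.2.12 proto=tcp dport=445
20:58:03 accept src=10.1.1.21 dst=10.1.2.5 proto=tcp dport=445
20:58:04 accept src=10.1.1.21 dst=10.1.2.5 proto=tcp dport=445
20:58:04 accept src=10.1.1.33 dst=10.1.2.1 proto=tcp dport=80
20:58:05 accept src=10.1.1.33 dst=10.1.2.2 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<action>\w+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)

LSASS_PORT = 445  # TCP port Sasser/Korgo probe to reach the LSASS bug of MS04-011


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_scanners(log_text, port=LSASS_PORT, min_targets=5):
    """Map each source IP to the distinct hosts it contacted on `port` and
    return the sources that touched at least `min_targets` distinct hosts.
    Dropped connections count too: a worm keeps probing whether or not
    the firewall lets the packet through."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or int(rec["dport"]) != port:
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} probed TCP/{LSASS_PORT} on {len(dsts)} distinct hosts: {', '.join(dsts)}")
```

A host that legitimately talks SMB to one file server (like 10.1.1.21 above) stays below the threshold; the one sweeping a range does not.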