G
Guest
The application, C:\WINDOWS\system32\lsass.exe, generated an application error The error occurred on 05/03/2004 @ 10:50:46.755 The exception generated was c0000005 at address 00900090 ()
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
The application, C:\WINDOWS\system32\lsass.exe, generated an application error The error occurred on
P
PA Bear
[My turn!]
What You Should Know About the Sasser Worm and Its Variants
http://www.microsoft.com/security/incident/sasser.asp
Instructions for patching and cleaning vulnerable Windows 2000 and Windows
XP systems:
Vulnerable Windows 2000 and Windows XP machines may have the LSASS.EXE
process crash every time a malicious worm packet targets the vulnerable
machine which can occur very shortly after the machine starts up and
initializes the network stack.
When cleaning a machine that is vulnerable to the Sasser worm it is
necessary to first prevent the LSASS.EXE process from crashing, which in
turn causes the machine to reboot after a 60 second delay. This reboot
cannot be aborted on Windows 2000 platforms using the Shutdown.exe or
psshutdown.exe utilities and can interfere with the downloading and
installation of the patch as well as removal of the worm.
1) To prevent LSASS.EXE from shutting down the machine during the cleaning
process:
a. Unplug the network cable from the machine
b. If you are running Windows XP you can enable the built-in Internet
Connection Firewall using the instructions found here: Windows XP
http://support.microsoft.com/?id=283673 and then plug the machine back into
the network and go to step 2.
c. If you are running Windows 2000, you won't have a built-in firewall and
must use the following work-around to prevent LSASS.EXE from crashing. This
workaround involves creating a read-only file named 'dcpromo.log' in the
"%systemroot%\debug" directory. Creating this read-only file will prevent
the vulnerability used by this worm from crashing the LSASS.EXE process. i.
NOTE: %systemroot% is the variable that contains the name of the Windows
installation directory. For example if Windows was installed to the
"c:\winnt" directory the following command will create a file called
dcpromo.log in the c:\winnt\debug directory. The following commands must be
typed in a command prompt (i.e. cmd.exe) exactly as they are written below.
1. To start a command shell, click Start and then click run and type
'cmd.exe' and press enter.
2.Type the following command: echo dcpromo >%systemroot%\debug\dcpromo.log
For this workaround to work properly you MUST make the file read-only by
typing the following command:
3. attrib +R %systemroot%\debug\dcpromo.log
2) After enabling the Internet Connection Firewall or creating the read-only
dcpromo.log you can plug the network cable back in and you must download and
install the MS04-011 patch from the MS04-011 download link for the affected
machines operating system before cleaning the system. If the system is
cleaned before the patch is installed it is possible that the system could
get re-infected prior to installing the patch.
a. Here is the URL for the bulletin which contains the links to the download
location for each patch:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
b. If your machine is acting sluggish or your Internet connection is slow
you should use Task Manager to kill the following processes and then try
downloading the patch again (press the Ctrl + Alt + Del keys simultaneously
and select Task Manager):
i. Kill any process ending with '_up.exe' (i.e. 12345_up.exe)
ii. Kill any process starting with 'avserv' (i.e. avserve.exe,
avserve2.exe)
iii. Kill any process starting with 'skynetave' (i.e. skynetave.exe)
iv. Kill hkey.exe
v. Kill msiwin84.exe
vi. Kill wmiprvsw.exe
[Note there is a legitimate system process called 'wmiprvse.exe' that does
NOT need to be killed.]
c. allow the system to reboot after the patch is installed.
3) Run the Sasser cleaner tool from the following URL:
a. For the on-line ActiveX control based version of the cleaner you can run
it directly from the following URL:
http://www.microsoft.com/security/incident/sasser.asp
b. For the stand-alone download version of the cleaner you can download it
from the following URL:
http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-
90D4-9FA42D14CC17&displaylang=en
4) Determine if the machine has been infected with a variant of the Agobot
worm which can also get on the machine using the same method as the Sasser
worm.
a. To do this run a full antivirus scan of your machine after ensuring your
antivirus signatures are up to date.
b. If you do NOT have an antivirus product installed you can visit HouseCall
from TrendMicro to perform a free scan using the following URL:
http://housecall.trendmicro.com/
If you have any questions regarding the security updates or its
implementation after reading the above listed bulletin you should contact
Product Support Services in the United States at 1-866-PCSafety
(1-866-727-2338). International customers should contact their local
subsidiary.
--
HTH - Please Reply to This Thread
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP
AumHa Forums
http://forum.aumha.org
Protect Your PC
http://www.microsoft.com/security/protect
What You Should Know About the Sasser Worm and Its Variants
http://www.microsoft.com/security/incident/sasser.asp
Instructions for patching and cleaning vulnerable Windows 2000 and Windows
XP systems:
Vulnerable Windows 2000 and Windows XP machines may have the LSASS.EXE
process crash every time a malicious worm packet targets the vulnerable
machine which can occur very shortly after the machine starts up and
initializes the network stack.
When cleaning a machine that is vulnerable to the Sasser worm it is
necessary to first prevent the LSASS.EXE process from crashing, which in
turn causes the machine to reboot after a 60 second delay. This reboot
cannot be aborted on Windows 2000 platforms using the Shutdown.exe or
psshutdown.exe utilities and can interfere with the downloading and
installation of the patch as well as removal of the worm.
1) To prevent LSASS.EXE from shutting down the machine during the cleaning
process:
a. Unplug the network cable from the machine
b. If you are running Windows XP you can enable the built-in Internet
Connection Firewall using the instructions found here: Windows XP
http://support.microsoft.com/?id=283673 and then plug the machine back into
the network and go to step 2.
c. If you are running Windows 2000, you won't have a built-in firewall and
must use the following work-around to prevent LSASS.EXE from crashing. This
workaround involves creating a read-only file named 'dcpromo.log' in the
"%systemroot%\debug" directory. Creating this read-only file will prevent
the vulnerability used by this worm from crashing the LSASS.EXE process. i.
NOTE: %systemroot% is the variable that contains the name of the Windows
installation directory. For example if Windows was installed to the
"c:\winnt" directory the following command will create a file called
dcpromo.log in the c:\winnt\debug directory. The following commands must be
typed in a command prompt (i.e. cmd.exe) exactly as they are written below.
1. To start a command shell, click Start and then click run and type
'cmd.exe' and press enter.
2.Type the following command: echo dcpromo >%systemroot%\debug\dcpromo.log
For this workaround to work properly you MUST make the file read-only by
typing the following command:
3. attrib +R %systemroot%\debug\dcpromo.log
2) After enabling the Internet Connection Firewall or creating the read-only
dcpromo.log you can plug the network cable back in and you must download and
install the MS04-011 patch from the MS04-011 download link for the affected
machines operating system before cleaning the system. If the system is
cleaned before the patch is installed it is possible that the system could
get re-infected prior to installing the patch.
a. Here is the URL for the bulletin which contains the links to the download
location for each patch:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
b. If your machine is acting sluggish or your Internet connection is slow
you should use Task Manager to kill the following processes and then try
downloading the patch again (press the Ctrl + Alt + Del keys simultaneously
and select Task Manager):
i. Kill any process ending with '_up.exe' (i.e. 12345_up.exe)
ii. Kill any process starting with 'avserv' (i.e. avserve.exe,
avserve2.exe)
iii. Kill any process starting with 'skynetave' (i.e. skynetave.exe)
iv. Kill hkey.exe
v. Kill msiwin84.exe
vi. Kill wmiprvsw.exe
[Note there is a legitimate system process called 'wmiprvse.exe' that does
NOT need to be killed.]
c. allow the system to reboot after the patch is installed.
3) Run the Sasser cleaner tool from the following URL:
a. For the on-line ActiveX control based version of the cleaner you can run
it directly from the following URL:
http://www.microsoft.com/security/incident/sasser.asp
b. For the stand-alone download version of the cleaner you can download it
from the following URL:
http://www.microsoft.com/downloads/details.aspx?FamilyId=76C6DE7E-1B6B-4FC3-
90D4-9FA42D14CC17&displaylang=en
4) Determine if the machine has been infected with a variant of the Agobot
worm which can also get on the machine using the same method as the Sasser
worm.
a. To do this run a full antivirus scan of your machine after ensuring your
antivirus signatures are up to date.
b. If you do NOT have an antivirus product installed you can visit HouseCall
from TrendMicro to perform a free scan using the following URL:
http://housecall.trendmicro.com/
If you have any questions regarding the security updates or its
implementation after reading the above listed bulletin you should contact
Product Support Services in the United States at 1-866-PCSafety
(1-866-727-2338). International customers should contact their local
subsidiary.
--
HTH - Please Reply to This Thread
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE), AH-VSOP
AumHa Forums
http://forum.aumha.org
Protect Your PC
http://www.microsoft.com/security/protect
B
Bruce Chambers
Greetings --
You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.
To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.
What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp
Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720
W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/
Bruce Chambers
--
Help us help you:
You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
You've apparently contracted the latest worm, W32.Sasser.Worm,
specifically designed to attack people who do not update their
computers promptly and who do not practice "safe hex." In other
words, like Blaster, this worm was developed and distributed _after_ a
patch for the vulnerability was announced and made publicly available.
Further, and also like Blaster, this worm could not affect any
computer whose user had taken the basic precaution of using a properly
configured firewall.
To stay on-line long enough to get the necessary updates, patches,
and removal tools, click Start > Run, and enter "shutdown -a" when the
next RPC countdown begins. This will abort the shut down. Also, make
sure you've enabled a firewall before starting, to preclude any more
intrusions while getting the updates/patches/tools.
What You should Know about the Sasser Worm and its Variants
http://www.microsoft.com/security/incident/sasser.asp
Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html
A tool is available to remove the Sasser worm variants
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720
W32.Sasser.Worm Removal Tool
http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html
McAfee AVert Stinger Virus Removal Tool
http://vil.nai.com/vil/stinger/
Bruce Chambers
--
Help us help you:
You can have peace. Or you can have freedom. Don't ever count on
having both at once. -- RAH
Ask a Question
Want to reply to this thread or ask your own question?
You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.