Did you ensure that the machine was already updated with the Critical Security Patches?
Lee
Lee Duynslager
Information Technologist
Integrated Plant Systems
Michigan State University
(517) 432-5296
-----Original Message-----
From: MSU Network Administrators Group On Behalf Of Gene Willacker
Sent: Monday, May 03, 2004 10:21 AM
Subject: Re: [MSUNAG] Possible Sasser worm variants?
We are also seeing this, and the Symantec tool is not detecting on our PCs either. The error message we see says, in part, "LSASS.exe terminated with code 128."
Gene
On 5/3/2004 11:09 AM, Cameron Ramo Williams wrote:
Hello fellow NAGers
I was wondering if anyone here has found evidence of new Sasser worm
variants on campus PCs? We have a couple PCs that exhibit the random
reboots that make me suspect they have been infected with the Sasser worm,
but the removal tools I downloaded from Symantec have been run repeatedly on
these PCs in safe mode and have not found any evidence of Sasser. According
to Symantec, the removal tools cover the initial Sasser worm and variants B
and C. I just wondered if anyone else has found evidence of Sasser but has
been unable to get a removal tool to detect its presence? I surmise it is
some new variant that the removal tool is not able to locate and remove.
Any others with this experience today?
Thanks!
Cameron Williams
---
_______________________________________
Cameron R. Williams
Information Technologist
Center for Global Change and Earth Observations
Michigan State University
101 Manly Miles
East Lansing, MI 48825
(517) 432-4675
--
Gene Willacker
Systems Analyst
H&FS Systems Operations Group
Michigan State University
Food Stores Building
East Lansing, MI 48824
1-517-353-1691