[70127] in North American Network Operators' Group


Re: Lsass.exe causing shutdown in IE.

daemon@ATHENA.MIT.EDU (Jeff Workman)
Sat May 1 17:06:58 2004

Date: Sat, 01 May 2004 17:05:41 -0400
From: Jeff Workman <jworkman@pimpworks.org>
To: Henry Yen <henry@AegisInfoSys.com>,
	Ejay Hire <ejay.hire@isdn.net>, nanog@merit.edu
In-Reply-To: <20040501161854.A25428@AegisInfoSys.com>
Errors-To: owner-nanog-outgoing@merit.edu


--On Saturday, May 01, 2004 4:18 PM -0400 Henry Yen 
<henry@AegisInfoSys.com> wrote:

>
> On Sat, May 01, 2004 at 03:09:12AM -0500, Ejay Hire wrote:
>> We're starting to take calls from users about an LSASS.EXE error causing
>> XP to do the 60 seconds till forced reboot, and the normal blaster
>> mitigation and turning on the ICF isn't fixing it.  I've been able to
>> reproduce it on one machine locally.  Is anyone else seeing it?
>
> Sasser (windows) worm.
>
>    http://isc.sans.org/diary.php?date=2004-04-30

This affects Win2k too.  I had to deal with it earlier today.  It was my 
experience that after the machine rebooted a few times it would stay up and 
allow you to remove the offending files and processes, and apply the 
appropriate patches.

What I like about this worm is that it's extremely easy to identify hosts 
on your network that are infected. Just run an nmap scan of your network 
and look for hosts with TCP port 5554 open.

-J

--
Jeff Workman | jworkman@pimpworks.org | http://www.pimpworks.org
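
The check described in the message above (scan the network, list hosts with TCP port 5554 open), as an added example that is not part of the original post: a parser for nmap's grepable output that reports only hosts where that port is in the open state. The sample scan output, the addresses and hostnames, and the names SASSER_INDICATOR_PORT and hosts_with_open_port are constructed for illustration.

```python
import re

SASSER_INDICATOR_PORT = 5554  # TCP port named in the message above

# Constructed sample of nmap grepable output, as written by e.g.
#   nmap -p 5554 -oG scan.gnmap 192.0.2.0/24
# Addresses come from a documentation range; hostnames are made up.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (ws-front-desk)\tStatus: Up
Host: 192.0.2.10 (ws-front-desk)\tPorts: 445/open/tcp//microsoft-ds///, 5554/open/tcp//unknown///
Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 5554/closed/tcp//unknown///
Host: 192.0.2.12 ()\tPorts: 5554/filtered/tcp//unknown///
Host: 192.0.2.13 (ws-lab)\tPorts: 5554/open/tcp//unknown///\tIgnored State: closed (999)
Host: 192.0.2.14 ()\tPorts: 15554/open/tcp//unknown///
# Nmap done
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def hosts_with_open_port(gnmap_text, port=SASSER_INDICATOR_PORT, proto="tcp"):
    """Return [(ip, hostname)] for hosts whose Ports: field lists port/open/proto."""
    hits = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        # Fields on a Host line are tab-separated; pick the Ports: field if present.
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # e.g. the "Status: Up" line
        for entry in ports_field[len("Ports:"):].split(","):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[0] == str(port) and parts[1] == "open" and parts[2] == proto:
                hits.append((m.group(1), m.group(2)))
                break
    return hits


if __name__ == "__main__":
    for ip, name in hosts_with_open_port(SAMPLE_GNMAP):
        print(f"{ip}\t{name or '-'}\tTCP {SASSER_INDICATOR_PORT} open")
```

Matching on the exact port and the "open" state keeps closed or filtered results, and ports that merely contain the digits 5554, out of the cleanup list.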
