Date: Sat, 1 May 2004 14:58:40 -0700 (PDT)
From: Henry Linneweh <hrlinneweh@sbcglobal.net>
To: Todd Mitchell - lists <lists@ciphin.com>, 'Ejay Hire' <ejay.hire@isdn.net>, nanog@merit.edu
Subject: RE: Lsass.exe causing shutdown in IE.

McAfee's Stinger takes care of this, or at least supposedly does.
http://vil.nai.com/vil/stinger
Maybe some of you guys on the ISP sides can place a copy in a public ftp for your users.

What I've noticed from looking at a few people who were infected with it is, IE and OE get toasted, with OE returning the 0x800ccc15, which on XP has to deal with a bad McAfee install and/or timeouts. Now, I had this one person I was on the phone with who had this error but was still open to ping via DOS prompts and could actually resolve out and have information returned to him. For a quick fix without having to reinstall, I had him do a system restore to a few weeks back, then reconnect and download Stinger. Voila, fixed.

Currently running NMAP on the company's /18 to see if we can notify users of this issue. Below is output of the session with addresses stripped.

sil@mvi:~> ping 216.x.x.x
PING 216.x.x.x (216.x.x.x): 56 data bytes
64 bytes from 216.x.x.x: icmp_seq=0 ttl=251 time=6.351 ms
64 bytes from 216.x.x.x: icmp_seq=1 ttl=251 time=17.575 ms
64 bytes from 216.x.x.x: icmp_seq=2 ttl=251 time=15.147 ms
64 bytes from 216.x.x.x: icmp_seq=3 ttl=251 time=23.916 ms
64 bytes from 216.x.x.x: icmp_seq=4 ttl=251 time=6.343 ms
64 bytes from 216.x.x.x: icmp_seq=5 ttl=251 time=8.788 ms
64 bytes from 216.x.x.x: icmp_seq=6 ttl=251 time=15.620 ms
^C
--- x.x.x.x ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.343/13.391/23.916/6.056 ms

------------------------------------------------------
xxxxxxx is currently connected to 216.x.x.x
------------------------------------------------------
SessionID: 433419007
Svc: PPP
Line/Chan: 1:13:42/000
Slot:Item: 1.03.06/008
Tx/Rx Rate: 45333/31200
IP Address: 216.x.x.x
ConnTime: 0:27:55
IdleTime: 0:00:00
Dialed#: 914XXXXXXX
Calling#: 914XXXXXXX
------------------------------------------------------

sil@mvi:~> telnet x.x.x.x 5554
Trying 216.x.x.x...
Connected to dialin-522-tnt.xxxx.xxxx
Escape character is '^]'.
220 OK
^]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

'Men have been taught that it is a virtue to agree with others. But the creator is the man who disagrees. Men have been taught that it is a virtue to swim with the current. But the creator is the man who goes against the current. Men have been taught that it is a virtue to stand together. But the creator is the man who stands alone.' -- Ayn Rand
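
The manual telnet check in the message above, as an added example that is not part of the original thread: it reads the first line a listener on TCP 5554 sends and compares it with the "220 OK" reply shown in the session. The function names are hypothetical, the host list is assumed to be the operator's own customer addresses, and the local listener is a constructed stand-in so the code runs offline.

```python
import socket
import threading

CHECK_PORT = 5554           # port probed with telnet in the message above
EXPECTED_BANNER = "220 OK"  # reply shown in that telnet session

def read_banner(host, port=CHECK_PORT, timeout=3.0):
    """Return the first line a listener sends, "" if it stays silent,
    or None if the connection is refused or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(128)
    except OSError:  # refused, unreachable, timed out
        return None
    if not data:
        return ""
    return data.decode("ascii", "replace").splitlines()[0].strip()

def classify(banner):
    """Map a banner to a triage label for the notification list."""
    if banner is None:
        return "closed"
    if banner == EXPECTED_BANNER:
        return "matches"      # same reply as in the session above
    return "open-other"       # something else is listening; check by hand

def triage(hosts, port=CHECK_PORT, timeout=3.0):
    """Check each of the operator's own addresses and label it."""
    return {h: classify(read_banner(h, port, timeout)) for h in hosts}

def _demo_listener(banner):
    """Constructed local stand-in for a dial-up host; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = _demo_listener(b"220 OK\r\n")
    print(triage(["127.0.0.1"], port=port))
```

A "matches" label only says the host answered the way the one in the session did; it is a reason to contact the user, not a confirmed diagnosis.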

On Sat, 1 May 2004, J. Oquendo wrote:
> McAfee's Stinger takes care of this, or at least supposedly does.
> http://vil.nai.com/vil/stinger
> Maybe some of you guys on the ISP sides can place a copy in a public ftp for your users.

McAfee's Stinger is copyrighted software. Redistribution without permission or license from McAfee may not be wise. McAfee's sales people are very particular about not letting people redistribute their software without paying McAfee.