Lsass.exe causing shutdown in IE.

Hi all.

We're starting to take calls from users about an LSASS.EXE error causing XP to do the 60 seconds till forced reboot, and the normal blaster mitigation and turning on the ICF isn't fixing it. I've been able to reproduce it on one machine locally. Is anyone else seeing it?

-Ejay

Ejay,

I've seen this for about 36 hours but I haven't been involved in the resolution process. Let me know what you find.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Ejay Hire
Sent: Saturday, May 01, 2004 1:09 PM
To: nanog@merit.edu
Subject: Lsass.exe causing shutdown in IE.

Hi all.
We're starting to take calls from users about an LSASS.EXE error causing XP to do the 60 seconds till forced reboot, and the normal blaster mitigation and turning on the ICF isn't fixing it. I've been able to reproduce it on one machine locally. Is anyone else seeing it?
-Ejay

On Sat, May 01, 2004 at 03:09:12AM -0500, Ejay Hire wrote:
> We're starting to take calls from users about an LSASS.EXE error causing XP to do the 60 seconds till forced reboot, and the normal blaster mitigation and turning on the ICF isn't fixing it. I've been able to reproduce it on one machine locally. Is anyone else seeing it?

Sasser (windows) worm.
http://isc.sans.org/diary.php?date=2004-04-30

--
Henry Yen                       Aegis Information Systems, Inc.
Senior Systems Programmer       Hicksville, New York

--On Saturday, May 01, 2004 4:18 PM -0400 Henry Yen <henry@AegisInfoSys.com> wrote:
> On Sat, May 01, 2004 at 03:09:12AM -0500, Ejay Hire wrote:
>> We're starting to take calls from users about an LSASS.EXE error causing XP to do the 60 seconds till forced reboot, and the normal blaster mitigation and turning on the ICF isn't fixing it. I've been able to reproduce it on one machine locally. Is anyone else seeing it?
>
> Sasser (windows) worm.

This affects Win2k too. I had to deal with it earlier today. It was my experience that after the machine rebooted a few times it would stay up and allow you to remove the offending files and processes, and apply the appropriate patches.

What I like about this worm is that it's extremely easy to identify hosts on your network that are infected. Just run an nmap scan of your network and look for hosts with TCP port 5554 open.

-J

--
Jeff Workman | jworkman@pimpworks.org | http://www.pimpworks.org
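
Added example, not part of any message in this thread: one way to triage the scan described in the post above is to parse nmap's grepable (-oG) output and list only hosts where TCP 5554 is in state "open", ignoring closed and filtered results. The sample scan output, host names and addresses (RFC 5737 documentation range) are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of nmap grepable output, e.g. from an assumed run of
#   nmap -p 445,5554 -oG scan.gnmap <your own address range>
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 (ws-010.example.net)\tStatus: Up
Host: 192.0.2.10 (ws-010.example.net)\tPorts: 445/open/tcp//microsoft-ds///, 5554/open/tcp/////
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 445/open/tcp//microsoft-ds///, 5554/closed/tcp/////
Host: 192.0.2.12 ()\tPorts: 5554/filtered/tcp/////
Host: 192.0.2.13 (srv-2k.example.net)\tPorts: 80/open/tcp//http///, 5554/open/tcp/////\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_ports(field):
    """Yield (port, state, proto) from the body of a grepable 'Ports:' field."""
    for entry in field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 3 and parts[0].isdigit():
            yield int(parts[0]), parts[1], parts[2]


def hosts_with_open_port(gnmap_text, port=5554, proto="tcp"):
    """Return sorted [(ip, hostname)] where port/proto is reported as 'open'."""
    hits = set()
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a Host record
        # Fields after the host are tab-separated: Status, Ports, Ignored State
        for field in line.split("\t")[1:]:
            if not field.startswith("Ports:"):
                continue
            for p, state, pr in parse_ports(field[len("Ports:"):]):
                # 'closed' and 'filtered' are not hits; only a listening port is
                if p == port and pr == proto and state == "open":
                    hits.add((m.group(1), m.group(2)))
    return sorted(hits)


if __name__ == "__main__":
    for ip, name in hosts_with_open_port(SAMPLE_GNMAP):
        # Per the post above, an open TCP 5554 marks a host to inspect and patch
        print(f"{ip}\t{name or '-'}\tTCP 5554 open")
```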

| Behalf Of Ejay Hire
| Sent: May 1, 2004 4:09 PM
|
| We're starting to take calls from users about an LSASS.EXE error causing
| XP to do the 60 seconds till forced reboot, and the normal blaster
| mitigation and turning on the ICF isn't fixing it. I've been able to
| reproduce it on one machine locally. Is anyone else seeing it?

This may be of interest to you:
http://xforce.iss.net/xforce/alerts/id/172

Todd
--

W32.Sasser.Worm
http://www.symantec.com/avcenter/venc/data/w32.sasser.worm.html

Microsoft Windows LSASS Buffer Overrun Vulnerability
http://www.symantec.com/avcenter/security/Content/10108.html

Latest virus threats
W32.Misodene@mm
Backdoor.Sdbot.Z
W32.Gaobot.AFW
W32.Gaobot.AFJ
W32.Gaobot.AFC

-Henry

--- Todd Mitchell - lists <lists@ciphin.com> wrote:
> | Behalf Of Ejay Hire
> | Sent: May 1, 2004 4:09 PM
> |
> | We're starting to take calls from users about an LSASS.EXE error causing
> | XP to do the 60 seconds till forced reboot, and the normal blaster
> | mitigation and turning on the ICF isn't fixing it. I've been able to
> | reproduce it on one machine locally. Is anyone else seeing it?
>
> This may be of interest to you:
> http://xforce.iss.net/xforce/alerts/id/172
>
> Todd
> --

Yes, for the last couple of days I'm getting constant Nagios reports about some Windows servers getting rebooted all the time (these are all Win2000, but obviously it has the same kernel as XP, and viruses and exploits are all the same). I could not find any good way to actually shut this all down on firewall level and was forced to go through each rebooting computer and make sure all the latest Windows updates are installed and disabling or renaming "scripts" IIS CGI directory, etc.

I've noticed these problems on Friday morning but possibly it started on Thursday.

On Sat, 1 May 2004, Ejay Hire wrote:
> Hi all.
>
> We're starting to take calls from users about an LSASS.EXE error causing XP to do the 60 seconds till forced reboot, and the normal blaster mitigation and turning on the ICF isn't fixing it. I've been able to reproduce it on one machine locally. Is anyone else seeing it?
>
> -Ejay

participants (7)
- Christopher J. Wolff
- Ejay Hire
- Henry Linneweh
- Henry Yen
- Jeff Workman
- Todd Mitchell - lists
- william(at)elan.net