New Virus released, can anyone help identify it?

  • Thread starter Thread starter Craig N.
  • Start date Start date
C

Craig N.

I am a consultant, and I have had 3 corporate netowrks,
plus 20 servera t my colo facility nailed with a new
virus. Virus sacns are not picking it up, and I have the
latest definitions.

I have identified the culprit service to be LSESS.EXE, not
LSASS.exe, ans the sasser patch and removal tool does not
work. ALso, in the system32 folder, I locate the file.

It appears as though this virus just comes right in, not
through e-mail or surfing. Since some of the machines
affected are pure gaming servers, and dont have anyone
accessing the net or receiving e-mail.

Anyways, as far as effects, the first noticeable sign is
that once you log into 2000, you do not get a desktop, it
just sits with a blue screen for hours. Then the machine
starts rebooting constantly.

I performed a format and reinstall of 2000, and got my
desktop back, but within 2 minutes, I started getting
svchost errors, and Windows would rebbot after 10 seconds.

I finally did a clean 2003 install, and once again got the
virus, but it was attacking the RPC,causing a reboot in 10
seconds. I went into services, and disabled the action
from reboot machine to take no action for RPC.

I have noticed that if I restrict access to the file
LSESS.EXE the machines apper to run fine. I have also
encountered multiple instances of it inthe registry.

It looks like blaster or maybe Sasser, but not exact. It
also appears t be a widespread infection. I originally
caught it two days ago, and assumed it was blaster, but
then it nailed everypne today, and these are all seperate
corporations, and nothing on the security sites regarding
it.

Anyways, anyone have any idea what it is?
 
First guess is it's actually malware/spyware/etc. Have you looked at
the RUN and RUNONCE keys and removed any reference? Checked the
Startup group?

Jeff
 
If your virus scanner does not pick it up with the latest definitions try a
second opinion and contact your antivirus vendor with the information you
supplied here to see what they recommend. Trend Micro has a free and compact
Sysclean download for malware detection and removla and pattern file that
you need to download to a common folder to execute from. Also scan with
something like AdAware or Pest Patrol. Pest Patrol is pretty good and
targets Trojans and parasites. They have a free download but I think it will
only detect and not remove. Also try some of the free tools from
SysInternals - TCPView, Process Explorer, and Autoruns to help identify what
is happening by mapping port use to processes, and showing detailed info on
what applications are configured to start up automatically. Note that you
can also use msinfo32/software environment/running tasks to see process to
path mapping in W2K and you can also use it to view processes on remote
computers. For computers that do not need to offer resources on the network
it may help to enable tcp/ip filtering on the network adapter to block
uninitiated inbound traffic. Be sure to disable it when you are done as it
may cause network connectivity problems in the future. Of course XP and
W2003 have the built in ICF firewall.--- Steve

http://www.trendmicro.com/download/dcs.asp -- Sysclean
http://www.trendmicro.com/download/pattern.asp -- pattern file current as
of today
http://www.pestpatrol.com/Downloads/Eval/DownloadHomeEvalNew.asp -- Pest
Patrol
http://www.sysinternals.com/ntw2k/source/tcpview.shtml -- TCPView
http://www.microsoft.com/windows200...n/advanced/help/sag_TCPIP_pro_TCPIPfilter.htm
 
Thanks for the info. Is this a new release? I have talked
to over 20 people today that have recieved it. It spreads
through the network like wildfire. Both my domain
controllers, all my citrix servers, mail server, backup
server, and 400 XP workstations, and htat was only at one
location.

Plus, once it gets in, you cant access the 2000 desktop,
not even through safe mode. Any way of preventing it? I
think I got it removed, it was a bit of a pain, but i
deleted the executable, and removed the registry entries.

-----Original Message-----
Here is some more info on your problem as reported by Trend Micro by
searching their site for lsess.exe. --- Steve

http://www.trendmicro.com/search/google/en- us/results.asp?lr=lang_en-us&q=LSESS.EXE

WORM_SDBOT.CU - Description and solution
.... It drops a copy of itself as the file LSESS.EXE in the Windows system
folder. This malware runs on Windows 95, 98, ME, NT, 2000, and XP. ...
www.trendmicro.com/vinfo/virusencyclo/default5.asp? VName=WORM_SDBOT.CU... -
49k
Click to expand...
http://www.pestpatrol.com/Downloads/Eval/DownloadHomeEvalN
ew.asp -- Pesthttp://www.sysinternals.com/ntw2k/source/tcpview.shtml --
TCPView
 
Oh yeah, it made it hrough 3 firewalls, including a
symantec security gateway, and a mcaffee viruswall st the
one location.

-----Original Message-----
Here is some more info on your problem as reported by Trend Micro by
searching their site for lsess.exe. --- Steve

http://www.trendmicro.com/search/google/en- us/results.asp?lr=lang_en-us&q=LSESS.EXE

WORM_SDBOT.CU - Description and solution
.... It drops a copy of itself as the file LSESS.EXE in the Windows system
folder. This malware runs on Windows 95, 98, ME, NT, 2000, and XP. ...
www.trendmicro.com/vinfo/virusencyclo/default5.asp? VName=WORM_SDBOT.CU... -
49k
Click to expand...
http://www.pestpatrol.com/Downloads/Eval/DownloadHomeEvalN
ew.asp -- Pesthttp://www.sysinternals.com/ntw2k/source/tcpview.shtml --
TCPView
 
If it is the same worm that Trend Micro discusses it was discovered on June
14, 2004. There info indicates that it works through IRC and tries to crack
the admin password on the target computers to access the admin share. Weak
or no passwords would allow it to spread quickly. Enabling the built in ICF
firewall on XP computers that do not need to offer shares or other services
to computers on the network and using complex passwords could stop it and
slow down the spread of it. --- Steve
 
I am a consultant, and I have had 3 corporate netowrks,
plus 20 servera t my colo facility nailed with a new
virus. Virus sacns are not picking it up, and I have the
latest definitions.

I have identified the culprit service to be LSESS.EXE, not
LSASS.exe, ans the sasser patch and removal tool does not
work. ALso, in the system32 folder, I locate the file.

It appears as though this virus just comes right in, not
through e-mail or surfing. Since some of the machines
affected are pure gaming servers, and dont have anyone
accessing the net or receiving e-mail.

Anyways, as far as effects, the first noticeable sign is
that once you log into 2000, you do not get a desktop, it
just sits with a blue screen for hours. Then the machine
starts rebooting constantly.

I performed a format and reinstall of 2000, and got my
desktop back, but within 2 minutes, I started getting
svchost errors, and Windows would rebbot after 10 seconds.

I finally did a clean 2003 install, and once again got the
virus, but it was attacking the RPC,causing a reboot in 10
seconds. I went into services, and disabled the action
from reboot machine to take no action for RPC.

I have noticed that if I restrict access to the file
LSESS.EXE the machines apper to run fine. I have also
encountered multiple instances of it inthe registry.

It looks like blaster or maybe Sasser, but not exact. It
also appears t be a widespread infection. I originally
caught it two days ago, and assumed it was blaster, but
then it nailed everypne today, and these are all seperate
corporations, and nothing on the security sites regarding
it.

Anyways, anyone have any idea what it is?
Click to expand...

We have the same problem, 50 computers went down, and it looks like
sasser. I pathed all computer and the went stable, but 5 computers
have a entry in the registry called, wni32 usb2 driver=systemrun.exe,
which wasnt detected by mcaffe at first. The two new virusdefinitions
came out, and the latest could recognize it and remove it. It was
w32/sdbot.gen.t

But we have still one computer left, which have a file called
windrive.exe, and when I google i found that it seems to be a sdbot
virus too. But macaffe havent come out with a dat file that recognise
it.

Post when you know what virus it is.
 
My first guess would be to look at the people in the office with laptops
that connect directly to the internet. Ask them if they've had the same
problem at home and I'm sure you'll find at least one that has the same
problem and likely isn't up to date with patches. That's the nature of a
worm.

Joe
 
Back
Top