I had a similar thing hit last Thursday on a Windows XP SP2 box that was
patched completely. It nearly wiped out the hard drive. We couldn't even
slave it to get the data off...we had to use a commercial data recovery tool.
Ido
--
Ido Dubrawsky
Senior Consultant
AT&T/Callisma
Sterling, VA.
(571) 633-9500 (Ofc)
(202) 213-9029 (Mobile)
________________________________
From: Drew Weaver [mailto:drew.weaver@thenap.com]
Sent: Mon 3/13/2006 2:14 PM
To: focus-ms@securityfocus.com
Subject: New Sasser variant on the loose? Anyone else?
Has anyone seen a sasser variant that effects Windows 2k3 SP1?
We have started seeing servers exhibiting the exact same effects that
sasser had back when it was "all the rage" that are completely patched to
the latest "Windows Update" spec before ever touching the non firewalled
internet. Our firewall is about as restrictive as possible.
There are two errors which are similar which evoke the "reboot of death" I
have been seeing these again since Saturday.
"Shutdown was initiated by NT AUTHORITY\SYSTEM
C:\Windows\SYSTEM32\services.exe Status Code -1073741819"
I shortened the above error message, but the perinent parts are there, I
also noticed that sometimes it is lsass and sometimes it is services.exe.
Also, we use ghost to install our operating system, and our ghost image is
current up to the last windows update patch, and I have verified that sasser
is not on our ghost image.
Has anyone seen anything similar?
Thanks,
Andrew
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
---------------------------------------------------------------------------
