Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: New Sasser variant on the loose? Anyone else?

from [Matthew Mucker] Network Security [Permanent Link]
Subject: RE: New Sasser variant on the loose? Anyone else?
Date: Mon, 13 Mar 2006 12:17:28 -0800 
Drew and I worked on this problem in a private email thread.

It currently appears as though his issue is being caused by a
non-Microsoft application.  I've encouraged Drew to work with the
application vendor to determine the cause of the problem.

I'm not going to name names until we're sure that we've properly
identified the cause of the problem; I don't want to jump to conclusions
and put a dent in someone's reputation.

-----Original Message-----
From: DUBRAWSKY, IDO (CALLISMA) [mailto:id3878@att.com] 
Sent: Monday, March 13, 2006 1:42 PM
To: Drew Weaver; focus-ms@securityfocus.com
Subject: RE: New Sasser variant on the loose? Anyone else?

I had a similar thing hit last Thursday on a Windows XP SP2 box that was
patched completely.  It nearly wiped out the hard drive.  We couldn't
even slave it to get the data off...we had to use a commercial data
recovery tool.
 
Ido
--
Ido Dubrawsky
Senior Consultant
AT&T/Callisma
Sterling, VA.
(571) 633-9500 (Ofc)
(202) 213-9029 (Mobile)

________________________________

From: Drew Weaver [mailto:drew.weaver@thenap.com]
Sent: Mon 3/13/2006 2:14 PM
To: focus-ms@securityfocus.com
Subject: New Sasser variant on the loose? Anyone else?



Has anyone seen a sasser variant that effects Windows 2k3 SP1?

    We have started seeing servers exhibiting the exact same effects
that
sasser had back when it was "all the rage" that are completely patched
to
the latest "Windows Update" spec before ever touching the non firewalled
internet. Our firewall is about as restrictive as possible.

There are two errors which are similar which evoke the "reboot of death"
I
have been seeing these again since Saturday.

"Shutdown was initiated by NT AUTHORITY\SYSTEM
C:\Windows\SYSTEM32\services.exe Status Code -1073741819"

I shortened the above error message, but the perinent parts are there, I
also noticed that sometimes it is lsass and sometimes it is
services.exe.

Also, we use ghost to install our operating system, and our ghost image
is
current up to the last windows update patch, and I have verified that
sasser
is not on our ghost image.

Has anyone seen anything similar?

Thanks,
Andrew

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---




------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RES: SPAM-BAIXO: New Sasser variant on the loose? Anyone else?, Charbel Chalala Issa <McAfee Partner>
Next by Date:  trouble using SSL on WSUS, Bart Poort
Previous by Thread:  RE: New Sasser variant on the loose? Anyone else?, DUBRAWSKY, IDO (CALLISMA)
Next by Thread:  trouble using SSL on WSUS, Bart Poort
Indexes:  [Date] [Thread] [Top] [All Lists]