
Network Security Focus-Virus

RE: Shutdown from NT-AUTHORITY\... = virus/attack?

Subject: RE: Shutdown from NT-AUTHORITY\... = virus/attack?
Date: Sun, 05 Sep 2004 13:01:02 +1200
"McDonald, Gray" to "Peter Nabbefeld":

> Does it say something about the LSASS service?  Sounds like SasserB.

Or other Sasser variants or one of the Blasters or, these days, more 
likely one of several bots that aggressively try to spread via an LSASS 
exploit.

And, of course, there are the ankle-biter copycats that never become 
widespread enough to gain (media) attention, but that are slinking 
around out there nonetheless...

The point -- this symptom has one common general cause (and no doubt 
several other, entirely unrelated causes) so a report of only this 
symptom is far too little to hang a malware family name on.

> Get all available updates from Microsoft for the OS first.  Then go to
> TrendMicro and use their free online virus scanner:
>
> http://housecall.trendmicro.com/
>
> And do a full scan.  Usually the updates take care of the vulnerability
> and it goes away, but the scan is good to do.

_How_ will he stay connected to WindowsUpdate, etc long enough to 
download the necessary patches if his machine is connected to a LAN, or 
straight to the Internet, where LSASS-exploiting malware is running 
rife?  Experience to date suggests that typically you have only a few 
minutes, at most, between shutdowns in such situations and it takes 
much longer than that to get the patches...

The running short-term survival time at ISC:

   http://isc.sans.org/

(near the top right-hand corner) is currently 18 minutes, which is 
slightly lower than the August monthly average and about the same as 
that for July:

   http://isc.sans.org/survivalhistory.php

Assuming Peter's machine is directly on or exposed to the Internet 
(assume for now the PFW is not working -- odds are it has been disabled 
by whatever so a PFW installed after suspected infestation is the same 
as no PFW), it would be much better to suggest that Peter restart in 
safe mode, disable _ALL_ MS networking services and clients, restart in 
"safe mode with networking" and try again.  (Hopefully this will see 
whatever not start due to safe mode's reduced startup functionality and 
no vulnerable services be exposed over TCP/IP, providing enough 
functionality to access the Internet and the necessary patches and 
recovery tools to clean his machine.)

> I've installed a firewall (maybe outdated) and a virus scanner (last 
> update about one week ago, maybe also some days more), so if it's been 
> caused by a virus, it should be a relatively recent one.

Do you mean you installed these _after_ you first thought your machine 
had been "attacked"?

If so, the odds are very high that they have been rendered non-
functional by whatever it is that attacked your machine.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
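The "disable all MS networking, then fetch patches" procedure Nick describes above, as an added example that is not part of the original thread. It is the modern PowerShell equivalent (assumes PowerShell 5.1 or later on a Windows 8/Server 2012 or newer host, run from an elevated prompt); the XP-era steps were done through the Services console and the connection properties dialog. The service names and port list are assumptions chosen to cover the SMB/NetBIOS paths Sasser-style LSASS exploits used; `shutdown /a`, which cancels a pending countdown, is the classic trick for buying time on a host that keeps rebooting.

```powershell
# Added example (not from the original thread): prepare a Windows host so it
# survives on a hostile LAN long enough to reach Windows Update.
# Assumes PowerShell 5.1+ on Windows 8 / Server 2012 or newer, elevated.

# 1. Abort any shutdown countdown already in progress (the "NT AUTHORITY\SYSTEM"
#    shutdown dialog after LSASS dies). Harmless if nothing is pending.
shutdown.exe /a 2>$null

# 2. Stop and disable the Microsoft networking services that listen on
#    NetBIOS/SMB (TCP 139/445). Assumed service list; extend as needed.
$msNetServices = @('lanmanserver', 'lanmanworkstation', 'Browser')
foreach ($svc in $msNetServices) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service -Name $svc -StartupType Disabled
        Write-Host "Disabled service: $svc"
    }
}

# 3. Make the next boot "Safe Mode with Networking" so only the minimal
#    service set starts. bcdedit replaces the old boot.ini /safeboot:network.
bcdedit /set '{current}' safeboot network | Out-Null

# 4. Verify nothing is still listening on the SMB/NetBIOS ports before
#    reconnecting. Port 135 (RPC endpoint mapper) cannot be stopped this way
#    and must be covered by the host firewall.
$smbPorts = 139, 445
$exposed = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $smbPorts -contains $_.LocalPort }
if ($exposed) {
    $exposed | Format-Table LocalAddress, LocalPort, OwningProcess -AutoSize
    Write-Warning 'SMB/NetBIOS listeners still present; stay off the network.'
} else {
    Write-Host 'No SMB/NetBIOS listeners. Reboot, then run Windows Update.'
}

# After patching, undo the safe-boot flag and re-enable the services:
#   bcdedit /deletevalue '{current}' safeboot
#   Set-Service -Name lanmanserver -StartupType Automatic  (etc.)
```

The ordering matters: the services are disabled before the reboot so that the safe-mode session never exposes the vulnerable listener, and the listening-port check is the evidence that the attack surface is actually closed rather than assumed closed. A personal firewall installed after the suspected infection, as Nick notes, cannot be trusted to provide that guarantee.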
