Lsasrv.dll RPC buffer overflow remote exploit

Page 4

LordThing

Golden Member
Jun 8, 2001
1,970
0
0
I cleaned off Sasser C from a unit, but I am still getting LSA crashes when I get into standard windows. Computer is patched up and clean. Any ideas?



Edit: OK, found a way to disable the LSA message at bootup. I had disabled error reporting, but had it set to notify if errors occur. Still, why is the error still popping up?
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
Originally posted by: PorBleemo
Originally posted by: ViRGE
Originally posted by: PorBleemo
Originally posted by: ViRGE
Ugg, today sucks; the entire network has Gaobot.AFJ running rampant, and there aren't any self-contained removal tools, so it all has to be done with the incredibly slow Symantec Corporate Anti-Virus.

Are self-contained removal tools like bots who fly around the network erasing the virus?
No, it's a small tool that can quickly remove the virus/worm. Symantec has one of these for Sasser; it's a small, free download that removes the worm much easier and faster than using the full NAV suite.

So is the big deal that these can be deployed remotely on a network to all the computers?
No, the big deal is that it would take me 10 minutes to clean a machine, vs. an hour. :p
 

Platypus

Lifer
Apr 26, 2001
31,046
321
136
Originally posted by: LordThing
I cleaned off Sasser C from a unit, but I am still getting LSA crashes when I get into standard windows. Computer is patched up and clean. Any ideas?



Edit: OK, found a way to disable the LSA message at bootup. I had disabled error reporting, but had it set to notify if errors occur. Still, why is the error still popping up?

Your system has been compromised at a root level, you might as well flatten and reinstall.
 

TuxDave

Lifer
Oct 8, 2002
10,571
3
71
wtf, I hate how the system is here. The system admins love to remotely reboot all our computers to patch them with whatever they want (without warning). So I can't tell if I'm infected or if it's just the admins.
 

Platypus

Lifer
Apr 26, 2001
31,046
321
136
Originally posted by: TuxDave
wtf, I hate how the system is here. The system admins love to remotely reboot all our computers to patch them with whatever they want (without warning). So I can't tell if I'm infected or if it's just the admins.


Haha, proactive security? What's that?!!?!

I posted the exploit, try it.
 

luvya

Banned
Nov 19, 2001
3,161
2
0
Arrhhh...I am hit again!:|

I thought I had successfully removed all the viruses from last night. Damn it!
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Relying solely on firewalls to block this virus is silly... there are many ways that this virus can get in. One very simple way I can think of is email. If an unsuspecting user opens up an email containing this virus, and you don't block those NetBIOS ports from within your LAN (which many corporate Windows users won't, otherwise Windows will be useless), then the virus will spread like wildfire in your LAN. This is what virus writers count on: people's stupidity. They know the virus won't go through firewalls, but they also know people are stupid :)

This is a worm, not a virus. Further, this attack does NOT SPREAD THROUGH EMAIL as you claim.

Bill
 

Narse

Moderator, Computer Help
Mar 14, 2000
3,826
1
81
I have taken this information to my company; I thought that blocking all traffic on port 445 would have limited our exposure to this threat. No one pays attention to me.
 

Medea

Golden Member
Dec 5, 2000
1,606
0
0
Originally posted by: luvya
Arrhhh...I am hit again!:|

I thought I had successfully removed all the viruses from last night. Damn it!

luvya, if you have XP, disable System Restore. Many times, you can get rid of a worm only to find it pop up again on your system via System Restore.
 

DurocShark

Lifer
Apr 18, 2001
15,708
5
56
My work got hit hard today. :|

I'd like to take the virus writers, tie them up, put headphones on, and make them listen to "BADGERBADGERBADGER" for a week straight!

:|
 

Nevada

Senior member
Aug 7, 2002
446
0
0
I ran into the LSA Shell error message after applying the patch. I unplugged the machine from the network and ran a full scan on the machine with the latest virus definitions. Seems to have taken care of the issue.
 

gatehill

Junior Member
May 9, 2004
1
0
0
I successfully removed Sasser from a friend's PC on Thursday so, full of confidence, I went to another friend's house on Friday to carry out the same operation.
At both places I turned on the XP firewall, removed the worm using the Symantec tool which I had downloaded onto a CD, and then ran Windows Update to download the latest critical updates, including 835732.

However, at the second friend's house, when we tried to restart the computer, as required after installing the Windows updates, the PC would not reboot; instead we got an error message along the lines of: "lsass.exe could not run as lsasrv.dll is missing".

Can anyone advise how I should proceed? It is a Dell 2350 and he still has all the disks which were supplied when he purchased the PC about a year ago.