SASSER VIRUS "LIKE" ISSUE

Status
Not open for further replies.

llambert2

MIS
Apr 10, 2003
80
US
We have about 1000 PCs on our network. Within a few minutes of each other ... about a dozen of those PCs got the NT Authority/System (Lsass.exe) shutdown warning that is typical of the Sasser virus. However, all of our DAT files are up to date, and when I ran the scanner, we did not find anything at all. We ran a Sasser-specific scanner and found nothing, as well. Does anyone have any ideas or experience with something similar? It seems to be happening on Windows 2000 PCs. We have both McAfee 4.5.1 and version 7 or 7.1, all using the latest DAT files.
 
Go to Windows Update and make sure the OS has all the patches.
 
Just as an update ... it's about an hour later and the issue is happening again ... only now it's more widespread ... it's happening in our regional offices too. They weren't hit in the first round.
Patches are mostly up to date. I don't have time to check all the computers.
Does anyone know a specific patch I can look for, that may make a difference?
 
Oh, I forgot to say: I found the easiest way to discover any machine that was attacking was to monitor the firewall log. I blocked IRC and any infected machine was quite easy to spot in the logs.
 
Are there any strange processes that consistently appear on the affected computers? If so, send it to Avert; you may have a new variant of Sasser or some such. I've done this several times and it turned out to be a new version of Gaobot.

 
Just to update. I watched the network with a sniffer and saw that one of the computers was continually sending ARP requests for IP addresses that aren't in our scope. So I had that computer checked for viruses. First, it was new and using McAfee version 7. The tech in that office hadn't known how to point it to update the DATs (since our network is internal and doesn't connect to the internet), so the DATs weren't up to date. I showed him how to update and then had him run the scanner. There were 15 infected files, and one of the viruses was the Korgo virus, which is very similar to Sasser. This fixed the problem.
Thanks for all your help.
Len
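
The check described in the last post (spotting a host that keeps sending ARP requests for addresses outside the site's scope), as an added example that is not part of the original thread. The address scope, the threshold and the tcpdump-style sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed site address scope (constructed; replace with your own ranges).
SCOPE = [ipaddress.ip_network("10.20.0.0/16")]

# Matches tcpdump-style text: "ARP, Request who-has <target> tell <sender>,"
ARP_REQ = re.compile(r"ARP, Request who-has (\S+?) tell (\S+?),")

# Constructed sample capture lines, not taken from the thread.
SAMPLE = """\
09:14:01.100 ARP, Request who-has 10.20.0.1 tell 10.20.3.17, length 46
09:14:01.220 ARP, Request who-has 172.16.5.9 tell 10.20.3.44, length 46
09:14:01.231 ARP, Request who-has 192.168.77.3 tell 10.20.3.44, length 46
09:14:01.240 ARP, Request who-has 10.20.3.44 tell 10.20.0.1, length 46
09:14:01.252 ARP, Request who-has 203.0.113.80 tell 10.20.3.44, length 46
09:14:02.010 ARP, Request who-has 192.168.1.1 tell 10.20.8.5, length 46
09:14:02.400 ARP, Reply 10.20.0.1 is-at 00:11:22:33:44:55, length 46
""".splitlines()

def in_scope(addr):
    return any(addr in net for net in SCOPE)

def out_of_scope_requesters(lines, threshold=3):
    """Map each sender to the out-of-scope addresses it ARPed for, keeping only
    senders with at least `threshold` distinct out-of-scope targets."""
    targets = defaultdict(set)
    for line in lines:
        m = ARP_REQ.search(line)
        if not m:
            continue  # ARP replies and non-ARP lines are ignored
        try:
            target = ipaddress.ip_address(m.group(1))
            sender = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # name-resolved or malformed field; capture with -n
        if not in_scope(target):
            targets[str(sender)].add(target)
    return {s: [str(t) for t in sorted(ts)]
            for s, ts in targets.items() if len(ts) >= threshold}

if __name__ == "__main__":
    for sender, wanted in out_of_scope_requesters(SAMPLE).items():
        print(f"{sender} requested {len(wanted)} out-of-scope addresses: {wanted}")
```

A single stray request (10.20.8.5 in the sample) stays below the threshold, so only the host that keeps asking for foreign addresses is reported and can be sent for a scan.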
 