windows 2000 auto shutdown but not blaster


dnack

Vendor
May 30, 2003
91
SG
Hi, my Windows 2000 server keeps shutting down automatically the moment I connect it through my ADSL modem. The pop-up error was like "lsass.exe terminated unexpectedly, code 128 ...". I updated my antivirus and I think it's not the Blaster worm. On the other hand, I use a dial-up modem connection and nothing happens... Anyone got this problem?
 
See if this post works.
thread96-830067


Help! I've fallen and I can't reach my beer.
 
TrendLabs has declared a Medium Risk Virus Alert to control the spread of WORM_SASSER.A.
TrendLabs has received several infection reports indicating that this malware is spreading in the US.

This worm is known to exploit the Windows LSASS vulnerability, which is a buffer overrun that allows remote code execution and enables an attacker to gain full control of the affected system. This vulnerability is discussed in detail in the following pages:


To propagate, it scans random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.

The resulting overflow allows the malware to listen to TCP port 9996, which instructs it to spawn a command shell. The malware then creates the script file CMD.FTP that contains instructions for the vulnerable system to download and execute a copy of this malware via FTP.

The infected host then opens TCP port 5554 to accept any FTP requests from infected remote systems. The worm copy to be downloaded bears the file name, <random integer>_up.exe (e.g., 12345_up.exe), and is saved in the Windows system directory.

After download, the malware deletes the file CMD.FTP. A log file named WIN.LOG is created in the root directory. This file contains the number of remote systems that the host system was able to infect.


TrendLabs will be releasing the following EPS deliverables:

TMCM Outbreak Prevention Policy 110 (released)
Official Pattern Release 879 (released)
Damage Cleanup Template 331 (ETA 1 hour)
Vulnerability Assessment Rule 10 (released)
NVW Pattern 10124 (ETA 1 hour)


For more information on WORM_SASSER.A, you can visit our Web site at:


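As an added example (not part of the thread or of the Trend Micro advisory), the host-side traces the advisory describes can be checked from `netstat -an` output and a file listing gathered on the suspect machine. The function names and the sample data are assumptions constructed for illustration.

```python
import re

# Indicators as described in the WORM_SASSER.A advisory quoted above.
SASSER_PORTS = {9996: "command shell listener", 5554: "FTP server for the worm copy"}
DROPPED_COPY = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)  # <random integer>_up.exe

def listening_tcp_ports(netstat_text):
    """Return local TCP ports in LISTENING state from `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            port = f[1].rsplit(":", 1)[-1]
            if port.isdigit():
                ports.add(int(port))
    return ports

def find_indicators(netstat_text, file_paths):
    """Return findings (ports first, then files) that match the advisory."""
    findings = []
    for port in sorted(listening_tcp_ports(netstat_text) & set(SASSER_PORTS)):
        findings.append(f"TCP {port} listening: {SASSER_PORTS[port]}")
    for path in file_paths:
        parts = [p for p in re.split(r"[\\/]+", path) if p]
        if not parts:
            continue
        name, in_root = parts[-1].lower(), len(parts) == 2
        if DROPPED_COPY.match(name):
            findings.append(f"{path}: name matches <random integer>_up.exe")
        elif name == "cmd.ftp":  # deleted after download, so only seen mid-infection
            findings.append(f"{path}: FTP download script")
        elif name == "win.log" and in_root:  # advisory: created in the root directory
            findings.append(f"{path}: infection counter log")
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9996           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1043        198.51.100.7:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_FILES = [r"C:\win.log", r"C:\WINNT\system32\12345_up.exe",
                r"C:\WINNT\system32\cmd.exe", r"C:\Temp\app\win.log"]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_NETSTAT, SAMPLE_FILES):
        print(finding)
```

A clean result only means these particular traces are absent; the LSASS patch is still needed.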
 
My symptoms are similar to this but the code is 128. I scanned through the registry and can't find anything like avserve.exe. I will download the above-mentioned patch later and keep you guys updated....

 
Though the code is different, the patch seems to work... no more shutdown. Cheerssss
 