Re: lsass.exe worm


From: Lanwench [MVP - Exchange] (lanwench_at_heybuddy.donotsendme.unsolicitedmail.atyahoo.com)
Date: 10/19/04


Date: Mon, 18 Oct 2004 21:30:03 -0400

Selarom De Janerio wrote:
> we got affected by this today on our 2000 workstations.
> is there an automated way to push down the updates for this?
>
> regards -

Not without SUS or something similar.
Standard boilerplate follows:

You've been infected by the Sasser worm or variant. This means you didn't
apply Windows Updates (at least not very recently - patch for this came out
April 13 2004) and don't have a firewall enabled....

For WinXP: If you can't stop your computer from restarting:

As soon as your computer reboots and Windows loads, click Start, then Run.
In the box, type the following:

     shutdown -a (then click OK)

[for Win2k, shutdown.exe is part of the resource kit and the correct syntax
is shutdown /a]

Then see http://www.microsoft.com/security/incident/sasser.asp and
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

McAfee's Stinger tool to remove Sasser: http://vil.nai.com/vil/stinger/

MS removal tool for Windows 2000 SP2 and up, or Windows XP:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;841720

Enable your XP firewall (or get a third party one if not on XP or even if
so - www.zonealarm.com has a free one) - if you're on a network, you need a
good perimeter firewall anyway. Run Windows Update regularly to
keep your OS patched to the gills. You also need good antivirus software and
need to keep it updated regularly. As mentioned, the patch for this exploit
was released April 13th...but there are plenty you do need. Perhaps you want to
enable the autoupdate feature of Windows Update and subscribe to the
security bulletin announcements at www.microsoft.com/security.


