
View Full Version : [OT]new 'virus' lsass.exe



zanzan
01-05-04, 08:59
My PC was attacked by it this morning. I did a search on Google and found the exploit and the fix. This exploit shuts down the computer; to remove it, go to http://www.securityfocus.com/bid/10108/solution/ and download the right one. It helped me.

Argent
01-05-04, 09:35
News from the past.

Three hurrahs for people who don't update their software regularly.

yavimaya
01-05-04, 11:36
News from the past.

Three hurrahs for people who don't update their software regularly.


LOL, I've had "Lsass.exe" running on my PC for about, hmmm, ever since I installed Windows XP, early last year..... obviously a Windows service.

But the "w32.sasser.worm" is only new to symantec.com, and I only got hit by it today myself!

Yet by your theories it must be over a year old and I've had it from the start .... also Symantec have only just found it? O_o

Archeus
01-05-04, 11:42
LSASS is used for security. If you disable it you disable the security on your machine. There is a trojan that hijacks it afaik though

tomparadox
01-05-04, 12:33
News from the past.

Three hurrahs for people who don't update their software regularly.

I don't :/ I had a bad experience with that: I used its auto updater, it said to restart the computer, and I ended up reformatting it 2 times before it would work again...

extract
01-05-04, 13:14
News from the past.

Three hurrahs for people who don't update their software regularly.

You know, it's funny you say that.....

For one, updating software does not protect you from everything, maybe from this....

As far as news from the past, do you understand exactly how hard it is for the common person to remember every single virus to ever exist? What's the harm in a fellow gamer trying to educate his peers? I wouldn't clown him, I'd thank him, even IF you were already 1337 enough to know about it.

tomparadox
01-05-04, 13:21
For one, updating software does not protect you from everything, maybe from this....

I agree, my grandma's comp was fully updated and it got like 15 viruses...

As far as news from the past, do you understand exactly how hard it is for the common person to remember every single virus to ever exist? What's the harm in a fellow gamer trying to educate his peers? I wouldn't clown him, I'd thank him, even IF you were already 1337 enough to know about it.
I agree with this also, there are so many viruses out there that you could never possibly remember them all. Hell, I found a list online that had about 10,000 viruses in the list, and that wasn't even including the newer ones; I think there's a new 10 or so every week. And I feel sorry for the poor ass that sits there and makes them, because all his life will probably amount to is some 20 or so year old or something thinking he's a badass cos he can annoy people with his viruses that, if you know how to program, anyone can make. Bah, there I go on one of my rants again...

Scikar
01-05-04, 14:13
Updating software doesn't stop viruses completely, that's what antivirus is for. But it does block the exploits they use: Blaster uses an exploit in RPC to shut down your computer, Netsky.P uses an exploit in Outlook to run e-mail attachments without you opening them. With an updated comp, Blaster can't shut it down allowing you to clean up, and Netsky can't install itself.

Gohei
01-05-04, 15:05
Thanks, I've had the problem all day and I couldn't figure out wtf it was.

extract
01-05-04, 16:28
Another NASTY one going around today, think it started last night.... I'm finding out the hard way, working tech support for an ISP and all =/

W32.Sasser.Worm (Windows 2000, Windows Server 2003, Windows XP): the worm starts 128 threads that scan randomly chosen IP addresses. This demands a lot of CPU time and as a result an infected computer may be so slow as to be barely usable.

You will get messages like "not enough quota or memory to run this process"....

Temp fix to stop the malicious process is....
Press Ctrl+Alt+Delete once.
Click Task Manager.
Click the Processes tab.
Double-click the Image Name column header to alphabetically sort the processes.
Scroll through the list and look for avserve.exe.
If you find the file, highlight it and end the process, then log on and run Windows Update to fix the gaping security gap XP seems to have.....

ffs XP is a virus soaking bitch

StryfeX
01-05-04, 16:29
Nice thread. I just updated my virus definitions, so I should be good. Norton AV Corporate Edition rocks. :p

--Stryfe

Gohei
01-05-04, 19:41
Lol, this is like "Antivirus for morons" such as I.

Mods, plz make it a sticky

Marx
01-05-04, 19:47
watch out for lsass.bat, not .exe

Lexxuk
01-05-04, 19:48
I think a few people on my ISP's DSL IP range are infected with a virus: my firewall is going red, logging several port scan attempts from the same IP range I'm in. It's nothing serious (not for me, my BW can hold it) but I feel sorry for the poor bugger who's scanning so many computers all the time.

Firewall + AV = pwnage.

Windows XP, btw, is only good for virii because it is popular. Virii writers wouldn't really have much call to write a virus for an OS that only 0.001% of computer bases own, because it would be hard to distribute and cause minimal disruption. With Windows XP, you can cause the most disruption in as little time as possible. Though the RPC vuln was well known about, and fixes available, long before Blaster was released into the wild, people had just not updated.

Bragvledt
01-05-04, 20:31
I'm scanning right now and NAV again found 2 viruses, yesterday I had 6 of 'em.

Damn pr0n sites ... :p

jernau
01-05-04, 20:32
Just in case people are seeing lsass running and getting panicked, can I point out it's a critical part of Windows. It handles authentication to the security databases. Many applications rely on it to run properly.

Whoever suggested remembering all virus info - 8|. I doubt that's even possible.

Keeping a PC reasonably secure is very very simple -
1) Install a decent Anti-virus package (eg NAI), set it to auto-update and check that it is doing so
2) Set Windows up to auto-download and auto-install all patches. (This will sometimes ask for reboots but it's idiot-proof so worth it)
3) Get a firewall (eg Black-Ice) and set it to auto-update itself.
4) Don't use Hotmail or anything that smells like Hotmail
5) Use an email client your AV can interface to (eg Outlook)
6) Don't open email from anyone you don't know
7) Run a pop-up blocker (eg Google toolbar)
8) Think before you follow links from unknown sources (eg IRC, forums, etc)
9) Don't use Kazaa
10) Don't install every crappy app you find on the net/magazine covers/under the couch

That's it, no rocket science, no brain surgery, just common sense.

If people can't do this they should not own a PC IMO. It's no more difficult than not letting your car run out of fuel/oil/water or not leaving the keys in the ignition when you park it.

Bragvledt
01-05-04, 20:40
If I get a virus whilst surfing, isn't this an OS (or browser come to think of it) insecurity issue?
I'm running Mozilla on Win98SE btw, with NAV and Zonealarm Pro running.
I also run Spybot Search & Destroy regularly.

Lexxuk
01-05-04, 20:43
Here, Jernau, something you will find funny: you know Ad-Aware? It's being sued by another spyware finder, cause Ad-Aware apparently lists the entire programme as spyware, so removes it, lock, stock, and barrel (it's on the PC Plus Forums, about a cover CD programme :D)

jernau
01-05-04, 20:43
If I get a virus whilst surfing, isn't this an OS insecurity issue?
I'm running Mozilla on Win98SE btw.

Far more likely related to the browser or a browser plugin.
All browsers use standard OS calls, however, so it's not always clear cut.


/edit @Lexx - LOL. Why am I not surprised?

Bragvledt
01-05-04, 20:46
Far more likely related to the browser or a browser plugin.
All browsers use standard OS calls however so it's not always clear cut.


The 6 viruses were found in my Java dir, something to do with turbo.class if I remember correctly.
I just wanna make sense out of this stuff.

jernau
01-05-04, 20:55
The 6 viruses were found in my Java dir, something to do with turbo.class if I remember correctly.
I just wanna make sense out of this stuff.

Unfortunately it's often not as easy to fully understand the mechanisms of these things as it is to prevent them, but I'll give an example:

Java is a common programming language. To run Java applications on your PC you need a Java plug-in (which ships with most browsers these days) which integrates into your browser and into your OS. If the browser then goes to a site that uses Java, it passes the Java part on to that plug-in for processing. The plug-in uses the OS and itself to do whatever needs doing and hands the results back to the browser to display.

The same system works for all sorts of things like Flash, Quicktime, etc.

There can be ways to exploit any part of this chain - the browser, the OS, the plugin or any of the links in-between. A non-technical user will have no possible way to tell where the problem lies.

Bragvledt
01-05-04, 21:17
Thanks for explaining.

I got some more small questions :


what stops a site from putting a virus in a .zipfile on your pc?
do firewalls inspect all site-data that goes to your pc for virus-like content?
isn't it better to stop all this on an ISP-level and let them worry about it?


[edit]
Sorry for all these questions, but once I get going ... :rolleyes: :)

Lexxuk
01-05-04, 21:21
Thanks for explaining.

I got some more small questions :


what stops a site from putting a virus in a .zipfile on your pc?
do firewalls inspect all site-data that goes to your pc for virus-like content?
isn't it better to stop all this on an ISP-level and let them worry about it?


When you come up to a zip file, or a programme, your browser will ask you what you want to do with that thing. However, viruses are really small in size, so wouldn't need to be zipped up.

No, firewalls block packets and stuff, antivirus blocks viruses (unless, like me, your antivirus also has a built-in firewall).

No, not feasibly by any margin. Although mine stops email viruses.

Scikar
01-05-04, 21:25
Thanks for explaining.

I got some more small questions :

what stops a site from putting a virus in a .zipfile on your pc?
do firewalls inspect all site-data that goes to your pc for virus-like content?
isn't it better to stop all this on an ISP-level and let them worry about it?

[edit]
Sorry for all these questions, but once I get going ... :rolleyes: :)

As I understand it, a website doesn't so much send stuff to you, as your comp requests it from the site. Downloading .html files and so on, which are displayed by the browser, happens automatically, since you can't write a virus very well in .html. ;)

To download anything else, requires you to confirm it. Opening a page can create a request for you to download and run a .exe or .zip file, but you have to confirm it, so you can see what's being requested and deny it if it's suspicious.

Firewalls work by recording when there is a request for data. If your computer receives a packet, the firewall checks it against its register to see if your computer requested it in the first place. If there was no request, it is blocked, otherwise it is allowed through.

Regarding ISPs, I believe there is too much data passing through for it to be effectively monitored. If it was, there would be a dramatic increase in latency across the board (anything you sent would be checked first by your ISP, which takes time, and then by the destination ISP, which takes more time, before finally arriving (and probably being checked yet again at the destination)).
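To make Scikar's description of a firewall concrete, here is a toy stateful packet filter as an added example (it is not code from the thread or from any real firewall product). Outbound packets register a flow in a state table; an inbound packet is allowed only if it answers a flow the host itself opened, or hits a port the owner has deliberately exposed. Everything else, such as the unsolicited probes Lexxuk saw in his firewall log, is dropped and logged. The packet layout, addresses and ports are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal constructed packet: just the fields a stateful filter keys on."""
    direction: str   # "out" = sent by our host, "in" = arriving from the network
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFilter:
    """Allow inbound traffic only for flows our host initiated (or ports we expose)."""

    def __init__(self, listen_ports=()):
        # flows we opened, keyed as (proto, remote_ip, remote_port, local_port)
        self.flows = set()
        # (proto, port) pairs for services we run on purpose; all other inbound is dropped
        self.listen_ports = set(listen_ports)
        self.log = []

    def handle(self, pkt):
        if pkt.direction == "out":
            # record the "request" so the reply can be matched later
            self.flows.add((pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return "allow"
        # inbound: is this the answer to something we asked for?
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        if key in self.flows:
            return "allow"
        if (pkt.proto, pkt.dst_port) in self.listen_ports:
            return "allow"
        self.log.append(
            f"blocked unsolicited {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> port {pkt.dst_port}"
        )
        return "block"


def run_demo():
    """Constructed traffic: a normal web request, its reply, and two stray packets."""
    fw = StatefulFilter()
    me, web, neighbour = "10.0.0.5", "192.0.2.10", "10.0.0.77"
    traffic = [
        Packet("out", "tcp", me, 49152, web, 80),         # our browser asks for a page
        Packet("in", "tcp", web, 80, me, 49152),          # the page comes back: allowed
        Packet("in", "tcp", neighbour, 1025, me, 445),    # unsolicited probe from the same range: blocked
        Packet("in", "tcp", web, 80, me, 49153),          # right host, but not a flow we opened: blocked
    ]
    verdicts = [fw.handle(p) for p in traffic]
    return verdicts, fw.log


if __name__ == "__main__":
    verdicts, log = run_demo()
    print(verdicts)
    print("\n".join(log))
```

The point of the state table is the one Scikar makes: the filter does not need to understand what is inside a packet, only whether anyone on this machine asked for it. The `listen_ports` set covers the case the thread does not discuss, a machine that deliberately runs a server and therefore must accept some unsolicited connections.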

Bragvledt
01-05-04, 21:30
When you come upto a zip file, or a programme, your browser will ask you what you want to do with that thing. However, viruses are really small in size, so wouldnt need to be zipped up.


Then how come zipfiles automatically end up on my pc?!
Scanning's finished now on my pc and there were 2 more viruses in these files :
Counters.jar-34a70a75-768f65d0.zip
Counters.jar-34a70a75-768f65d0.zip
(2 in 1 file it seems, and the zip is still present)

There's NO way I downloaded these files manually. o_O

jernau
01-05-04, 21:32
What stops a site from putting a virus in a .zipfile on your pc?
All files that arrive at your browser are requested by it. Even the ones you don't want (they are called down by ones you did want). There is no reason that a page can't call for any type of file (including zip) however your browser will then act according to your settings for that file-type. In the case of zip it will ask where you want to save it. In theory that behaviour could be changed but it's not easy or very useful. If someone had that level of control of your system they could bypass the browser entirely.



Do firewalls inspect all site-data that goes to your pc for virus-like content?
Not usually, though some can. I would recommend running separate AV and firewall, the reason being that they work in different ways. AV works by intercepting data going to and from your hard drive, whereas a firewall intercepts data going to and from your modem or network card. You could scan for viruses on the network/modem but it's less efficient, and you would still need AV to protect from CDs/floppies/etc., so you might as well let each do what it's best at.


Isn't it better to stop all this on an ISP-level and let them worry about it?
Not really. The computing overhead would be immense. Think of an ISP like a conveyor belt carrying boxes of information. If you wanted to examine all that information you would have to open every box as it passed you. With thousands of customers that would either mean slowing the belt or paying millions of people (ie computers) to stand next to it grabbing boxes as they pass, check them, and put them back as they were. It's much easier to just look for very simple things at the ISP level, like traffic on suspicious ports or protocols. In the conveyor analogy that would be like watching for red boxes or round boxes and knocking them off as they go by.



/edit - If you have been infected the zips may have been made by the virus. Alternatively they may be a legitimate part of your OS or something installed on it that has been infected by the virus.

Lexxuk
01-05-04, 21:35
Then how come zipfiles automatically end up on my pc?!
Scanning's finished now on my pc and there were 2 more viruses in these files :
Counters.jar-34a70a75-768f65d0.zip
Counters.jar-34a70a75-768f65d0.zip
(2 in 1 file it seems, and the zip is still present)

There's NO way I downloaded these files manually. o_O

Them there are Java files by the looks of it. If you go to any "dodgy" sites, it fires up your Virtual Machine (don't use Microsoft's, use Sun's, MS VM is no longer supported), and downloads the Java files into your internet cache folder.

Bragvledt
01-05-04, 21:42
Thanks for all the answers guys.

The zipfiles are indeed containing Java .class files (compiled Java-programs?).
So these "dodgy" sites could just put zips/viruses on my system (dir is not the internet temp files dir, it's the win/application data/... java one) without me (or NAV, or ZoneAlarm Pro) being able to do anything???

jernau
01-05-04, 21:46
Thanks for all the answers guys.

The zipfiles are indeed containing Java .class files (compiled Java-programs?).
So these "dodgy" sites could just put zips/viruses on my system (dir is not the internet temp files dir, it's the win/application data/... java one) without me (or NAV, or ZoneAlarm Pro) being able to do anything???
It's more likely that the virus tried to hide itself in those files after it got in some other way.

Another possibility is that they are non-standard zips. Most AV programs can check inside compressed archives (eg zip files) and will try to do so whenever they see them. If an archive is passworded, broken or in some way non-standard it can produce a false alarm because the AV program can't say for certain it is safe. If you can open them in winzip this is probably not the case.
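jernau's point above, that an AV engine should say "can't verify" rather than "clean" when an archive is passworded or broken, is easy to get wrong in code. The checker below is an added example (not the thread's code and not any AV vendor's engine). It looks inside in-memory zip files, flags entries that carry a Windows executable (by name, or by the "MZ" header under an innocent name, which is how Bragvledt's Counters.jar zip came to contain a web.exe), and returns "unverifiable" for a truncated archive or an encrypted entry. The sample archives are constructed inline; the helper that sets the "encrypted" flag only mimics the metadata of a passworded zip so the reader demands a password, it does not actually encrypt anything.

```python
import io
import zipfile

# Names a Windows shell will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = (".exe", ".bat", ".scr", ".com", ".pif")


def check_archive(data, password=None):
    """Classify a zip held in memory.

    Returns {"status": "clean" | "suspicious" | "unverifiable", "reasons": [...]}.
    "unverifiable" is the honest answer for archives the checker cannot see into;
    reporting those as clean is exactly the mistake to avoid.
    """
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return {"status": "unverifiable", "reasons": [f"not a readable zip: {exc}"]}
    with zf:
        for info in zf.infolist():
            name = info.filename
            looks_executable = name.lower().endswith(EXECUTABLE_EXTENSIONS)
            if looks_executable:
                reasons.append(f"executable entry: {name}")
            try:
                with zf.open(info, pwd=password) as fh:
                    head = fh.read(2)
            except RuntimeError:
                # zipfile raises RuntimeError for an encrypted entry when no (or a wrong) password is given
                reasons.append(f"encrypted entry, contents not inspected: {name}")
                return {"status": "unverifiable", "reasons": reasons}
            except zipfile.BadZipFile as exc:
                reasons.append(f"corrupt entry {name}: {exc}")
                return {"status": "unverifiable", "reasons": reasons}
            if head == b"MZ" and not looks_executable:
                # DOS/PE header hiding under a harmless-looking name
                reasons.append(f"PE header inside non-executable name: {name}")
    return {"status": "suspicious" if reasons else "clean", "reasons": reasons}


def build_zip(entries, compression=zipfile.ZIP_DEFLATED):
    """Constructed sample archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_entry_encrypted(data):
    """Set bit 0 ('encrypted') of the general-purpose flags in the first
    central-directory record. Constructed for the demo: the data stays in the
    clear, but the reader will now insist on a password, which is the
    failure mode under discussion. Use with ZIP_STORED so the signature search
    cannot hit compressed data by accident."""
    cd = data.index(b"PK\x01\x02")      # central directory file header signature
    off = cd + 8                         # offset of the general-purpose bit flag field
    flags = int.from_bytes(data[off:off + 2], "little") | 0x0001
    return data[:off] + flags.to_bytes(2, "little") + data[off + 2:]


def run_demo():
    """Constructed samples; returns {label: status}."""
    class_bytes = b"\xca\xfe\xba\xbe\x00\x00"          # Java class-file magic, constructed stub
    pe_bytes = b"MZ\x90\x00 constructed stub, not a real program"
    samples = {
        # a Java archive that also ships a Windows executable, like the Counters.jar / web.exe pair
        "jar_with_exe": build_zip({"Counters.class": class_bytes, "web.exe": pe_bytes}),
        "clean_jar": build_zip({"Counters.class": class_bytes}),
        "renamed_pe": build_zip({"readme.txt": pe_bytes}),
        # truncated download: the end-of-central-directory record is gone
        "truncated": build_zip({"Counters.class": class_bytes})[:-12],
        # passworded archive, which the checker must not call clean
        "passworded": mark_entry_encrypted(build_zip({"secret.bin": b"hello"}, zipfile.ZIP_STORED)),
    }
    return {label: check_archive(data)["status"] for label, data in samples.items()}


if __name__ == "__main__":
    for label, status in run_demo().items():
        print(f"{label:13s} {status}")
```

Three outcomes rather than two is the design choice worth copying: a scanner that only knows "clean" and "infected" has to pick one when it cannot open an archive, and either choice is wrong.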

Lexxuk
01-05-04, 21:47
Tell you what, lets take a long look at how a web page is processed for you. We will use the neocron homepage as an example.


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

This part tells you what type of web page it is, XML, DHTML etc. It's so the browser can say "ohh, it's that type".


<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

This one tells your browser which charset to use, as in, what language subset the web page is written in, in this case ISO-8859-1, Arabic?


<title>Neocron Homepage </title>

That bit tells your browser to set the title at the top of the page to "Neocron Homepage".


<meta name="ROBOTS" content="INDEX,FOLLOW" />

For search engines


<link rel="StyleSheet" href="themes/Neocron/style/style.css" type="text/css">
<script type="text/javascript" src="javascript/showimages.php"></script>

Two external calls there, the first one calls the style sheet (which tells your browser, what colour is what object/text etc..) the second calls a Javascript, which in turn, calls a .php file.

Now, a .php file is a server-side programming language file; it means a programme can be run. For instance, on a PHP enabled web server, typing <? phpinfo(); ?> would give you lots of listings of the PHP objects.

Now, throughout the document, there are calls to images, tables etc. The browser looks at these and fits them how it sees them.

If it came upon a zip file though, it wouldn't be able to display it (if it came upon a .php file on a non-PHP server, it would ask you to download the file, strange but true). It would actually do nothing, unless of course there was a JavaScript countdown to download the zip file. In which case, Internet Explorer, Netscape, Mozilla, Firebird, Konqueror etc. will *all* ask "what dya want me to do wiv dis den dude?". None will just download it.

But as big J said, the best thing you can do is protect your system with AV and a firewall. Don't download dodgy stuff, NEVER open an email attachment from someone you know unless you're expecting it, and NEVER EVER from anyone you don't know, especially if it offers you a chance to see Snow White fornicating with 7 dwarves.

Of course, the actual process of getting a web page is more complex than that, with the browser going back and forth, downloading an image, going back, downloading the next image etc.. but that's beyond the realm of this post.
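Lexxuk's walk-through can be turned into a small tool. The parser below is an added example (not his code and not the Neocron site's) that reads markup with Python's standard html.parser and separates the parts that merely set browser behaviour (doctype, charset, title, robots) from the parts that make the browser go and fetch something on its own (style sheets, scripts, images, objects, frames). The sample page is constructed from the snippets quoted in the thread plus a hypothetical <img> and <object> line; the page URL and the third-party host are placeholders. Resolving each reference to an absolute URL and then comparing hosts is what lets you see at a glance which fetches leave the site you think you are visiting, which is where Bragvledt later found his object tag.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ResourceLister(HTMLParser):
    """Walk the markup and record what the browser will request without being asked."""

    # tag -> attribute that names the external resource the browser fetches
    FETCH_ATTRS = {"link": "href", "script": "src", "img": "src",
                   "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.metadata = {}         # doctype, content-type, robots, title
        self.fetches = []          # (tag, absolute URL) in document order
        self._in_title = False

    def handle_decl(self, decl):
        # e.g. DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
        self.metadata["doctype"] = decl

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}     # attribute names arrive lowercased
        if tag == "meta":
            if a.get("http-equiv", "").lower() == "content-type":
                self.metadata["content-type"] = a.get("content")
            elif a.get("name", "").lower() == "robots":
                self.metadata["robots"] = a.get("content")
        elif tag == "title":
            self._in_title = True
        elif tag in self.FETCH_ATTRS:
            ref = a.get(self.FETCH_ATTRS[tag])
            if ref:
                # relative references are resolved against the page, as the browser does
                self.fetches.append((tag, urljoin(self.page_url, ref)))

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.metadata["title"] = data.strip()


def analyse(page_url, html):
    """Return (metadata, fetches, third_party_fetches) for one page."""
    p = ResourceLister(page_url)
    p.feed(html)
    p.close()
    host = urlsplit(page_url).hostname
    third_party = [url for _, url in p.fetches if urlsplit(url).hostname != host]
    return p.metadata, p.fetches, third_party


# Constructed sample: the head lines quoted in the thread, plus a hypothetical
# image and a hypothetical <object> pulling from another host.
PAGE_URL = "http://neocron.example/"          # placeholder, not the real site address
SAMPLE_PAGE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Neocron Homepage </title>
<meta name="ROBOTS" content="INDEX,FOLLOW" />
<link rel="StyleSheet" href="themes/Neocron/style/style.css" type="text/css">
<script type="text/javascript" src="javascript/showimages.php"></script>
</head><body>
<img src="images/logo.gif">
<object data="http://ads.example.net/counter.html" width="1" height="1"></object>
</body></html>"""


if __name__ == "__main__":
    metadata, fetches, third_party = analyse(PAGE_URL, SAMPLE_PAGE)
    print(metadata)
    for tag, url in fetches:
        print(f"{tag:7s} {url}")
    print("third-party:", third_party)
```

Note that the parser deliberately does nothing with inline content: a `.php` in a `src` attribute is just another URL to the browser, exactly as Lexxuk says, and whatever the server does to produce it is invisible from this side.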

Bragvledt
01-05-04, 22:01
I think I know what the virus was now.
I opened up the zip file which NAV said contained a virus and it has a file called "web.exe", so I suspect this was it.

Thanks Lexxuk for the html info. The file that had the virus was downloaded today, about 1.5 hours ago.

I'm gonna restart now, rescan and do some "dodgy sites research" :p to try to find out which site(s) it was that gave me the virus, using my browser History as a guide.

Bragvledt
01-05-04, 23:43
First I had no viruses, then I went to 6 sites, rescanned and ... NAV found the MHTMLREDIR_Exploit virus (http://securityresponse.symantec.com/avcenter/venc/data/mhtmlredir.exploit.html) in a cache file from my Mozilla default profile. I can't see how this virus can be woken up though.

I think I know which site it is, but I'm going to check it separately.

Lexxuk
01-05-04, 23:49
First I had no viruses, then I went to 6 sites, rescanned and ... NAV found the MHTMLREDIR_Exploit virus (http://securityresponse.symantec.com/avcenter/venc/data/mhtmlredir.exploit.html) in a cache file from my Mozilla default profile. I can't see how this virus can be woken up though.

I think I know which site it is, but I'm going to check it separately.

It's ok, it only affects MS Internet Explorer; you're safe as you use Mozilla. I recommend you uninstall Internet Explorer though.

Bragvledt
02-05-04, 01:27
I got the site and the code of the vulnerability, it's an object tag somewhere on http://www.webzona.net (better not post its complete url ;)).
The good thing was, I couldn't even save the html code on my pc, NAV prompting me it contained the virus.

Can I report this site somewhere for action to be taken against this particular page? I know it's being taken care of through an IE patch, but still.

Lexxuk
02-05-04, 01:30
You could do a whois, find out who is hosting the website, and write to "abuse@" or to webmaster@webzona.net and ask them if they realise they have a virus.

Bragvledt
02-05-04, 01:40
Ok thanks, I'll do this tomorrow once I get my pc to be infected again as a final test (visiting the page now doesn't get any alert from NAV anymore).

Hmm, trying to uninstall IE6 feels like getting your pc fubar. I think I'll make a ghost image of my C: first. :D

uber java
02-05-04, 06:26
"lsass.exe" is a Windows Directory Services service/application.

REVKhA
02-05-04, 12:53
Heh, they didn't get me but.... I was thinking about my friend who got infected, and I feel bad for him. I have 1 question: why would a human spend all the time to learn how to program to make a virus that'll piss off people for a day or 2? Is that all they want? Piss off people for a day or 2? Imho these people should be sentenced to 10 years of jail. They might think about it twice when they're 10 years older and on a computer. Oh the humanity, how can such a useless piece of flesh actually deserve to live?

Ithaqua
03-05-04, 12:58
Well ladies and Gents, say hello to "Sasser".

It's a vicious little bug, opens up to 1024 threads to send itself onwards, which will torch your average network in no time. 3 variants since it went live on 01/04/04.

Here's the big bit... the patch came out on April 14th.

Here's a link to the SANS Internet Storm Center ISC handler diary entry (http://isc.sans.org/diary.php?date=2004-05-02) and one to M$'s removal tool (http://tinyurl.com/ywbw9)