Microsoft Windows LSASS Buffer Overrun Vulnerability

Description

Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise.

This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003.

Symantec Vulnerability Assessment
Symantec Vulnerability Assessment detects and reports this vulnerability. Click here for the advisory released April 13, 2004.


http://securityresponse.symantec.com/avcenter/sec...Content/10108.html


Stupid Microsoft making everyone aware of their holes then people make viruses, well work will be busy next few months, I do tech support and heard there was 160 calls waiting


Image credit to Matty.

----------------------------------------------------------------
Removal

Norton Removal Tool

Download the FxSasser.exe file from: http://securityresponse.symantec.com/avcenter/FxSasser.exe.
Save the file to a convenient location, such as your downloads folder or the Windows desktop, or removable media known to be uninfected.
To check the authenticity of the digital signature, refer to the "Digital signature" section later in this writeup.
Close all the running programs before running the tool.
If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.
If you are running Windows Me or XP, then disable System Restore. Refer to the "System Restore option in Windows Me/XP" section later in this writeup for further details.

Caution: If you are running Windows Me/XP, we strongly recommend that you do not skip this step.

Double-click the FxSasser.exe file to start the removal tool.
Click Start to begin the process, and then allow the tool to run.
Restart the computer.
Run the removal tool again to ensure that the system is clean.
If you are running Windows Me/XP, then re-enable System Restore.
Run LiveUpdate to make sure that you are using the most current virus definitions.


Disable System Restore Windows ME
Click Start
Click Settings
Click Control Panel
Double Click System
Click Preformance Tab at the top
Click File System
Click Troubleshooting Tab at the top
Check Disable System Restore (last box)
Click Ok, then Ok again

Disable System Restore Windows XP
Click Start
Click Run
Type "control panel" (without the quotes)
If in Category View(Says Pick a Category at the top) Click on System
If in Classic View (All icons shown) Double Click System
Click the System Restore tab at the top
Check the box that says Turn off System Restore on all drives.
You will be prompted and asked if you are sure and that all restore points will be deleted, Click Yes
Then click Apply, then Click OK

IF BY ANY CHANCE IN THE PROCESS OF DOING THIS THE BOX TO SHUT DOWN YOUR COMPUTER POPS UP DO THE FOLLOWING...
Click Start
Click Run
type "shutdown -a" (without the quotes)

Then Run the Removal Tool From Norton

After you have Run the Patch
Download and install the Microsoft update from here
(This Patch is for Windows XP Home and Pro with and without SP1)
For other Operating Systems please visit here

------------------------------
Variants

W32.Sasser.Worm
W32.Sasser.B.Worm
W32.Sasser.C.Worm

Bha.. don't worry about it, IT guys always take those things way too seriously. As for Microsoft publishing this kind of information, that's because they released a patch so anyone who is scared can secure himself easily. If they don't publish the info, they get accused of hidding things.

Thanks for the post.

quote:

---

Originally posted by Patchou
Bha.. don't worry about it, IT guys always take those things way too seriously.

---

My firewalls just blocked three trojans, probably that

Hmmm...
I got this shutdown message today about Issas.exe being closed but after the 60 secs, computer didnt shutdown
If I was going to the shutdown button on xp it was showing the log of screen.
When i clicked log off it stayed at "Saving your settings" and i had to close my computer with the hard way...

But after that i didnt got the same thing....

Btw wasnt blaster doing the same thing?

quote:

---

Originally posted by Mike2
Hmmm...
I got this shutdown message today about Issas.exe being closed but after the 60 secs, computer didnt shutdown
If I was going to the shutdown button on xp it was showing the log of screen.
When i clicked log off it stayed at "Saving your settings" and i had to close my computer with the hard way...

But after that i didnt got the same thing....

Btw wasnt blaster doing the same thing?

---

Who cares, if you get that weird shutting off error, open a DOS command type "shutdown -a" then take ur type to get all the patches and ull be clear

I had 87 attempts to put that on my pc yesterday

Stupid Microsoft making everyone aware of their holes then people make viruses, well work will be busy next few months, I do tech support and heard there was 160 calls waiting

i had 10 calls :~(

quote:

---

Originally posted by mgt
Stupid Microsoft making everyone aware of their holes then people make viruses, well work will be busy next few months, I do tech support and heard there was 160 calls waiting

i had 10 calls :~(

---

sound serious and freaky lol i hope i dont get it thanks for that info

But is this a virus?Because it doesnt sound like a virus to me... :undicided:

quote:

---

Originally posted by Mike2
But is this a virus?Because it doesnt sound like a virus to me... :undicided:

---

I don't think we have much to fear..the warning was to install a patch that has been released some time ago already. Also if u keep ur antivirusprogram up to date ur most likely protected against it already.

Also handy is  AVERT Stinger it scans for virusses/trojans/worms an related items...
get it here: http://vil.nai.com/vil/stinger/
(it found a few items my AV didnt )

Ohh yeah..what's sasser? It's a worm.

It allows a remote attacker to run malicious code on your pc, so it's kinda a virus

quote:

---

Originally posted by tomfletcherman
It allows a remote attacker to run malicious code on your pc, so it's kinda a virus

---

If you type SHUTDOWN -s -t 01 at Run the same thing happends...

Microsoft always give crap names To these things, Why cant they just give them the proper names, Ask the owner or something what they called it.

Just give them names like, For Example "NetSky"

But they called the newest one:

W32.NetSky.AB,  Always having to give them big names, Which are very pointless. Just confuses people who do not know anything about viruses,

As for me, I just let them Be, If they break my PC, Then Just format, I now have a virus scanner, So it takes the problems away, So... That should be a good thing,

So In otherwords.

Microsoft SUCK

quote:

---

Originally posted by JoeX
Microsoft always give crap names To these things, Why cant they just give them the proper names, Ask the owner or something what they called it.

Just give them names like, For Example "NetSky"

But they called the newest one:

W32.NetSky.AB,  Always having to give them big names, Which are very pointless. Just confuses people who do not know anything about viruses,

---

quote:

---

Originally posted by JoeX
As for me, I just let them Be, If they break my PC, Then Just format, I now have a virus scanner, So it takes the problems away, So... That should be a good thing,

---

quote:

---

Originally posted by Sunshine
Asfar as i know all it does is cause errormessages an reboots ur comp.

---

There is also a new virus - mainly came today - called Sasser - it targets a security patch downloaded from Microsoft Windows Update. Go to http://windowsupdate.microsoft.com to have a scan to see if you need a patch to sort it out

* TedoDude is being helpful today

quote:

---

Originally posted by TedoDude
There is also a new virus - mainly came today - called Sasser - it targets a security patch downloaded from Microsoft Windows Update. Go to http://windowsupdate.microsoft.com to have a scan to see if you need a patch to sort it out

* TedoDude is being helpful today

---

Not from what I have heard from the ICT guys in the office...

quote:

---

Originally posted by Patchou
don't worry about it, IT guys always take those things way too seriously.

---

quote:

---

Originally posted by VGProManiac
if you get that weird shutting off error, open a DOS command type "shutdown -a" then take ur type to get all the patches and ull be clear 

---

quote:

---

Originally posted by mgt
Stupid Microsoft making everyone aware of their holes then people make viruses

---

quote:

---

Originally posted by JoeX
Just give them names like, For Example "NetSky"

---

quote:

---

Originally posted by JoeX
If they break my PC, Then Just format, I now have a virus scanner, So it takes the problems away

---

Heh over here the news companies have been saying all day "Sasser is unlike other viruses because it travels over the internet rather than by email".  I get home and my dad tells me not to go on any websites and if i have to close them, not leave them open

The news can be so misleading

Yes, oh well i had two free days . I hope the other network admin at work took care of the most problems and user questions. But i already know by now that i will defenitly will get such questions too.

The news should be a little more educational and tell people that they should simply:
- go to windowsupdate.microsoft.com and install the critical updates there on a regular basis.
- Install a good virusscanner and keep that one up-to-date and ensure it's configured right so it is actually scanning.

Yes, there are people i helped who only had their virusscanner configured for on-demand scanning .