Calling All Geeks

I'm on a time crunch, but can you guys help me track down a virus/worm?

When people are getting on the net, lsass.exe is crashing and nt/authority shutdown in 60 seconds message.


Thanks for the help.

 

No,its a Gaobot variant.

Front page of http://www.sarc.com/.

I am blind, LOL.

 

could we be seeing the first run of worms for the new lsass vuln?

 

Thats precisely what it is. Sarc is reporting them as gaobot variants.


Half the building is infected here, heheh.

 

joy.. new worm and a broken patch for it.

 

Is it broken? I honestly didn't check. I just assumed the computers here were...less than maintained. The Windows XP support end of the building hasn't been hit...yet.

 

Probably not.


LOL.

 

You would think people would have learned from msblast....

 

Some more info:


Remember when Nick posted these patches and recommended that you get them from the direct URL?

I guess there is a site/sites out there that are recommending people download the patch. The download overwrote the patch, and opened the hole again....heheh.


At least thats what a fellow tech told me.

 

Apparently on win2000 systems it can lock up the boot process. I do believe it's ok for XP though.

 

The patch was issued on the 13th. There's nothing "wrong" with that patch that over-writes anything newer. It's a brand new patch..

 

No, you misunderstand what I meant.

It wasn't an MS site. ANd MS doesnt use popups either, not for that stuff.

But thats a rumor going around here. Don't know how true it is.

 

Oh.. well, that sucks. Why do people have to be that way.. :sigh:.

 

Is a variant of the OPTIX PRO Viruses.
Optix Pro (bck/Optix.Pro.13) is the trojan that opens TCP port 3410 and allows hacker to control an infected computer.
Also it installes and executes the Trojan Bck/sub7.22 which disables antiviral programs and systems processes with network displays.
Optix Pro copies it self thru Floppy disks, CDs, E-mail with infected atachments, files from FTP etc.

Use RegRun Optimizer to remove it automatically

 

This virus is transmitted by connecting to the net.

Doesn't sound like Optix Pro, IMO. None of the symptoms seem related.

I think it is a gaobot variant, as Sarc says. Its exploiting the lsass vulnerability.

 

O.K.

Hey there only like 25,000 links on google on goabot.
I only have about 24,980 left to read

 

Lol
-------

 

This virus seems to be spreading fast, my homepage is being hit by many people searching for solution to Lsass.exe and error (Very similar to when blaster started and they were searching for Svchost.exe).

 

A friend at work says that is it sasser and its variants.

They are getting slammed.

http://www.sarc.com/avcenter/venc/data/w32.sasser.b.worm.html
http://www.sarc.com/avcenter/venc/data/w32.sasser.worm.html



I wish people would update their computers. This BS is getting so old.