Lsass.exe oddities

J. Oquendo sil at politrix.org
Sat May 1 22:52:22 UTC 2004



> Date: Sat, 1 May 2004 14:58:40 -0700 (PDT)
> From: Henry Linneweh <hrlinneweh at sbcglobal.net>
> To: Todd Mitchell - lists <lists at ciphin.com>, 'Ejay Hire'
> <ejay.hire at isdn.net>, nanog at merit.edu
> Subject: RE: Lsass.exe causing shutdown in IE.

McAfee's Stinger takes care of this, or at least supposedly does:
http://vil.nai.com/vil/stinger. Maybe some of you guys on the ISP side can
place a copy on a public FTP for your users.

What I've noticed from looking at a few people who were infected with it
is, IE and OE get toasted, with OE returning the 0x800ccc15 which on XP
has to deal with a bad McAfee install, and/or timeouts. Now, I had this
one person I was on the phone with who had this error but was still open
to ping via DOS prompts and actually resolve out, and have information
returned to him. For a quick fix without having to reinstall I had him do
a system restore to a few weeks back, then reconnect and download stinger,
voila, fixed.

Currently running NMAP on the company's /18 to see if we can
notify users of this issue.

Below is output of the session with addresses stripped:

sil at mvi:~> ping 216.x.x.x
PING 216.x.x.x (216.x.x.x): 56 data bytes
64 bytes from 216.x.x.x: icmp_seq=0 ttl=251 time=6.351 ms
64 bytes from 216.x.x.x: icmp_seq=1 ttl=251 time=17.575 ms
64 bytes from 216.x.x.x: icmp_seq=2 ttl=251 time=15.147 ms
64 bytes from 216.x.x.x: icmp_seq=3 ttl=251 time=23.916 ms
64 bytes from 216.x.x.x: icmp_seq=4 ttl=251 time=6.343 ms
64 bytes from 216.x.x.x: icmp_seq=5 ttl=251 time=8.788 ms
64 bytes from 216.x.x.x: icmp_seq=6 ttl=251 time=15.620 ms
^C
--- x.x.x.x ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max/stddev = 6.343/13.391/23.916/6.056 ms

------------------------------------------------------
xxxxxxx is currently connected to 216.x.x.x
------------------------------------------------------
SessionID:  433419007           Svc:  PPP
Line/Chan:  1:13:42/000         Slot:Item: 1.03.06/008
Tx/Rx Rate: 45333/31200         IP Address: 216.x.x.x
ConnTime:   0:27:55             IdleTime: 0:00:00
Dialed#:    914XXXXXXX          Calling#: 914XXXXXXX
------------------------------------------------------

sil at mvi:~> telnet x.x.x.x 5554
Trying 216.x.x.x...
Connected to dialin-522-tnt.xxxx.xxxx
Escape character is '^]'.
220 OK
^]


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
GPG Key ID 0x51F9D78D
Fingerprint 2A48 BA18 1851 4C99 CA22 0619 DB63 F2F7 51F9 D78D
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x51F9D78D

sil @ politrix . org    http://www.politrix.org
sil @ infiltrated . net http://www.infiltrated.net

'Men have been taught that it is a virtue to agree with others.
But the creator is the man who disagrees. Men have been taught
that it is a virtue to swim with the current. But the creator
is the man who goes against the current. Men have been taught
that it is a virtue to stand together. But the creator is the
man who stands alone.' -- Ayn Rand
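
Added example, not part of the original post: a small Python check an operator could run against addresses in their own allocation to find hosts that answer on TCP 5554 with a "220" greeting, as the telnet session in the message shows, so those users can be notified. The function names and the loopback demo listener are assumptions made for illustration.

```python
import socket
import threading

PORT = 5554  # the port probed with telnet in the session above

def probe(host, port=PORT, timeout=3.0):
    """Return 'closed', 'open-no-banner', or the first banner line received."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(128)
            except socket.timeout:
                return "open-no-banner"
    except OSError:  # refused, unreachable, reset, connect timeout
        return "closed"
    line = data.split(b"\n", 1)[0].strip()
    return line.decode("ascii", "replace") if line else "open-no-banner"

def flag_hosts(hosts, port=PORT, timeout=3.0):
    """Return {host: banner} for hosts that answer with a '220' greeting."""
    flagged = {}
    for host in hosts:
        banner = probe(host, port, timeout)
        if banner.startswith("220"):
            flagged[host] = banner
    return flagged

def demo_listener(banner=b"220 OK\r\n"):
    """Constructed loopback stand-in for an affected host; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = demo_listener()
    print(flag_hosts(["127.0.0.1"], port=port, timeout=2.0))
```

A host that is open on the port but sends a different greeting is not flagged, which keeps unrelated services out of the notification list.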



