LSASS Exploit (EXP) attack, from 213dot219dot106dot40:445

My PC was infected by Win32:VB-ERV [Trj]. I got rid of it, but I still get warnings about being attacked from (213dot219dot106dot40:445). So can anybody help me…?

What found the attack?
I would have thought that this exploit would have been handled by the Network Shield (in which case it wouldn’t have got on to your system), if not by your firewall, which is?

What is the infected file name (if found on your system), and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. This applies to all detections on your system or Internet IP address.

Sorry it took me so long to reply. Comodo firewall picked it up, then avast! blocked it. The attack happened while I was installing Flash Player (I’m really sure about this because it happened twice). I got a warning from avast! about an infection by Win32:VB-ERV [Trj] in flash.10.exe and scanner.exe in system32. I don’t really remember the others because I formatted my HD a couple of times this week (not because of the virus, but just because I changed my motherboard). The avast! Warning section stated the attack originated from that IP.

That is fine; that is what your firewall should do, block unwelcome attacks. What to do about it? Nothing, ignore it, as you won’t stop speculative attacks on your system, even though your OS is fully up to date and not vulnerable to an LSASS exploit attack.

What concerns me is, if Comodo blocked it, why (and what) did avast alert on? The firewall shouldn’t have let it pass. This is why I asked for the information from the avast Log Viewer.
I would have thought that only the Network Shield would possibly intercept, but the firewall should have stopped even that.

DavidR, I’m still curious about this. Frankly, I have no idea about this LSASS exploit thing. I still get that alert from avast!, as you can see in my latest Network Shield log below…

30.08.2007 22:27:10 LSASS Exploit (SXP) attack, from 60.53.49.133:445
08.10.2007 23:59:43 LSASS Exploit (SXP) attack, from 60.50.252.249:445
09.10.2007 01:20:58 LSASS Exploit (SXP) attack, from 60.50.194.222:445
10.10.2007 02:53:16 DCOM Exploit attack, from 202.188.50.69:135

For the last 3 lines I got the alert while my firewall was off, because I have to shut it down when playing online games or I face terrible lagging. What should I do then when I receive the alert?

Hi MeDIeVaL,

TCP Port 445
Common Use

The Microsoft-DS service is used for resource sharing on Windows 2000, XP, 2003, and other Samba-based connections. This is the port that is used to connect file shares, for example.

Inbound Traffic

Inbound scans are typically systems which are trying to connect to file shares that might be available on your system, and hence these should be blocked. While most of this traffic is the result of worms or viruses which can use open file shares to propagate, it can also be the result of malicious users attempting to connect to your computer. Once connected, they can download, upload, or even delete or edit files on the connected file share. If you use open file shares (including sharing of printers, etc.) on your local network (LAN), then you should be using a firewall such that your local file shares are not accessible from the internet. Connecting to open file shares is likely the easiest and most common hack on the internet, and yet one of the most effective for malicious activities like identity theft or installing RATs (Remote Access Trojans) to take control of systems remotely, for example.

Lately TCP Port 445 has become the target of LSASS exploiting worms like Sasser and Korgo.

Outbound Traffic

Outbound scans, if occurring in volume, should be considered an indication of a possible worm infection on the source computer and should be investigated. If there are systems to which you remotely connect, then those systems should be marked as trusted IPs within Link Logger, such that future authorized events will be logged as normal traffic.

polonus
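As an added example (not code from the thread, from avast! or from Link Logger), here is a small Python parser for Network Shield entries in the form MeDIeVaL posted above, which tags the port in each alert with the service polonus describes (445 Microsoft-DS, 135 DCOM/RPC) and tallies alerts per attack type, port and source. The embedded log lines are the four quoted in the thread; the port-to-service names and the tally logic are this example's own assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the four Network Shield entries quoted in the thread,
# in the "DD.MM.YYYY HH:MM:SS <attack name>, from <ip>:<port>" form shown there.
SAMPLE_LOG = """\
30.08.2007 22:27:10 LSASS Exploit (SXP) attack, from 60.53.49.133:445
08.10.2007 23:59:43 LSASS Exploit (SXP) attack, from 60.50.252.249:445
09.10.2007 01:20:58 LSASS Exploit (SXP) attack, from 60.50.194.222:445
10.10.2007 02:53:16 DCOM Exploit attack, from 202.188.50.69:135
"""

# Port-to-service labels as described in the thread (assumed mapping for this example).
PORT_SERVICE = {445: "Microsoft-DS (SMB file sharing)", 135: "DCOM / RPC endpoint mapper"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<attack>.+?), from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$"
)


def parse_entries(text):
    """Return one dict per well-formed log line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port = int(m.group("port"))
        entries.append({
            "time": datetime.strptime(m.group("ts"), "%d.%m.%Y %H:%M:%S"),
            "attack": m.group("attack"),
            "ip": m.group("ip"),
            "port": port,
            "service": PORT_SERVICE.get(port, "unknown"),
        })
    return entries


def summarize(entries):
    """Count alerts per attack type and per port, and list the distinct source IPs."""
    return {
        "by_attack": dict(Counter(e["attack"] for e in entries)),
        "by_port": dict(Counter(e["port"] for e in entries)),
        "sources": sorted({e["ip"] for e in entries}),
    }


if __name__ == "__main__":
    ents = parse_entries(SAMPLE_LOG)
    for e in ents:
        print(f"{e['time']:%Y-%m-%d %H:%M}  {e['attack']:<28} {e['ip']:<16} {e['service']}")
    print(summarize(ents))
```

Distinct sources and a spread of timestamps, as in the sample, are what the speculative scanning DavidR describes looks like in the log; repeated hits from one source would be the case worth a closer look.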

{Sigh} I’m connected to the internet through DSL, so I don’t have any LAN, right? I have never used file or printer sharing, and I don’t even have any P2P application on my computer, so is there any reason why I got this attack alert? How about the DCOM Exploit? Is it the same as the LSASS Exploit? In case the source computer (it’s the internet service provider, right?) has been infected, what should I do then?

The LSASS exploit is, as it implies, trying to take advantage of an exploit that was long ago patched by MS (the same is true for the DCOM exploit), so if your OS is up to date then your system isn’t vulnerable to the exploit. That doesn’t stop people from trying, as they have absolutely no way of knowing if the system they are trying to attack is up to date.

So the attacks are speculative, in the hope they find a system that isn’t up to date and vulnerable. These attacks are probably random IP address attacks, but not having your firewall running means your system isn’t stealthed, so any ping to that random IP would result in a response and it may then come in for more attention. Fortunately the Network Shield is doing its job of protecting against common routes of entry for viruses and worms.

So playing on-line games with your firewall disabled is a risk.

Thanx DavidR & polonus… learned a new thing today. Very much appreciated…

You’re welcome.