pne: A picture of a plush toy, halfway between a duck and a platypus, with a green body and a yellow bill and feet. (Default)
[personal profile] pne

Started the computer and got a dialog box (before even the login screen appeared): "lsass.exe - Systemfehler. Ein ungültiges HANDLE wurde angegeben." (system error - an invalid HANDLE was specified).

Oops, thought I. Sasser worm? Got through my firewall?

After I clicked OK, the computer rebooted—and appeared to act fine so far. Hit Wikipedia for the article, which indicated that the Sasser worm usually leaves a file C:\WIN.LOG or C:\WIN2.LOG, neither of which I had. Downloaded Stinger and ran that.

Stopped it when it ran into the tarpit that is 42.zip (a carefully crafted recursive ZIP of ZIPs that, if you were to unfold it completely, would run into zillions of bytes to scan); removed the bit to check in archives and re-started it. (Nothing so far, but it's still running.)

I'll have to think what to do about that file. Maybe password-protect it or something; it's always a bit annoying when some scanner decides to walk through it, because that takes forever.

Also googled for the error message (in German, since that's all I had) and found a few support forums where people had posted with that same error, asking for advice. Those forums appeared to consist mostly of the blind leading the blind—people saying "lsass.exe is the Sasser worm! Remove it!" and the like. And a couple of people saying that the only thing that had helped them was a repair installation of WinXP, which sounded more plausible but isn't something I'd like to do, especially since all I have is a recovery CD and I can imagine it doesn't have a "repair install" option but will return the system to its initial state—sans pne's files. Whoop.

(That reminds me—ought to back up some of my files sometime. *cough* I'm still waiting for empty DVDs to use for that; backing up to CDs would just need way too many.)

Date: Monday, 21 November 2005 14:14 (UTC)
From: [identity profile] bluewingedcat.livejournal.com
www.trendmicro.com

Very excellent site where you can virus scan your computer online. Always up to date, etc.

Date: Monday, 21 November 2005 16:50 (UTC)
From: [identity profile] n-true.livejournal.com
What exactly is that 42.zip? Never heard of it...

Date: Monday, 21 November 2005 17:16 (UTC)
From: [identity profile] pne.livejournal.com
A funny little thing to annoy things that scan inside of ZIP files (e.g. firewalls, FTP proxies, virus scanners etc.).

I don't know how they did it -- probably some hand-hacking of the binary ZIP file format so that multiple ZIP directory entries point to the same bit of compressed data -- but it appears to contain 16 "library" ZIP files, each of which contains 16 "document" ZIP files, each of which contains 16 "chapter" ZIP files, each of which contains a huge DLL. (Or something like that.)

But in all, it's pretty small.
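
Added example, not part of the original thread: a scanner can avoid the tarpit described above by capping how deep it descends and how many bytes it inflates, instead of unfolding every nested ZIP. The function names, the limits and the small sample archive are assumptions made for this sketch.

```python
import io
import zipfile

class BudgetExceeded(Exception):
    """The archive would cost more to unpack than the scanner allows."""

def scan_zip(data, max_depth=3, max_total=1 << 20, _depth=0, _state=None):
    """Walk a ZIP held in `data` (bytes), descending into nested ZIPs.

    Returns the number of bytes inflated; raises BudgetExceeded rather than
    unfolding the whole tree. The limits are illustrative defaults.
    """
    state = _state if _state is not None else {"total": 0}
    if _depth > max_depth:
        raise BudgetExceeded(f"nested deeper than {max_depth} levels")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                continue  # encrypted entry: cannot be inspected without the password
            remaining = max_total - state["total"]
            with zf.open(info) as member:
                # Bounded read: the declared info.file_size is attacker-controlled,
                # so cap the inflate itself instead of trusting the header.
                chunk = member.read(remaining + 1)
            state["total"] += len(chunk)
            if state["total"] > max_total:
                raise BudgetExceeded(f"more than {max_total} bytes inflated")
            if zipfile.is_zipfile(io.BytesIO(chunk)):
                scan_zip(chunk, max_depth, max_total, _depth + 1, state)
    return state["total"]

def build_sample(levels=3, fanout=2, leaf=b"\0" * 65536):
    """Constructed fixture: a small archive with the nested layout described above."""
    blob = leaf
    for _ in range(levels):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(fanout):
                zf.writestr(f"{i}.bin", blob)
        blob = buf.getvalue()
    return blob

if __name__ == "__main__":
    sample = build_sample()
    print(len(sample), "bytes on disk,", scan_zip(sample), "bytes inflated")
```

The byte budget is shared across the whole tree, so many small nested archives exhaust it just as one large member would.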

Date: Monday, 21 November 2005 23:07 (UTC)
From: [identity profile] allegrox.livejournal.com
Speaking of too many CDs, my music alone would take 15. Even DVDs are too small. (That said, I have most of it backed up on seven CDs and one DVD.)

But I haven't heard much of Sasser for a while.

Philip Newton