AnsweredAssumed Answered

vrf windows message "SHUTDOWN" --- remotely

Question asked by VRFuser on May 9, 2004

Like • Show 0 Likes0
Comment • 8

> it wasn't caused by any virus

Good news!

> as far as i know the only application that was
> running at that time were vee and excel

There's usually a *ton* of stuff running. Press Ctrl+Atl+Del, "t" (to select
Task Manager) and click the "Processes" tab. All that stuff is running.

> only my colleague and i have an access to the reskit
> for NT/win2000 in which the gui for shutdown is found.

Oh heck, you don't need that. Any stock NT can remotely shutdown any NT that
it has any kind of connection with. You won't find a whole lot of people
that know how to do this, but it can be done. The only way to prevent that
is to explicitly disallow remote shutdown with the Local Security Policy.

As for processes that crash... user mode code that crashes cannot hurt the
system. Kernel mode code that crashes can reset the system. Usually you'll
get a BSOD, but that's not guaranteed. Sometimes when kernel mode code
crashes your screen goes dark and then you get your BIOSs' sign on message.
As your computer boots up you're left with slack jaw, wondering what just
happened to that program you've been working on all night. If you didn't hit
Ctrl+S, it's gone!

SICL has occasionally crashed in the past, but I've never personally seen it
reset a machine. I do have a few reports from customers that the machine
reset for no apparent reason. All the logs seem to indicate this is the case
too, so it's not just customers getting grumpy. In the one case of this
behavior that was solved (so far anyway) we replaced an old HPIB card with a
newer Agilent card. The problem hasn't recurred in over two years now.

Which points out another potential possibility: hardware. Malfunctioning
hardware that hits the reset line will indeed reset the computer. Of course
if this is on more than one machine then it probably is some software cause.
-SHAWN-

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".

No one else has this question

Outcomes

8 Replies

enrique.velasco May 7, 2004 3:44 AM
Mark Correct
Correct Answer
hello everybody;

i wouldn't jump into conclusion that VEE might have cause the issue
mentioned above; apparently the only event log at that instance (before or
during) is from VEE (USB); and the details are as follows;

Event ID: 2
First event: 05/07/2004 17:59:00
Last event: 05/07/2004 17:59:00
Source: SICL Log
Type: Information
User: -
Log: Application
Computer: XXXXXXXXXXXX
Description:
ag357i[Pid/Tid=708/1448]: Note, Agilent USB/GPIB, SN[MY43286962], using
IoBufferSize=[65536], TimeoutFloorMsec=[2000], TimeoutUsbFlushMsec=[2000],
TimeoutWrCompleteFlushMsec=[15000]

is this somewhat a bug or something and hopefully its not a virus or
trojan, anyway, all the equipment are "ON" at that moment, while i'm trying
to write some codes... then a POP-UP message saying windows is shutting
down and i have about a minute to save all my work. SWELL!!!!!!!!

though here's the last three(3) events before the above event happened

Event ID: 14
First event: 05/07/2004 17:58:35
Last event: 05/07/2004 17:58:35
Source: Norton AntiVirus
Type: Information
User: -
Log: Application
Computer: XXXXXXXXXXXX
Description:
Norton AntiVirus services startup was successful.

Event ID: 105
First event: 05/07/2004 17:58:25
Last event: 05/07/2004 17:58:25
Source: WMDM PMSP Service
Type: Information
User: -
Log: Application
Computer: XXXXXXXXXXXX
Description:
The service was started.

Event ID: 4097
First event: 05/07/2004 17:58:13
Last event: 05/07/2004 17:58:13
Source: MSDTC
Type: Information
User: -
Log: Application
Computer: XXXXXXXXXXXX
Description:
MS DTC has started.

as I have mentioned above, "not jumping to conclusion" but I need to
further look in this matter for any parasite/s that might have caused this
issue - and also possibly if someone from agilent to verify why the event
occured above.

Regards to all,

Enrique "IKE" Velasco, Jr.
Engineer/IT

Delta Energy Systems (Arizona), Inc.
4400 E. Broadway Blvd., Suite 803, Tucson, AZ, 85715, USA
T +1 520 326 8401, F +1 520 326 8366
M +1 520 370 4537
enrique.velasco@delta-es.com
www.deltaenergysystems.com

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Like • Show 0 Likes0
Actions
VRFuser May 7, 2004 7:03 AM
Mark Correct
Correct Answer
As far as I know nothing about VEE or SICL will shutdown Windows without
your permission. The log entry looks like just a routine shutdown message.
It indicates an orderly shutdown. That is, system components were notified
that the system was shutting down. That means that the shutdown was not
forced.

There are some remote control bots that can shutdown your system. This may
be your problem. On the other hand, any Administrator on your network can
shut down your computer remotely if that privilege is enabled on your
computer. This can happen over a LAN or a WAN. The remote control bots do
not have this restriction because the shutdown request is local.

All you can really do about it is make sure you know what all running
processes are for. Find each executable and account for it. Write a small
monitor that watches for WM_QUERYENDSESSION and WM_ENDSESSION. You can't
trace them back to their originators without great difficulty, but at least
you'll know when the shutdown is initiated. Also you can return FALSE to a
query to stop it.
-SHAWN-

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Like • Show 0 Likes0
Actions
VRFuser May 7, 2004 7:08 AM
Mark Correct
Correct Answer
You know I just did a few experiments and it looks like that's actually
SICLs start up message (just like Norton's below it). Are you sure nothing
is crashing and resetting the computer?
-SHAWN-

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Like • Show 0 Likes0
Actions
halc May 7, 2004 2:55 PM
Mark Correct
Correct Answer
If the computer can get on the internet, it could be one of the latest
worms. If the message has lsass.exe in it you have the Sasser Worm. I just
got rid of it on a friends computer. MS has an update to fix it.

Hal
----- Original Message -----
From: <Enrique.Velasco@delta-es.com>
To: "VRF" <vrf@agilent.com>
Sent: Friday, May 07, 2004 6:44 PM
Subject: [vrf] RE: windows message "SHUTDOWN" <--- remotely

> hello everybody;
>
> i wouldn't jump into conclusion that VEE might have cause the issue
> mentioned above; apparently the only event log at that instance (before or
> during) is from VEE (USB); and the details are as follows;
>
> Event ID: 2
> First event: 05/07/2004 17:59:00
> Last event: 05/07/2004 17:59:00
> Source: SICL Log
> Type: Information
> User: -
> Log: Application
> Computer: XXXXXXXXXXXX
> Description:
> ag357i[Pid/Tid=708/1448]: Note, Agilent USB/GPIB, SN[MY43286962], using
> IoBufferSize=[65536], TimeoutFloorMsec=[2000], TimeoutUsbFlushMsec=[2000],
> TimeoutWrCompleteFlushMsec=[15000]
>
> is this somewhat a bug or something and hopefully its not a virus or
> trojan, anyway, all the equipment are "ON" at that moment, while i'm
trying
> to write some codes... then a POP-UP message saying windows is shutting
> down and i have about a minute to save all my work. SWELL!!!!!!!!
>
> though here's the last three(3) events before the above event happened
>
> Event ID: 14
> First event: 05/07/2004 17:58:35
> Last event: 05/07/2004 17:58:35
> Source: Norton AntiVirus
> Type: Information
> User: -
> Log: Application
> Computer: XXXXXXXXXXXX
> Description:
> Norton AntiVirus services startup was successful.
>
> Event ID: 105
> First event: 05/07/2004 17:58:25
> Last event: 05/07/2004 17:58:25
> Source: WMDM PMSP Service
> Type: Information
> User: -
> Log: Application
> Computer: XXXXXXXXXXXX
> Description:
> The service was started.
>
> Event ID: 4097
> First event: 05/07/2004 17:58:13
> Last event: 05/07/2004 17:58:13
> Source: MSDTC
> Type: Information
> User: -
> Log: Application
> Computer: XXXXXXXXXXXX
> Description:
> MS DTC has started.
>
> as I have mentioned above, "not jumping to conclusion" but I need to
> further look in this matter for any parasite/s that might have caused this
> issue - and also possibly if someone from agilent to verify why the event
> occured above.
>
> Regards to all,
>
>
>
>
> Enrique "IKE" Velasco, Jr.
> Engineer/IT
>
>
>
> Delta Energy Systems (Arizona), Inc.
> 4400 E. Broadway Blvd., Suite 803, Tucson, AZ, 85715, USA
> T +1 520 326 8401, F +1 520 326 8366
> M +1 520 370 4537
> enrique.velasco@delta-es.com
> www.deltaenergysystems.com
>
>
>
>
>
>
> ---
> You are currently subscribed to vrf as: halc@quixnet.net
> To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
> To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
> To send messages to this mailing list, email "vrf@agilent.com".
> If you need help with the mailing list send a message to
"owner-vrf@it.lists.it.agilent.com".
>

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Like • Show 0 Likes0
Actions
evelascojr May 7, 2004 7:34 PM
Mark Correct
Correct Answer
Hello Greg and the VRF,

The machine affected is running win2000 and Hal was probably right. I've
totally forgotten about that recent worm called "sasser". Also, the machine
in question is running under a private network via VPN tunnel from our
corporate office in Europe.

I think I need to check on possible "sasser" infection or any other Trojan
when I get back on Monday... as far a I know when I left the office last
night, I've also checked any occurrence of any event that might have caught
by the server within that time frame and found nothing. But I haven't
checked the security log event on the server side and the machine in
question (reading from the server side also); I'll do that Monday...

Well guys, thanks for any information and insights you've extended regarding
this matter even on weekend, huh?

Regards and have a nice and Happy Mother's day to all MOM out there...

Enrique "IKE" Velasco, Jr.

-----Original Message-----
From: Gregg C Levine [mailto:hansolofalcon@worldnet.att.net]
Sent: Saturday, May 08, 2004 8:13 AM
To: VRF
Subject: [vrf] RE: windows message "SHUTDOWN" <--- remotely

Hello from Gregg C Levine
Hal, one thing you should know, as do we all, (My machines are immune,
but that's a special case.). That worm only affects Windows 2000, and
Windows XP running systems. Therefore the patch only works for those
families of machines. Now the problem related below by our friend Ike,
there, might indeed is caused by the bug, then again it could be any
of a thousand other things. Also a properly configured firewall will
block the bug.

Ike, more information please. Are your affected machines running those
two operating systems? Or all they older units running say NT, or
Windows 98?
-------------------
Gregg C Levine hansolofalcon@worldnet.att.net
------------------------------------------------------------
"The Force will be with you...Always." Obi-Wan Kenobi
"Use the Force, Luke." Obi-Wan Kenobi

> -----Original Message-----
> From: Hal Cornelius [mailto:halc@quixnet.net]
> Sent: Saturday, May 08, 2004 8:55 AM
> To: VRF
> Subject: [vrf] RE: windows message "SHUTDOWN" <--- remotely
>
> If the computer can get on the internet, it could be one of the
latest
> worms. If the message has lsass.exe in it you have the Sasser Worm.
I just
> got rid of it on a friends computer. MS has an update to fix it.
>
> Hal
> ----- Original Message -----
> From: <Enrique.Velasco@delta-es.com>
> To: "VRF" <vrf@agilent.com>
> Sent: Friday, May 07, 2004 6:44 PM
> Subject: [vrf] RE: windows message "SHUTDOWN" <--- remotely
>
>
> > hello everybody;
> >
> > i wouldn't jump into conclusion that VEE might have cause the
issue
> > mentioned above; apparently the only event log at that instance
(before or
> > during) is from VEE (USB); and the details are as follows;
> >
> > Event ID: 2
> > First event: 05/07/2004 17:59:00
> > Last event: 05/07/2004 17:59:00
> > Source: SICL Log
> > Type: Information
> > User: -
> > Log: Application
> > Computer: XXXXXXXXXXXX
> > Description:
> > ag357i[Pid/Tid=708/1448]: Note, Agilent USB/GPIB, SN[MY43286962],
using
> > IoBufferSize=[65536], TimeoutFloorMsec=[2000],
> TimeoutUsbFlushMsec=[2000],
> > TimeoutWrCompleteFlushMsec=[15000]
> >
> > is this somewhat a bug or something and hopefully its not a virus
or
> > trojan, anyway, all the equipment are "ON" at that moment, while
i'm
> trying
> > to write some codes... then a POP-UP message saying windows is
shutting
> > down and i have about a minute to save all my work. SWELL!!!!!!!!
> >
> > though here's the last three(3) events before the above event
happened
> >
> > Event ID: 14
> > First event: 05/07/2004 17:58:35
> > Last event: 05/07/2004 17:58:35
> > Source: Norton AntiVirus
> > Type: Information
> > User: -
> > Log: Application
> > Computer: XXXXXXXXXXXX
> > Description:
> > Norton AntiVirus services startup was successful.
> >
> > Event ID: 105
> > First event: 05/07/2004 17:58:25
> > Last event: 05/07/2004 17:58:25
> > Source: WMDM PMSP Service
> > Type: Information
> > User: -
> > Log: Application
> > Computer: XXXXXXXXXXXX
> > Description:
> > The service was started.
> >
> > Event ID: 4097
> > First event: 05/07/2004 17:58:13
> > Last event: 05/07/2004 17:58:13
> > Source: MSDTC
> > Type: Information
> > User: -
> > Log: Application
> > Computer: XXXXXXXXXXXX
> > Description:
> > MS DTC has started.
> >
> > as I have mentioned above, "not jumping to conclusion" but I need
to
> > further look in this matter for any parasite/s that might have
caused this
> > issue - and also possibly if someone from agilent to verify why
the event
> > occured above.
> >
> > Regards to all,
> >
> >
> >
> >
> > Enrique "IKE" Velasco, Jr.
> > Engineer/IT
> >
> >
> >
> > Delta Energy Systems (Arizona), Inc.
> > 4400 E. Broadway Blvd., Suite 803, Tucson, AZ, 85715, USA
> > T +1 520 326 8401, F +1 520 326 8366
> > M +1 520 370 4537
> > enrique.velasco@delta-es.com
> > www.deltaenergysystems.com
> >
> >
> >
> >
> >
> >
> > ---
> > You are currently subscribed to vrf as: halc@quixnet.net
> > To subscribe send a blank email to
"join-vrf@it.lists.it.agilent.com".
> > To unsubscribe send a blank email to
"leave-vrf@it.lists.it.agilent.com".
> > To send messages to this mailing list, email "vrf@agilent.com".
> > If you need help with the mailing list send a message to
> "owner-vrf@it.lists.it.agilent.com".
> >
>
>
> ---
> You are currently subscribed to vrf as:
hansolofalcon@worldnet.att.net
> To subscribe send a blank email to
"join-vrf@it.lists.it.agilent.com".
> To unsubscribe send a blank email to
"leave-vrf@it.lists.it.agilent.com".
> To send messages to this mailing list, email "vrf@agilent.com".
> If you need help with the mailing list send a message to "owner-
> vrf@it.lists.it.agilent.com".

---
You are currently subscribed to vrf as: evelascojr@cox.net
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to
"owner-vrf@it.lists.it.agilent.com".

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Like • Show 0 Likes0
Actions
hansolofalcon May 7, 2004 8:12 PM
Mark Correct
Correct Answer
Hello from Gregg C Levine
Hal, one thing you should know, as do we all, (My machines are immune,
but that's a special case.). That worm only affects Windows 2000, and
Windows XP running systems. Therefore the patch only works for those
families of machines. Now the problem related below by our friend Ike,
there, might indeed is caused by the bug, then again it could be any
of a thousand other things. Also a properly configured firewall will
block the bug.

Ike, more information please. Are your affected machines running those
two operating systems? Or all they older units running say NT, or
Windows 98?
-------------------
Gregg C Levine hansolofalcon@worldnet.att.net
------------------------------------------------------------
"The Force will be with you...Always." Obi-Wan Kenobi
"Use the Force, Luke." Obi-Wan Kenobi

> -----Original Message-----
> From: Hal Cornelius [mailto:halc@quixnet.net]
> Sent: Saturday, May 08, 2004 8:55 AM
> To: VRF
> Subject: [vrf] RE: windows message "SHUTDOWN" <--- remotely
>
> If the computer can get on the internet, it could be one of the
latest
> worms. If the message has lsass.exe in it you have the Sasser Worm.
I just
> got rid of it on a friends computer. MS has an update to fix it.
>
> Hal
> ----- Original Message -----
> From: <Enrique.Velasco@delta-es.com>
> To: "VRF" <vrf@agilent.com>
> Sent: Friday, May 07, 2004 6:44 PM
> Subject: [vrf] RE: windows message "SHUTDOWN" <--- remotely
>
>
> > hello everybody;
> >
> > i wouldn't jump into conclusion that VEE might have cause the
issue
> > mentioned above; apparently the only event log at that instance
(before or
> > during) is from VEE (USB); and the details are as follows;
> >
> > Event ID: 2
> > First event: 05/07/2004 17:59:00
> > Last event: 05/07/2004 17:59:00
> > Source: SICL Log
> > Type: Information
> > User: -
> > Log: Application
> > Computer: XXXXXXXXXXXX
> > Description:
> > ag357i[Pid/Tid=708/1448]: Note, Agilent USB/GPIB, SN[MY43286962],
using
> > IoBufferSize=[65536], TimeoutFloorMsec=[2000],
> TimeoutUsbFlushMsec=[2000],
> > TimeoutWrCompleteFlushMsec=[15000]
> >
> > is this somewhat a bug or something and hopefully its not a virus
or
> > trojan, anyway, all the equipment are "ON" at that moment, while
i'm
> trying
> > to write some codes... then a POP-UP message saying windows is
shutting
> > down and i have about a minute to save all my work. SWELL!!!!!!!!
> >
> > though here's the last three(3) events before the above event
happened
> >
> > Event ID: 14
> > First event: 05/07/2004 17:58:35
> > Last event: 05/07/2004 17:58:35
> > Source: Norton AntiVirus
> > Type: Information
> > User: -
> > Log: Application
> > Computer: XXXXXXXXXXXX
> > Description:
> > Norton AntiVirus services startup was successful.
> >
> > Event ID: 105
> > First event: 05/07/2004 17:58:25
> > Last event: 05/07/2004 17:58:25
> > Source: WMDM PMSP Service
> > Type: Information
> > User: -
> > Log: Application
> > Computer: XXXXXXXXXXXX
> > Description:
> > The service was started.
> >
> > Event ID: 4097
> > First event: 05/07/2004 17:58:13
> > Last event: 05/07/2004 17:58:13
> > Source: MSDTC
> > Type: Information
> > User: -
> > Log: Application
> > Computer: XXXXXXXXXXXX
> > Description:
> > MS DTC has started.
> >
> > as I have mentioned above, "not jumping to conclusion" but I need
to
> > further look in this matter for any parasite/s that might have
caused this
> > issue - and also possibly if someone from agilent to verify why
the event
> > occured above.
> >
> > Regards to all,
> >
> >
> >
> >
> > Enrique "IKE" Velasco, Jr.
> > Engineer/IT
> >
> >
> >
> > Delta Energy Systems (Arizona), Inc.
> > 4400 E. Broadway Blvd., Suite 803, Tucson, AZ, 85715, USA
> > T +1 520 326 8401, F +1 520 326 8366
> > M +1 520 370 4537
> > enrique.velasco@delta-es.com
> > www.deltaenergysystems.com
> >
> >
> >
> >
> >
> >
> > ---
> > You are currently subscribed to vrf as: halc@quixnet.net
> > To subscribe send a blank email to
"join-vrf@it.lists.it.agilent.com".
> > To unsubscribe send a blank email to
"leave-vrf@it.lists.it.agilent.com".
> > To send messages to this mailing list, email "vrf@agilent.com".
> > If you need help with the mailing list send a message to
> "owner-vrf@it.lists.it.agilent.com".
> >
>
>
> ---
> You are currently subscribed to vrf as:
hansolofalcon@worldnet.att.net
> To subscribe send a blank email to
"join-vrf@it.lists.it.agilent.com".
> To unsubscribe send a blank email to
"leave-vrf@it.lists.it.agilent.com".
> To send messages to this mailing list, email "vrf@agilent.com".
> If you need help with the mailing list send a message to "owner-
> vrf@it.lists.it.agilent.com".

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Like • Show 0 Likes0
Actions
VRFuser May 7, 2004 9:36 PM
Mark Correct
Correct Answer
> I've totally forgotten about that recent worm called "sasser".

If you run a firewall you're probably ok. Sasser will probably cause your
machine to reboot though, and a LSASS.EXE crash message is not guaranteed.

Sasser uses TCP port 445 to test for vulnerable computers. It uses TCP ports
9996 and 5554 to ftp a file ending in "_up.exe" to your computer.

Check for a file called c:win2.log. If this file exists the worm has
executed and tried to infect other computers. The IP address of the computer
it tried to infect will be listed, as well as the number of infected
computers.

It will ignore IP addresses 192.168.x.x so your private network is probably
ok. This is pretty much an internet only problem.

More info is at:

http://www.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html

-SHAWN-

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Like • Show 0 Likes0
Actions
enrique.velasco May 9, 2004 6:45 PM
Mark Correct
Correct Answer

Hello everybody;

Finally - i am much relieved regarding the issue that i experienced last
friday afternoon, well fortunately, it wasn't caused by any virus -
particularly the "sasser" virus.... i've checked all the traces of files
metioned from the link
http://www.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html and so
far no traces of each file/s mentioned were found. no traces of the file
win2.log, avserver2.exe, or any ?????_up.exe files were found. that leaves
me no option/s on how i can isolate any possible application (especially
VEE - software or hardware wise) to be out of the equation.

going back to one question from shawn;

>You know I just did a few experiments and it looks like that's actually
>SICLs start up message (just like Norton's below it). Are you sure nothing
>is crashing and resetting the computer?
>-SHAWN-

as far as i know the only application that was running at that time were
vee and excel...and i know excel would definitely be catch by the event -
if ever there was an anomaly.

as far as resetting the workstation; only my colleague and i have an access
to the reskit for NT/win2000 in which the gui for shutdown is found. and he
was out at that day including the day before friday. furthermore, only my
colleague and i have the access to install any application within any
workstation on our group - if ever anyone from our group tried to download
any remote software capable of resetting any workstation with our network.

anyway, i can check all workstation here in our group for any remote
control bots or any gui that might be running that i wasn't aware of...

to VEE or not VEE - that is the question...

regards,

Enrique "IKE" Velasco, Jr.
Engineer/IT

Delta Energy Systems (Arizona), Inc.
4400 E. Broadway Blvd., Suite 803, Tucson, AZ, 85715, USA
T +1 520 326 8401, F +1 520 326 8366
M +1 520 370 4537
enrique.velasco@delta-es.com
www.deltaenergysystems.com


                    Shawn
                    Fessenden            To:     VRF <vrf@agilent.com>@SMTP@exchangedeltabe
                    <shawn@testec        cc:
                    h-ltd.com>           Subject:     [vrf] RE: windows message "SHUTDOWN" <--- remotely

                    05/08/2004
                    10:36 AM
                    Please
                    respond to
                    Shawn
                    Fessenden
                    <shawn@testec
                    h-ltd.com>



> I've totally forgotten about that recent worm called "sasser".

If you run a firewall you're probably ok. Sasser will probably cause your
machine to reboot though, and a LSASS.EXE crash message is not guaranteed.

Sasser uses TCP port 445 to test for vulnerable computers. It uses TCP
ports
9996 and 5554 to ftp a file ending in "_up.exe" to your computer.

Check for a file called c:win2.log. If this file exists the worm has
executed and tried to infect other computers. The IP address of the
computer
it tried to infect will be listed, as well as the number of infected
computers.

It will ignore IP addresses 192.168.x.x so your private network is probably
ok. This is pretty much an internet only problem.

More info is at:

http://www.symantec.com/avcenter/venc/data/w32.sasser.c.worm.html

-SHAWN-

---
You are currently subscribed to vrf as: enrique.velasco@delta-es.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to
"owner-vrf@it.lists.it.agilent.com".

---
You are currently subscribed to vrf as: rsb@soco.agilent.com
To subscribe send a blank email to "join-vrf@it.lists.it.agilent.com".
To unsubscribe send a blank email to "leave-vrf@it.lists.it.agilent.com".
To send messages to this mailing list, email "vrf@agilent.com".
If you need help with the mailing list send a message to "owner-vrf@it.lists.it.agilent.com".
Like • Show 0 Likes0
Actions

vrf windows message "SHUTDOWN" --- remotely

Outcomes

Related Content

Recommended Content