Discussion:
new virus? bebmekht.exe
mike Irvine
2007-02-28 00:28:42 UTC
I have Sasser worm-like problems and now Zone Alarm antivirus+firewall has
solved the problem.

I was getting errors like "svchost.exe and lsass.exe has caused an error and
needs to be shut down". My computer was grinding to a halt and I couldn't
perform any upgrades. My computer was working fine until about 2 days ago
when I connected to the internet and started to have the above problems.

Now Zone Alarm firewall and antivirus has blocked one program called
bebmekht.exe and the problems have gone away and I'm now able to work with
and upgrade my computer. I haven't seen anything on the internet about
bebmekht.exe; maybe it's a new one.

A virus scan turned up no results.
David H. Lipman
2007-02-28 01:09:51 UTC
From: "mike Irvine" <***@doe.com>

| I have Sasser worm-like problems and now Zone Alarm antivirus+firewall has
| solved the problem.
|
| I was getting errors like "svchost.exe and lsass.exe has caused an error and
| needs to be shut down". My computer was grinding to a halt and I couldn't
| perform any upgrades. My computer was working fine until about 2 days ago
| when I connected to the internet and started to have the above problems.
|
| Now Zone Alarm firewall and antivirus has blocked one program called
| bebmekht.exe and the problems have gone away and I'm now able to work with
| and upgrade my computer. I haven't seen anything on the internet about
| bebmekht.exe; maybe it's a new one.
|
| A virus scan turned up no results.
|

If it was Sasser like then it would be an Internet worm using TCP port 445 attempting to
exploit a buffer overflow condition in the LSASS module of the OS. Such an attempt will
generate the following 60 sec. shutdown message...

NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819

or

NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819

{ NOTE: The above can be generated internally and NOT be I-worm generated as well }

You say you have a FireWall. If your FireWall was up and working correctly then the
Internet worm could not try an exploit attempt through TCP port 445 as the FireWall should
have blocked any such attempt.

You say "Zone alarm firewall and antivirus has blocked one program called bebmekht.exe" and
the problem stopped. Then the infector was already IN the PC and not on the Internet trying
to get through to your PC.

The question then is what is the OS and Service Pack level.

Microsoft's LSASS vulnerability patch.
WinXP KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

Win2K KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
mike Irvine
2007-02-28 01:33:03 UTC
windows 2000, no upgrades or service packs (fresh install, formatted drive).
As soon as I installed my pcmcia inet card I started having problems
like lsass.exe has caused an error
Post by David H. Lipman
| I have Sasser worm-like problems and now Zone Alarm antivirus+firewall has
| solved the problem.
|
| I was getting errors like "svchost.exe and lsass.exe has caused an error and
| needs to be shut down". My computer was grinding to a halt and I couldn't
| perform any upgrades. My computer was working fine until about 2 days ago
| when I connected to the internet and started to have the above problems.
|
| Now Zone Alarm firewall and antivirus has blocked one program called
| bebmekht.exe and the problems have gone away and I'm now able to work with
| and upgrade my computer. I haven't seen anything on the internet about
| bebmekht.exe; maybe it's a new one.
|
| A virus scan turned up no results.
|
If it was Sasser like then it would be an Internet worm using TCP port 445 attempting to
exploit a buffer overflow condition in the LSASS module of the OS. Such an attempt will
generate the following 60 sec. shutdown message...
NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819
or
NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819
{ NOTE: The above can be generated internally and NOT be I-worm generated as well }
You say you have a FireWall. If your FireWall was up and working correctly then the
Internet worm could not try an exploit attempt through TCP port 445 as the FireWall should
have blocked any such attempt.
You say "Zone alarm firewall and antivirus has blocked one program called bebmekht.exe" and
the problem stopped. Then the infector was already IN the PC and not on the Internet trying
to get through to your PC.
The question then is what is the OS and Service Pack level.
Microsoft's LSASS vulnerability patch.
WinXP KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en
Win2K KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Virus Guy
2007-02-28 01:43:31 UTC
Post by mike Irvine
windows 2000, no upgrades or service packs (fresh install, formatted
drive). As soon as I installed my pcmcia inet card I started having
problems like lsass.exe has caused an error
I'm sure many here are shaking their head.

You obviously do not have a NAT-router between your computer and your
modem.

Do a google search for internet survival time.
Ayatollah Yootweiss Al-Reddi
2007-02-28 09:19:50 UTC
Post by Virus Guy
Post by mike Irvine
windows 2000, no upgrades or service packs (fresh install, formatted
drive). As soon as I installed my pcmcia inet card I started having
problems like lsass.exe has caused an error
I'm sure many here are shaking their head.
You obviously do not have a NAT-router between your computer and your
modem.
Do a google search for internet survival time.
Interestingly, my boss set up an XP+SP2 but no other patches
box, no firewall, no antivirus - and nothing happened. For over
a week.
OK, it was a virtual Winbox on his Linux machine, and maybe
it's on a bit of our network where direct intrusion just
doesn't reach, but, well, we were surprised.
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
Leythos
2007-02-28 12:40:48 UTC
Post by Ayatollah Yootweiss Al-Reddi
OK, it was a virtual Winbox on his Linux machine, and maybe
it's on a bit of our network where direct intrusion just
doesn't reach, but, well, we were surprised.
LOL, so you have a protected machine running an unprotected OS, where
the bad guys can't get to it and you're Surprised?
--
***@rrohio.com
remove 999 in order to email me
Ayatollah Yootweiss Al-Reddi
2007-02-28 13:47:59 UTC
Post by Leythos
Post by Ayatollah Yootweiss Al-Reddi
OK, it was a virtual Winbox on his Linux machine, and maybe
it's on a bit of our network where direct intrusion just
doesn't reach, but, well, we were surprised.
LOL, so you have a protected machine running an unprotected OS, where
the bad guys can't get to it and you're Surprised?
As far as our LAN sees it, it /ought/ to look just like a
Winbox. If my boss set it up right.
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
Leythos
2007-02-28 16:33:14 UTC
Post by Ayatollah Yootweiss Al-Reddi
Post by Leythos
Post by Ayatollah Yootweiss Al-Reddi
OK, it was a virtual Winbox on his Linux machine, and maybe
it's on a bit of our network where direct intrusion just
doesn't reach, but, well, we were surprised.
LOL, so you have a protected machine running an unprotected OS, where
the bad guys can't get to it and you're Surprised?
As far as our LAN sees it, it /ought/ to look just like a
Winbox. If my boss set it up right.
Um, no, if your LAN is setup right, nothing will reach the Win box from
the WAN that isn't approved.
--
***@rrohio.com
remove 999 in order to email me
Ayatollah Yootweiss Al-Reddi
2007-03-01 09:18:47 UTC
Post by Leythos
Um, no, if your LAN is setup right, nothing will reach the Win box from
the WAN that isn't approved.
The less I say in a public forum about the shortcomings of our
network setup, the better!
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
Leythos
2007-03-01 11:27:49 UTC
Post by Ayatollah Yootweiss Al-Reddi
Post by Leythos
Um, no, if your LAN is setup right, nothing will reach the Win box from
the WAN that isn't approved.
The less I say in a public forum about the shortcomings of our
network setup, the better!
The point was that if the LAN is setup properly, even if just a NAT, the
Windows box, even without any protection, would not be attacked from the
internet. So, if setup properly, your statement about the Windows box not
being compromised would be meaningless, since it could not be reached
anyway.
--
Want to know what PCBUTTS1 is really about?
*** WARNING - these links contain foul/pornographic content of an
abusive nature created by PCBUTTS1 and still hosted on his public
website ***
http://www.pcbutts1.com/rlk/rlk.htm ,
http://www.pcbutts1.com/license.htm ,
http://www.pcbutts1.com/downloads/max.htm ,
http://www.pcbutts1.com/downloads/mpv.htm ,
http://www.pcbutts1.com/downloads/wtcpcb.htm ,
http://www.pcbutts1.com/cracks.htm ,
http://www.pcbutts1.com/Loutheasshole.htm
All while spamming his company website at: http://www.seedsv.com
Ayatollah Yootweiss Al-Reddi
2007-03-01 12:19:51 UTC
Post by Leythos
Post by Ayatollah Yootweiss Al-Reddi
Post by Leythos
Um, no, if your LAN is setup right, nothing will reach the Win box from
the WAN that isn't approved.
The less I say in a public forum about the shortcomings of our
network setup, the better!
The point was that if the LAN is setup properly, even if just a NAT,
You can't hang 100,000 machines, some of them mainframes, off a
small NAT box from PCWorld.
As I said, the less I say the better, from this point on.
Except, maybe: Give my boss the money for the security kit we
need!
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
Leythos
2007-03-01 12:14:29 UTC
Post by Ayatollah Yootweiss Al-Reddi
Post by Leythos
Post by Ayatollah Yootweiss Al-Reddi
Post by Leythos
Um, no, if your LAN is setup right, nothing will reach the Win box from
the WAN that isn't approved.
The less I say in a public forum about the shortcomings of our
network setup, the better!
The point was that if the LAN is setup properly, even if just a NAT,
You can't hang 100,000 machines, some of them mainframes, off a
small NAT box from PCWorld.
As I said, the less I say the better, from this point on.
Except, maybe: Give my boss the money for the security kit we
need!
If you were in a network with 100,000 machines, you would not be talking
about a "small NAT box", you would be talking about a Firewall and routers
that implement NAT, and your network would be broken up into segments
smaller than 100,000 nodes.

So, do you have 100,000 machines?

If you do, I would bet that each of these is NOT assigned a public IP
address, that you are using some form of NAT already, and that even a
simple NAT could provide better protection than what you appear to think.


Ayatollah Yootweiss Al-Reddi
2007-03-01 12:51:12 UTC
Post by Leythos
If you were in a network with 100,000 machines, you would not be talking
about a "small NAT box",
I'm not, I thought you might be.

you would be talking about a Firewall and routers
Post by Leythos
that implement NAT, and your network would be broken up into segments
smaller than 100,000 nodes.
Many VLANs
Post by Leythos
So, do you have 100,000 machines?
[thinks]
If every student and every staff member had a desktop machine,
add in the clusters and the business systems and the web farm
and the *nix boxes and the SGI Onyx300...
Prolly not 100,000, but well over 50,000.
Post by Leythos
If you do, I would bet that each of these is NOT assigned a public IP
address, that you are using some form of NAT already, and that even a
simple NAT could provide better protection than what you appear to think.
Some's NAT'd. Not much though. Things are tight in UK
Universities: there's money for kit to make it _work_, but
apart from the business systems, anything else is a luxury,
right up until it's proven by some exploit costing us money to
be more cost-effective to do it right.
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
Leythos
2007-03-01 12:55:33 UTC
Post by Ayatollah Yootweiss Al-Reddi
Post by Leythos
If you were in a network with 100,000 machines, you would not be talking
about a "small NAT box",
I'm not, I thought you might be.
you would be talking about a Firewall and routers
Post by Leythos
that implement NAT, and your network would be broken up into segments
smaller than 100,000 nodes.
Many VLANs
Post by Leythos
So, do you have 100,000 machines?
[thinks]
If every student and every staff member had a desktop machine,
add in the clusters and the business systems and the web farm
and the *nix boxes and the SGI Onyx300...
Prolly not 100,000, but well over 50,000.
Post by Leythos
If you do, I would bet that each of these is NOT assigned a public IP
address, that you are using some form of NAT already, and that even a
simple NAT could provide better protection than what you appear to think.
Some's NAT'd. Not much though. Things are tight in UK
Universities: there's money for kit to make it _work_, but
apart from the business systems, anything else is a luxury,
right up until it's proven by some exploit costing us money to
be more cost-effective to do it right.
I've seen this in American medical operations - public IP's on every
machine, most still behind a firewall solution, but using a public IP
instead of NAT.

With 50K machines, vlan or not, I would segment the network and build a
firewall setup, using spare unix based computers, and implement after an
extensive study - my guess is that the ROI would be covered by lower
maintenance costs in less than 1 year.

Ayatollah Yootweiss Al-Reddi
2007-03-01 13:17:49 UTC
Post by Leythos
I've seen this in American medical operations - public IP's on every
machine, most still behind a firewall solution, but using a public IP
instead of NAT.
Sounds like our place. Some of the people claim to need public
IP for stuff they run, but the mass could be NAT'd tomorrow
with no loss of functionality.
Post by Leythos
With 50K machines, vlan or not, I would segment the network and build a
firewall setup, using spare unix based computers, and implement after an
extensive study - my guess is that the ROI would be covered by lower
maintenance costs in less than 1 year.
I dunno how much physical segmenting of the network there is,
but I know there's some. I don't get into that area, I deal
almost exclusively with desktops.
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
Dustin Cook
2007-03-01 23:23:21 UTC
Post by Ayatollah Yootweiss Al-Reddi
Post by Leythos
Um, no, if your LAN is setup right, nothing will reach the Win box from
the WAN that isn't approved.
The less I say in a public forum about the shortcomings of our
network setup, the better!
You missed what leythos was saying, obviously.
--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - V2.2
web: http://bughunter.it-mate.co.uk - email:
***@gmail.com.removethis
Pad: http://bughunter.it-mate.co.uk/pad.xml
Virus Guy
2007-02-28 14:02:41 UTC
Post by Ayatollah Yootweiss Al-Reddi
Post by Virus Guy
Do a google search for internet survival time.
Interestingly, my boss set up an XP+SP2 but no other patches
box, no firewall, no antivirus - and nothing happened. For over
a week.
SP2 was supposed to fix the 5 (or so) direct network vulnerabilities.
Are you saying that nothing happened for the week that you left the
machine in that state, or that something did get in and infect the
machine but it took a week to happen?
Ayatollah Yootweiss Al-Reddi
2007-02-28 15:45:39 UTC
Post by Virus Guy
Post by Ayatollah Yootweiss Al-Reddi
Post by Virus Guy
Do a google search for internet survival time.
Interestingly, my boss set up an XP+SP2 but no other patches
box, no firewall, no antivirus - and nothing happened. For over
a week.
SP2 was supposed to fix the 5 (or so) direct network vulnerabilities.
Are you saying that nothing happened for the week that you left the
machine in that state, or that something did get in and infect the
machine but it took a week to happen?
Nothing happened for a week, we took it off.
There was some stuff out in the Halls that we hoped would get
in, because we wanted a sample and the Halls staff were just
doing wipe/re-install, but something in one of the boxes
between them and the VLAN we used probably blocked it.
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
David H. Lipman
2007-02-28 02:10:06 UTC
From: "mike Irvine" <***@doe.com>

| windows 2000, no upgrades or service packs (fresh install, formatted drive).
| As soon as I installed my pcmcia inet card I started having problems
| like lsass.exe has caused an error

The Sasser worm is pretty much dead. However, the exploitation of the LSASS buffer overflow
condition via TCP port 445 and the exploitation of the RPC/RPCSS DCOM buffer overflow
condition via TCP port 135 have been adapted and are used by numerous Internet BOTs. SDBot,
AGOBot, RBot, etc...

It only takes seconds to a couple of minutes for another infected computer to send out the
necessary packets to infect an unprotected computer.

Virus Guy is correct. My head was shaking upon reading your reply.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
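As an added example, not code from the thread or from any of its posters: a small Python triage helper that applies the reasoning in Dave's two posts above (the lsass.exe "terminated unexpectedly with status code -1073741819" shutdown message, and worm/bot entry via TCP 445 and TCP 135) to constructed sample event text and a constructed netstat-style listener list. The message text and port numbers come from the thread; the sample lines, function names and verdict wording are assumptions.

```python
import re

# Worm/bot entry points named in the thread: LSASS overflow via TCP 445,
# RPC/RPCSS DCOM overflow via TCP 135.
WORM_PORTS = {445: "LSASS", 135: "RPC/DCOM"}

# The thread's shutdown message carries status -1073741819, which is
# 0xC0000005 (STATUS_ACCESS_VIOLATION) read as a signed 32-bit integer.
STATUS_ACCESS_VIOLATION = 0xC0000005
LSASS_CRASH = re.compile(
    r"'(?P<path>[a-z]:\\[^']*\\lsass\.exe)' terminated unexpectedly "
    r"with status code (?P<code>-?\d+)", re.IGNORECASE)
# Shape of a 'netstat -an' TCP listener line (the constructed sample below matches it).
LISTENER = re.compile(
    r"^\s*TCP\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def find_lsass_crashes(event_lines):
    """Return one dict per LSASS termination message found in the given text lines."""
    hits = []
    for line in event_lines:
        m = LSASS_CRASH.search(line)
        if m:
            code = int(m.group("code"))
            hits.append({"path": m.group("path"), "code": code,
                         "access_violation": (code & 0xFFFFFFFF) == STATUS_ACCESS_VIOLATION})
    return hits


def exposed_worm_ports(netstat_lines):
    """Map port -> bound address for 445/135 listeners not confined to loopback."""
    exposed = {}
    for line in netstat_lines:
        m = LISTENER.match(line)
        if m and int(m.group("port")) in WORM_PORTS and not m.group("ip").startswith("127."):
            exposed[int(m.group("port"))] = m.group("ip")
    return exposed


def triage(event_lines, netstat_lines):
    """Apply the thread's reasoning: an LSASS access-violation crash plus a reachable
    port 445 points at a network exploit attempt; a crash with 445 not reachable
    points at something already on the machine, or an internal fault."""
    crashes = find_lsass_crashes(event_lines)
    exposed = exposed_worm_ports(netstat_lines)
    if not crashes:
        verdict = "no LSASS crash seen"
    elif any(c["access_violation"] for c in crashes) and 445 in exposed:
        verdict = "possible remote LSASS exploit attempt: block TCP 445/135 at the firewall and patch"
    else:
        verdict = "LSASS crash with 445 not exposed: suspect a local infector or an internal fault"
    return {"crashes": crashes, "exposed": exposed, "verdict": verdict}


# Constructed sample input, mirroring the messages quoted in the thread (hypothetical).
SAMPLE_EVENTS = [
    "NT AUTHORITY\\SYSTEM",
    "'c:\\winnt\\system32\\lsass.exe' terminated unexpectedly with status code -1073741819",
    "The Event log service was started.",
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING",
    "  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```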
mike Irvine
2007-02-28 06:03:06 UTC
The fact still remains I have an infected computer and my only antivirus
option doesn't seem to pick up the problem.
I don't think Norton antivirus is available for win2k.
At least I can surf.
Post by David H. Lipman
| windows 2000, no upgrades or service packs (fresh install, formatted drive).
| As soon as I installed my pcmcia inet card I started having problems
| like lsass.exe has caused an error
The Sasser worm is pretty much dead. However, the exploitation of the LSASS buffer overflow
condition via TCP port 445 and the exploitation of the RPC/RPCSS DCOM buffer overflow
condition via TCP port 135 have been adapted and are used by numerous Internet BOTs. SDBot,
AGOBot, RBot, etc...
It only takes seconds to a couple of minutes for another infected computer to send out the
necessary packets to infect an unprotected computer.
Virus Guy is correct. My head was shaking upon reading your reply.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Gabriele Neukam
2007-02-28 10:44:55 UTC
Post by mike Irvine
at least I can surf
(bangs head on keyboard)

Don't you understand? As long as you are online, the malware will send
out attacks on other computers, to infect them, too.

You are currently Typhoid Mary. Remove your machine from the net AT
ONCE, wipe it, install W2K AND get the service pack 6 upwards, install
that one WHILE STILL OFF LINE. Only then you can get back onto the net,
BUT NOT EARLIER.


Gabriele Neukam

***@t-online.de
--
Often those who most loudly proclaim their freedom to choose in some
fields are the most retentive about 'correcting' others' choices in
other fields.
(Brian Brunner in alt.games.diablo2)
Art
2007-02-28 11:42:21 UTC
On Wed, 28 Feb 2007 11:44:55 +0100, Gabriele Neukam
Post by Gabriele Neukam
Post by mike Irvine
at least I can surf
(bangs head on keyboard)
Don't you understand? As long as you are online, the malware will send
out attacks on other computers, to infect them, too.
You are currently Typhoid Mary. Remove your machine from the net AT
ONCE, wipe it, install W2K AND get the service pack 6 upwards, install
that one WHILE STILL OFF LINE. Only then you can get back onto the net,
BUT NOT EARLIER.
Actually, he's between a rock and a hard place since he shouldn't be
going on line at all with a fresh install of W2K unless he first
purchases an external firewall/router. That's why I wrote my article
(see my web site) named CLOSING PORTS ON WINDOWS 2000. However,
noobs are incapable of following such instructions involving editing
the registry. He can't download utils to do it, or even a software
firewall since he shouldn't be on line even that long. So he's stuck
unless he purchases a hardware appliance to block unsolicited
incoming.

One not-so-good approach under the circumstances would be to
put off the wipe/reinstall long enough to download a free personal
firewall and copy the install file to CD. Then do the wipe/reinstall.
Before going on line, install the personal firewall. Then use MS
update to download/install sp4 plus the rollup plus all the hotfixes.
But obviously, it would be best to wipe/reinstall and don't go
on line to update Win 2K without the external fw/router appliance.
Either that or get help from the computer whiz kid next door to
do the internet port closing as in my article.

Art
http://home.epix.net/~artnpeg
mike Irvine
2007-02-28 01:35:12 UTC
I guess I should also add that Zonealarm is blocking a lot
as well as bebmekht.exe
Post by mike Irvine
I have Sasser worm-like problems and now Zone Alarm antivirus+firewall has
solved the problem.
I was getting errors like "svchost.exe and lsass.exe has caused an error and
needs to be shut down". My computer was grinding to a halt and I couldn't
perform any upgrades. My computer was working fine until about 2 days ago
when I connected to the internet and started to have the above problems.
Now Zone Alarm firewall and antivirus has blocked one program called
bebmekht.exe and the problems have gone away and I'm now able to work with
and upgrade my computer. I haven't seen anything on the internet about
bebmekht.exe; maybe it's a new one.
A virus scan turned up no results.