Help!!! I'm under attack from worms!! [Archive] - ZGeek



damo
14-12-2004, 05:06 PM
Our entire network is being infected by a worm. Windows 2000 machines with less than SP4, and Windows XP without SP2, seem to be vulnerable. On the Win2000 machine I get the following message: 'C:\WINNT\system32\lsass.exe terminated unexpectedly with status code 128. The system will now shutdown and restart.' This is accompanied by a countdown of about 60 seconds, after which the system restarts. This occurs every 5-10 minutes.

XP machines don't show the same message, and don't restart, but instead the virus scanner - VET - says the following: 'Vet File Monitor has found that C:\WINDOWS\system32\ftpupd.exe is Win32.korgo.AB worm'.

I have run a couple of tools I got from Symantec - Fxsasser.exe and Fixkorgo.exe - but neither of these has had any effect. I've googled the problem, but have not really found anything particularly useful.

To top things off, our system administrator is currently in Adelaide, and I am just filling in.

I am not even sure if these are both the same thing, or if it's just coincidence that they popped up at the same time.

Any suggestions would be greatly appreciated.

Drinking Duck
14-12-2004, 07:21 PM
Dude you need to run the following MS update ms04-011 to stop the reboot occurring.

Then follow the removal options from here: http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.ab.html.
To download ms04-011 go to these links:

Win 2000 http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

WinXp: http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

If you do not patch all machines on your network they will continue to infect other machines and cause so much network traffic.
Good luck
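The two posts above describe the symptoms (lsass.exe terminating with status code 128, VET flagging ftpupd.exe as Win32.korgo.AB) and the remediation order (patch MS04-011 first, then clean). The script below is an added triage example, not something posted in the thread or shipped by any vendor: it applies the thread's own vulnerability criteria (Win2000 below SP4, XP below SP2) to a constructed host inventory and runs the thread's two symptom strings as detection patterns over constructed log lines, so an administrator filling in can list which machines to patch first and which already show infection indicators. The hostnames, inventory and log lines are all made up for the example.

```python
import re

# Constructed host inventory (hypothetical names and service-pack levels).
HOSTS = [
    {"name": "ws01", "os": "Windows 2000", "sp": 3},
    {"name": "ws02", "os": "Windows 2000", "sp": 4},
    {"name": "ws03", "os": "Windows XP", "sp": 1},
    {"name": "ws04", "os": "Windows XP", "sp": 2},
]

# Constructed log lines, modelled on the two messages quoted in the thread.
# Format assumed here: "<hostname> <message>".
LOG_LINES = [
    "ws01 C:\\WINNT\\system32\\lsass.exe terminated unexpectedly with status code 128. "
    "The system will now shutdown and restart.",
    "ws03 Vet File Monitor has found that C:\\WINDOWS\\system32\\ftpupd.exe is Win32.korgo.AB worm",
    "ws02 Vet File Monitor scan completed, no threats found",
]

# Detection patterns taken from the symptoms described in the first post.
LSASS_CRASH = re.compile(r"lsass\.exe terminated unexpectedly with status code (\d+)", re.I)
KORGO_DETECT = re.compile(r"ftpupd\.exe|Win32\.korgo", re.I)


def needs_ms04_011(host):
    """Vulnerability criteria as stated in the thread: Win2000 < SP4, XP < SP2."""
    if host["os"] == "Windows 2000":
        return host["sp"] < 4
    if host["os"] == "Windows XP":
        return host["sp"] < 2
    return False  # other OS versions are outside what the thread discusses (assumption)


def scan_logs(lines):
    """Return {hostname: set of indicator names} for lines matching the symptoms."""
    hits = {}
    for line in lines:
        host, _, msg = line.partition(" ")
        if LSASS_CRASH.search(msg):
            hits.setdefault(host, set()).add("lsass_crash")
        if KORGO_DETECT.search(msg):
            hits.setdefault(host, set()).add("korgo_detected")
    return hits


def triage(hosts, lines):
    """Combine inventory and log indicators into a patch-ordering list.

    Hosts that are both unpatched and showing indicators come first (they are
    actively spreading), then unpatched hosts, then everything else.
    """
    indicators = scan_logs(lines)
    report = []
    for h in hosts:
        report.append({
            "name": h["name"],
            "patch_first": needs_ms04_011(h),
            "indicators": sorted(indicators.get(h["name"], ())),
        })
    report.sort(key=lambda r: (not (r["indicators"] and r["patch_first"]),
                               not r["patch_first"],
                               r["name"]))
    return report


if __name__ == "__main__":
    for row in triage(HOSTS, LOG_LINES):
        flag = "PATCH NOW" if row["patch_first"] else "ok"
        print(f"{row['name']:6} {flag:10} {', '.join(row['indicators']) or '-'}")
```

The ordering matters for the point Drinking Duck makes: an unpatched host keeps reinfecting others, so removal on one machine is wasted effort until the rest of the network is patched, and the hosts that already show the lsass crash or the VET detection are the ones generating the traffic.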

damo
14-12-2004, 07:35 PM
Thanks for the response. We've been slack in keeping our machines patched, due to a major system overhaul due in the coming weeks/months. I've been patching all the machines already, and this has helped. Next step, I'll go about removing the damn thing.