LSASS.exe and associated virus?!?!? 1

[ADoozer]

can anybody tell me exactly what LSASS.exe is and if there are any known Virii associated with it.

Norton on my friends machine has lately (in the last week) started reporting that LSASS.exe is trying to access the internet and subsequently blocking it.

ive googled and come across some articles(below) but am unsure what to make of it!

http://www.liutilities.com/products/wintaskspro/processlibrary/lsass/

http://support.microsoft.com/?kbid=308356

http://seclists.org/lists/incidents/2002/Sep/0113.html

any help appreciated

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------

http://www.climateprediction.net/index.php

come on... get involved!
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

 

[ADoozer]

and just to add! the AV is up to date!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------

http://www.climateprediction.net/index.php

come on... get involved!
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

 

[Xemus]

laass.exe is not a virus and does not get infected with any (currently) known viruses. It will be detected as attempting to connect by any outward-monitoring firewall. Just be aware of what it is trying to connect to, tho it will most likely be Microsoft. Why a Local security policy needs to access remote servers, I'm not sure, but someone can probably answer that.
Just make sure you have the latest Windows Updates, and that your AV is updated and scans regularly.

http://www.closedsocket.com

 

[ADoozer]

Xemus: thnx! was just concerned because of one of the articles i read (Security Incidents: new IIS worm? (rcp lsass.exe))

below is the hijackthis log, it looks ok but if anyone sees anything suspect please let me know.

Logfile of HijackThis v1.97.3
Scan saved at 19:02:38, on 27/11/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\TrayIcon.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\WINNT\system32\msmsgri32.exe
C:\WINNT\System32\svchost.exe
C:\winnt\debug\usermode\setup\windows\msdos\catroot\microsoft\windows\system32\rsa\crypto\machinekeys\bootup\mouse\lsass.exe
C:\WINNT\system32\ctfmon.exe
C:\Tbridge\Flatbed.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\norman1.NORMAN\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.ntlworld.com/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINNT\System32\TrayIcon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [System Initialization] C:\WINNT\system32\msmsgri32.exe
O4 - HKLM\..\Run: [lsass] c:\winnt\debug\usermode\setup\windows\msdos\catroot\microsoft\windows\system32\rsa\crypto\machinekeys\bootup\mouse\lsass.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: Detector.lnk = C:\Tbridge\Flatbed.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -

http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) -

http://gamingzone.ubisoft.com/dev/packages/GSManager.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37840.1356944444

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://active.macromedia.com/flash2/cabs/swflash.cab

thnx!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------

http://www.climateprediction.net/index.php

come on... get involved!
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

 

[SYAR2003]

Theese look a bit strange to menever seen path's like this)

Possible : Backdoor.IRC.Aladinz.E

Goto:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.aladinz.e.html

C:\winnt\debug\usermode\setup\windows\msdos\catroot\microsoft\windows\system32\rsa\crypto\machinekeys\bootup\mouse\lsass.exe
O4 - HKLM\..\Run: [lsass] c:\winnt\debug\usermode\setup\windows\msdos\catroot\microsoft\windows\system32\rsa\crypto\machinekeys\bootup\mouse\lsass.exe

 

[nhidalgo]

i believe "lsass.exe" has to due with licenceing and active directory schema.

Nick

 

[SYAR2003]

nhidalgo !

It's a fake file .(the one in the fake directory)
Created by the trojan and hidden away
in that riddicolous path.

The real one
c:\windows\system32\lsass.exe (size 12kb)
and
C:\WINDOWS\system32\dllcache\lsass.exe (size 12kb)
Description: The Windows Local Security Authority Server Process Handles Windows Security

 

[ADoozer]

SYAR2003: spot on! hes deleted the reg entry and it no longer tries to connect to the net and mem usage is down!

If somethings hard to do, its not worth doing - Homer Simpson
------------------------------------------------------------------------

http://www.climateprediction.net/index.php

come on... get involved!
To get the best response to a question, please check out FAQ222-2244 first
A General Guide To Excel in VB FAQ222-3383

 

[SYAR2003]

Thanks glad i convinced you all .
Smelled fishy from the moment i saw that path.

Cheers