Author Topic: lsass.exe  (Read 9226 times)


Shalft

  • Guest
lsass.exe
« on: November 11, 2005, 08:46:22 AM »
Recently I downloaded a file and ran the executable. Avast didn't pick it up as a virus or whatever until I executed it and it spawned processes and created other files, which Avast did pick up.

To cut to the chase, it wasn't harmful and did not damage any of my files (as far as I know), but it left me with a pretty stuffed up PC.

1. lsass.exe was located at C:\Windows\
2. lsass.exe was registered as a 'service' under the display name "Local Security Authority Subsystem Service" with the description "Microsoft Path Finder Service Displays Internet Routing Paths."
3. Total internet lockdown caused by lsass.exe (bad version)
4. After removing lsass.exe from Safe Mode, I noticed something else was also stuffed up with my computer.

Remote computer cannot access my computer and it had the following error message "\\computername is not accessible. You might not have permission to use this network resource. Contact the administrator of this server to find out if you have access permissions. Logon failure: the user has not been granted the requested logon type at this computer".

Normally I would blame my networking skills, but I never had the problem for exactly 10 months, and all of a sudden it started doing that after I executed the stupid downloaded file that I shouldn't have.

And to test that my theory was right, I went to the other PC that I have, infected it, and found that my PC cannot access that remote PC (it was working minutes before I infected that PC). So, yay, I've got two dead PCs (well, not exactly dead, they just can't perform Windows networking).

Any suggestion on what I should do about this crazy little devil virus or something similar???


EDIT: I resolved it by formatting my computer (no more network problem), but I'm 100% sure that it was caused by that lsass.exe, or at least by the executable file that created the lsass.exe.

Perhaps you guys want the real thing to test on your test computers?

The file lsass.zip.jpg is to be renamed to lsass.zip (since I have nowhere else to dump the file).

lsass.zip
 |- crack.rar
 |     |- crack-fff.exe (exec file that will create lsass.exe and others upon execution)
 |- lsass.exe (the actual infected file)
 |- lsass.exe.npg (screenshot)
 |- regedit_lsass.exe.reg (export from registry)

[EDIT: attachment removed]
« Last Edit: November 16, 2005, 10:31:49 AM by igor »

galooma

  • Guest
Re: lsass.exe
« Reply #1 on: November 11, 2005, 10:02:32 AM »
I will have to make some presumptions, as you give me no idea what OS you are running.
Can you perform a System Restore?
Is there a reason why you don't name the file, or the name Avast gave to the infection?
Most virii have been removed successfully, and if you Google search the name you might find out how.
Sorry, I can't help you without this info.
Good luck :)

Spiritsongs

  • Guest
Re: lsass.exe
« Reply #2 on: November 11, 2005, 09:17:12 PM »
:) Are you still in the computer repair business? Are you saying you had two lsass.exe on your computer at the same time? Are either or both of the computers unable to access the internet? I found the following:

"Note: lsass.exe also relates to the Windang.worm, irc.ratsou.b, Webus.B, MyDoom.L, Randex.AR, Nimos.worm which spread via floppy disk drives, mass-mailing and peer-to-peer sharing. Please review file path for clarification of this.

Determining whether this process is a virus or a Windows process depends on the directory location it executes or runs from in WinTasks."

dzikrul_maut

  • Guest
Re: lsass.exe
« Reply #3 on: November 14, 2005, 01:03:47 PM »
Hey... I'm a newbie on this forum, so first of all :) hello :) to everybody, and I'm really hoping that the people here can help me...

I think I'm also infected with this lsass.exe virus.

My spec is: AMD Athlon 64 2 GHz, Windows XP Pro SP1, Avast 4.6, iAVS 0545-2

But I didn't experience what happened to Shalft. Avast didn't detect ANYTHING, and my Windows performance hasn't slowed down or anything. I'm curious because one of my friends had this virus and it really destroyed his computer, and another friend had his computer slowed extremely because he had two lsass in his Task Manager.

Could anybody help me... Oh yeah, there's also a rumor in my area saying that this virus is from a university near my town (by the way, I'm from Jakarta, Indonesia). They say this virus was created at a technology university in Bandung. Some also said that this virus could already be detected by Norton Antivirus 2005, but suddenly a new variant of the virus came and it became undetected... I'm really desperate about this... I really trust Avast, so if this really is a virus from my country, I want to help Alwil make Avast stronger, because I've already done some research which showed that Avast couldn't detect most viruses that were created in Indonesia.

I think that's all from me. If the Avast crew want to contact me, you can do it anytime via this email.

God Bless Us All ;D

PS: I'm reeeeaaallly sorry if my English is really bad. I hope that you understand what I mean... :-[

Shalft

  • Guest
Re: lsass.exe
« Reply #4 on: November 16, 2005, 09:44:19 AM »
bump

read the edited post above for more details

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33946
  • malware fighter
Re: lsass.exe
« Reply #5 on: November 16, 2005, 11:33:32 AM »
Hello Shalft,

The one file starting with L is legitimate, the other with I or i is part of a trojan. Look here:
http://www.spyany.com/files/Isass_exe.html

greets,

polonus
« Last Edit: November 16, 2005, 11:38:18 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Shalft

  • Guest
Re: lsass.exe
« Reply #6 on: November 19, 2005, 01:48:07 AM »
Hello Shalft,

The one file starting with L is legitimate, the other with I or i is part of a trojan. Look here:
http://www.spyany.com/files/Isass_exe.html

greets,

polonus

Thanks Polonus, but the file is not isass.exe; if you download the .zip file you can see.

Not only that, once this lsass.exe is run you cannot end task it, because it will come up with a dialog saying that it's a critical system process and that the Task Manager cannot end the process. (After all, I guess that is the idea.)

So, why hasn't anyone helped me with an answer to resolve it for future purposes, or at least done something about it, perhaps adding it to the Avast definition list? Shrug. Just let me know what is going on.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: lsass.exe
« Reply #7 on: November 19, 2005, 10:00:57 AM »
lsass.exe is a legitimate Windows process, and also a symptom of various worms when found somewhere it shouldn't be. New variants are constantly emerging, so I guess you had a new variant which avast! didn't recognise.

http://www.neuber.com/taskmanager/process/lsass.exe.html

Worms like Sasser exploit a vulnerability in the Windows LSASS:

http://ask-leo.com/what_are_lsass_lsassexe_and_sasser_and_how_do_i_know_if_im_infected_what_do_i_do_if_i_am.html

Ending the process lsass.exe will not help because this is a legitimate process. The malware may be exploiting this process to run.

So it's important to update your OS to patch any security vulnerabilities.

Other worms masquerade as the Windows LSASS:

http://securityresponse.symantec.com/avcenter/venc/data/w32.nimos.worm.html

This actually sounds more like your problem. If you have more than one lsass.exe running, you can use Process Explorer from SysInternals to see where they are running from.

The solution is to scan for and remove the worm which is causing the problem and remove associated registry changes.

I'm sure Igor has added this worm to avast!'s definitions by now, but if you're going to download and run crack files, you're still going to leave yourself open to infection by worms. No AV can identify every piece of malware out there.
Bambleweeny 57 sub-meson brain | Don't Surf in the Nude Blog
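The checks FreewheelinFrank (Process Explorer, "see where they are running from") and polonus (capital-I "Isass" lookalike) describe, scripted as an added example that is not from any poster in this thread. It assumes a modern Windows host with PowerShell and CIM available, and uses the two tells from Shalft's first post: the file sitting in C:\Windows\ instead of System32, and a service registered under an LSA-style display name pointing at that file.

```powershell
# Added example (not from the thread): flag lsass.exe lookalikes.
# Assumption: the genuine lsass.exe runs from %SystemRoot%\System32 and, on
# Vista and later, is started by wininit.exe. Anything named like lsass that
# runs from elsewhere (e.g. C:\Windows\lsass.exe as in the thread) is suspect.

$system32 = Join-Path $env:SystemRoot 'System32'
$legit    = Join-Path $system32 'lsass.exe'
$procs    = Get-CimInstance Win32_Process

# 1. Processes whose name looks like lsass, including the "Isass"/"1sass"
#    homoglyphs, whose image path is not the real binary or cannot be read.
$hits = $procs |
    Where-Object { $_.Name -match '^[lI1]sass(\.exe)?$' } |
    ForEach-Object {
        $parent = $procs | Where-Object ProcessId -eq $_.ParentProcessId
        [pscustomobject]@{
            Pid        = $_.ProcessId
            Name       = $_.Name
            Path       = $_.ExecutablePath
            ParentName = if ($parent) { $parent.Name } else { '<gone>' }
            Suspect    = (-not $_.ExecutablePath) -or
                         ($_.ExecutablePath -ine $legit) -or
                         ($parent -and $parent.Name -ine 'wininit.exe')
        }
    }
$hits | Format-Table -AutoSize

# 2. Services that borrow the LSA display name (or the odd "Path Finder"
#    description from Shalft's post) but whose binary lives outside System32.
#    The real LSA-hosted services all resolve to System32\lsass.exe, so the
#    path test leaves them alone.
Get-CimInstance Win32_Service |
    Where-Object {
        ($_.DisplayName -match 'Local Security Authority' -or
         $_.Description -match 'Path Finder') -and
        ($_.PathName -notmatch [regex]::Escape($system32))
    } |
    Select-Object Name, DisplayName, State, StartMode, PathName, Description |
    Format-List

# A Suspect=True row, or any service listed by step 2, is the thing to scan,
# stop from Safe Mode and clean up in the registry, as the replies above say.
```

Run it from an elevated prompt; without admin rights ExecutablePath comes back empty for the real lsass.exe and step 1 will flag it as unreadable rather than as a confirmed fake.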