lsass.exe lovsan msblast port 1027 HELP!

Discussion in 'malware problems & news' started by jump, Sep 6, 2003.

Thread Status:
Not open for further replies.
  1. jump

    jump Registered Member

    Nov 21, 2002
    On a notebook workstation on this network had msblast removed by trendmicro's online scan. Norton Antivirus picked up lovsan in what I think was a IE cache file, but I didn't delete it and on second scan it didn't pick it up again.

    This above was just to note it's previous existence on my network.

    the problem now
    2 workstations have open constant connection between them on port 1027 or close number port.
    lsass.exe is the process running on this port. (fport determined)
    Constant connection always has data flow and only when both the workstations are on.

    Does anyone know what this is? How do I fix it?

    In think I noticed in netmonitor on server or a log on gateway something like "mail/browse" .

    Would copying over with a known good copy of lsass.exe fix it?

    Workstations running Win2000sp2 IE5.0 with netbios enabled.
    (yes I know I need to update it)

    While I have really no idea - could it be a netbios hack with data being collected to mail somewhere?
  2. Gaz

    Gaz Registered Member

    Sep 1, 2003
    Run a virus scan from

    It will detect all viruses and unknown ones if you select unknown virus detection.

    However I had port 1027 open last week, I have NO virus atall and I just had to block it in my firewall.

    I think it is the result of the new microsoft update to the RPC service.
  3. CrazyM

    CrazyM Firewall Expert

    Feb 9, 2002
    BC, Canada
    Hi jump

    lsass -> Local Security Authority Service

    lsass.exe is something you will always see running in task manager. The port it opens and listens on is usually associated with IPSec. If you are not using IPSec on your network, go into Services, IPSec Policy Agent, stop it and set it to manual.


Thread Status:
Not open for further replies.