Any info on a worm that targets lsass.exe

Hello-

I was running PE tonight when I noticed that the lsass.exe
was shown as an hidden service.

I have heard of exploits and worms that target this
system service and was currious.
I only have the trial version of PE and can't check out to
much right now.

I ran TDS-3 and nothing showed up,Norton AV,
WormGuard ect.

Anything else anyone might suggest would be awsome!


Peace Paul

 

Hi Brother

I do not know much but......

Process File: lsass or lsass.exe
Process Name: Local Security Authority Service
Description: The Windows Local Security Authority Server Process Handles Windows Security Mechanisms
Common Errors: N/A
System Process: Yes

LSASS.EXE is the Local Security Authority subsystem, and it is vital to the operation of the system. It handles the low-level details of all Windows 2000 security including logins; therefore you cannot do an END TASK on it and you cannot disable it.

Maybe someone else knows more about it

regards ^Ari^

 

Same here....I can research for ya....

 

Local Security Authority Subsystem--used for logon authentication; authenication for file, folder and share access; secondary logons using runas.

CSRSS

Client Server Runtime Sub System--responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.


SVCHOST

Repsonsible for starting your services. See Q250320


This what I found....so far....

 

Windows NT4/2000/XP only. LSASS is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server (in technical jargon : it generates the process that is responsible for authenticating users for the Winlogon service).

Recommendation :
An integral part of the operating system, leave alone.

 

It seems Isass.exe errors are connected to XP Boot/Log-in issues....I'll continue to research!!

 

http://www.informationweek.com/story/IWK20030110S0029

Try here:

 

Also...try this:


http://www.windowsecurity.com/articles/Intrusion_Detection_FAQ.html

 

Hi House of Games! Those are some good resources, glad to see you have the spirit of the board in you

Could I ask you to consolidate your posts when you have things to add in a relatively short time?

Above a post there is a "modify" button, click that and add the new information. This way all of your info is presented in a concise manor instead of spread across multiple threads and/or pages.

If the time span is a few hours or days instead of just minutes, then a new post is fine. We just like to have some sort of protocols to help manage the board with so many great and helpful members.

That would be great thanx!

Enjoy the board!

UNICRON

 

Hello-
Thank you for your help House of games and Krusty.
I know what the service is and what it's for.
I was looking for something more along the lines of
a known exploit or vulnerability that affected
this system service.

I am in super paranoid mode after having to
reformat my hd after just moving,and the movers
lost all of my backups(everythings gone)

I still have My Windows XP disc and Nero 5.0
Power DVD 4.0, SoundBlaster Audigy Plat., and ect
but my backups and games were in a zippered
folder that came up missing.

I get laid-off in the winter,I work for a tree nursery
(Tree farmer....lol) So moneys tight as hell!
I don't want to lose everything again,so I'm
being extra super cautious right now.

I realy don't have anything too lose now,all
that I had was on those cd-r's.
I am still very upset.

I had my bands demos on there poems................
everything!
You know what I mean?
I can't back-up either right now,no money for cd's
so careful.....careful......careful!!!!

I thought there was a bright spot, I found my Deus
EX (g.o.t.y) edition lying near the curb.
I picked it up with glee(happy happy joy joy)
and to my dismay it was cracked .

I am going to make multiple copys for now on!

Thanks guys!

Peace Paul

 

Thank you for your advice......I'm just loking for good "karma"...I get carried away!!!

 

I've seen Warez pirates rename Serv-u-FTP as that file...though it is usually put in a non windows directory...for example:

Fport output:
844 lsass -> 9999 TCP C:\WINNT\AppPatch\lsass.EXE
844 lsass -> 43958 TCP C:\WINNT\AppPatch\lsass.EXE

My guide to do a manual forensics to gather this info is here:
http://www.mynetwatchman.com/kb/security/articles/winforensics/index.htm