Any info on a worm that targets lsass.exe

Discussion in 'malware problems & news' started by brotherfreakshow, Jan 14, 2003.

Thread Status:
Not open for further replies.
  1. brotherfreakshow

    brotherfreakshow Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    19
    Location:
    Ohio
    Hello-

    I was running PE tonight when I noticed that the lsass.exe
    was shown as an hidden service.

    I have heard of exploits and worms that target this
    system service and was currious.
    I only have the trial version of PE and can't check out to
    much right now.

    I ran TDS-3 and nothing showed up,Norton AV,
    WormGuard ect.

    Anything else anyone might suggest would be awsome!


    Peace Paul :)
     
  2. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Hi Brother

    I do not know much but......

    Process File: lsass or lsass.exe
    Process Name: Local Security Authority Service
    Description: The Windows Local Security Authority Server Process Handles Windows Security Mechanisms
    Common Errors: N/A
    System Process: Yes

    LSASS.EXE is the Local Security Authority subsystem, and it is vital to the operation of the system. It handles the low-level details of all Windows 2000 security including logins; therefore you cannot do an END TASK on it and you cannot disable it.

    Maybe someone else knows more about it

    regards ^Ari^
     
  3. Same here....I can research for ya.... o_O
     
  4. Local Security Authority Subsystem--used for logon authentication; authenication for file, folder and share access; secondary logons using runas.

    CSRSS

    Client Server Runtime Sub System--responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.


    SVCHOST

    Repsonsible for starting your services. See Q250320


    This what I found....so far....
     
  5. Windows NT4/2000/XP only. LSASS is the Local Security Authentication Server. It verifies the validity of user logons to your PC/Server (in technical jargon : it generates the process that is responsible for authenticating users for the Winlogon service).

    Recommendation :
    An integral part of the operating system, leave alone.
     
  6. It seems Isass.exe errors are connected to XP Boot/Log-in issues....I'll continue to research!!
     
  7. http://www.informationweek.com/story/IWK20030110S0029

    Try here:
     
  8. Also...try this:


    http://www.windowsecurity.com/articles/Intrusion_Detection_FAQ.html
     
  9. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Hi House of Games! Those are some good resources, glad to see you have the spirit of the board in you :)

    Could I ask you to consolidate your posts when you have things to add in a relatively short time?

    Above a post there is a "modify" button, click that and add the new information. This way all of your info is presented in a concise manor instead of spread across multiple threads and/or pages.

    If the time span is a few hours or days instead of just minutes, then a new post is fine. We just like to have some sort of protocols to help manage the board with so many great and helpful members.

    That would be great thanx!

    Enjoy the board!

    UNICRON
     
  10. brotherfreakshow

    brotherfreakshow Registered Member

    Joined:
    Jan 7, 2003
    Posts:
    19
    Location:
    Ohio
    Hello-
    Thank you for your help House of games and Krusty.
    I know what the service is and what it's for.
    I was looking for something more along the lines of
    a known exploit or vulnerability that affected
    this system service.

    I am in super paranoid mode after having to
    reformat my hd after just moving,and the movers
    lost all of my backups(everythings gone)

    I still have My Windows XP disc and Nero 5.0
    Power DVD 4.0, SoundBlaster Audigy Plat., and ect
    but my backups and games were in a zippered
    folder that came up missing.

    I get laid-off in the winter,I work for a tree nursery
    (Tree farmer....lol) So moneys tight as hell!
    I don't want to lose everything again,so I'm
    being extra super cautious right now.

    I realy don't have anything too lose now,all
    that I had was on those cd-r's.
    I am still very upset.

    I had my bands demos on there poems................
    everything!
    You know what I mean?
    I can't back-up either right now,no money for cd's
    so careful.....careful......careful!!!!

    I thought there was a bright spot, I found my Deus
    EX (g.o.t.y) edition lying near the curb.
    I picked it up with glee(happy happy joy joy)
    and to my dismay it was cracked .

    I am going to make multiple copys for now on!

    Thanks guys!

    Peace Paul
     
  11. Thank you for your advice......I'm just loking for good "karma"...I get carried away!!! :cool:
     
  12. NetWatchman

    NetWatchman Security Expert

    Joined:
    Jul 24, 2002
    Posts:
    31
    I've seen Warez pirates rename Serv-u-FTP as that file...though it is usually put in a non windows directory...for example:

    Fport output:
    844 lsass -> 9999 TCP C:\WINNT\AppPatch\lsass.EXE
    844 lsass -> 43958 TCP C:\WINNT\AppPatch\lsass.EXE

    My guide to do a manual forensics to gather this info is here:
    http://www.mynetwatchman.com/kb/security/articles/winforensics/index.htm
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.