Is this a problem?

Discussion in 'malware problems & news' started by Blackspear, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I am running "Active Ports"; in the list is the following:

    lsass.exe 588 0.0.0.0 500 LISTEN UDP C:\WINDOWS\system32\lsass.exe

    When I look through Google, this lists as something that is a possible Sasser worm infection. I run Nod32 and it comes up clean.

    Suggestions?

    Cheers :D
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Blackspear,

    Are you saying that the port mentioned was never listed previously as being open and listening but now it is, or are you saying that you just noticed it for the first time?

    If you are on XP and have not altered it from default, or are using products and/or services that do network login authentication, then you will have lsass.exe (the Windows Service known as "IPSEC Services") listening on UDP port 500. This service listens for and responds to packets specific to network logon operations. If you go to Control Panel > Administrative Tools > Services and look at "IPSEC Services", does it show as Started?
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for your reply, LWM. I was pointed towards that file by a client yesterday in reference to Sasser Worm on his machine, and when I went snooping around on my machine this morning, I noticed the exact same file. I use "Remote Desktop Connection", so after reading your post I am presuming it has something to do with that. I'll take a look at what you have suggested when I get back home.

    Many thanks...

    Cheers :D
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I have "IPSEC Services" running, thanks again for your help...

    Cheers :D
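
An added example, not part of any post in this thread: a small Python triage of port-listing lines in the format pasted in the first post, checking that a process named lsass.exe really runs from system32 and listens only where the reply says it should (UDP 500). The field order, the `triage` name, the `C:\WINDOWS` install path, the baseline table and the second and third sample lines are assumptions constructed for illustration.

```python
import ntpath
import re

# Field order inferred from the line quoted in the thread (assumption):
# process, PID, local IP, local port, state, protocol, image path.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<path>.+)$"
)
# Assumption: default XP install with Windows in C:\WINDOWS.
SYSTEM_DIR = r"c:\windows\system32"
# Baseline from the thread: lsass.exe on UDP 500 when "IPSEC Services" is
# started. Extend this table with your own machine's known-good listeners.
EXPECTED = {"lsass.exe": {("UDP", 500)}}

SAMPLES = [
    r"lsass.exe 588 0.0.0.0 500 LISTEN UDP C:\WINDOWS\system32\lsass.exe",  # from the thread
    r"lsass.exe 1432 0.0.0.0 500 LISTEN UDP C:\WINDOWS\lsass.exe",          # constructed
    r"lsass.exe 588 0.0.0.0 4444 LISTEN TCP C:\WINDOWS\system32\lsass.exe", # constructed
]


def triage(line, system_dir=SYSTEM_DIR):
    """Return findings for one port-listing line (empty list = nothing odd)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return ["unparsed line"]
    name = m["name"].lower()
    path = ntpath.normpath(m["path"].strip()).lower()
    findings = []
    # The displayed process name should be the file name of the image path.
    if ntpath.basename(path) != name:
        findings.append("process name does not match image file name")
    if name in EXPECTED:
        # A system binary name running outside system32 needs a closer look,
        # even when the antivirus scan comes back clean.
        if ntpath.dirname(path) != system_dir.lower():
            findings.append(f"{name} running from {ntpath.dirname(path)}")
        if (m["proto"], int(m["port"])) not in EXPECTED[name]:
            findings.append(f"{name} on unexpected {m['proto']} port {m['port']}")
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample) or "matches baseline", "<-", sample)
```

A finding here is a prompt to check the Services console as described in the reply, not proof of infection.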
     