lsass.exe lovsan msblast port 1027 HELP!

Discussion in 'malware problems & news' started by jump, Sep 6, 2003.

Thread Status:
Not open for further replies.
  1. jump (Registered Member; Joined: Nov 21, 2002; Posts: 5)

    A notebook workstation on this network had msblast removed by Trend Micro's online scan. Norton Antivirus picked up lovsan in what I think was an IE cache file, but I didn't delete it and on a second scan it didn't pick it up again.

    The above was just to note its previous existence on my network.

    The problem now:
    2 workstations have an open, constant connection between them on port 1027 or a close-numbered port.
    lsass.exe is the process running on this port (determined with fport).
    The constant connection always has data flow, and only when both workstations are on.



    Does anyone know what this is? How do I fix it?
    PLEASE HELP!


    I think I noticed in netmonitor on the server or a log on the gateway something like "mail/browse".


    Would copying over with a known good copy of lsass.exe fix it?

    Workstations running Win2000sp2 IE5.0 with netbios enabled.
    (yes I know I need to update it)


    While I have really no idea - could it be a netbios hack with data being collected to mail somewhere?
     
  2. Gaz (Registered Member; Joined: Sep 1, 2003; Posts: 32)

    Run a virus scan from www.pandasoftware.com/activescan

    It will detect all viruses and unknown ones if you select unknown virus detection.

    However, I had port 1027 open last week; I have NO virus at all and I just had to block it in my firewall.

    I think it is the result of the new Microsoft update to the RPC service.
     
  3. CrazyM (Firewall Expert; Joined: Feb 9, 2002; Posts: 2,428; Location: BC, Canada)

    Hi jump

    lsass -> Local Security Authority Service

    lsass.exe is something you will always see running in task manager. The port it opens and listens on is usually associated with IPSec. If you are not using IPSec on your network, go into Services, IPSec Policy Agent, stop it and set it to manual.

    Regards,

    CrazyM
     