Lsass.exe replacement ?

Guest

Hi !

Since December the 18th, my firewall (Kerio) often detects that an
application tries to replace my Lsass.exe file by another one named
"Lsass.exe (export)" (or something like that). I denied the change so far, but the
application replacement still pops up regularly.

I cautiously checked my "Windows XP auto update" and discovered that my
system downloaded 4 patches on December the 17th. One of those patches
(KB885835) was about patching some security breach in lsass.exe.

Before allowing the file replacement, I'd like to be sure that this is no
security attack (Lsass.exe being known for getting targeted by some
"lsasser worm"), and that this file replacement IS the result of the Windows
update downloaded 2 days ago.

Thanks for all help on that subject (and sorry for my poor English)
 
cquirke (MVP Win9x)

On Sat, 18 Dec 2004 19:39:02 -0800, "Ruaidhrigh"

> Since December the 18th, my firewall (Kerio) often detects that an
> application tries to replace my Lsass.exe file by another one named
> "Lsass.exe (export)" (or something like that). I denied the change so far, but the
> application replacement still pops up regularly.

A bit of detail there, please?

Does it say the file has been changed and ask if it should be allowed
to access the Internet or act as a server?

Or is it asking if an existing file can be overwritten by a new one?

> I cautiously checked my "Windows XP auto update" and discovered that my
> system downloaded 4 patches on December the 17th. One of those patches
> (KB885835) was about patching some security breach in lsass.exe.

Then it's likely this will replace the file. If it does so, and the
new version tries to access the Internet, the firewall may detect that
it's not the same file as before. If so, the firewall will ask if you
want to allow it to whatever, just as if it was seeing the file for
the first time (as you may remember when first installing the fw).

> Before allowing the file replacement, I'd like to be sure that this is no
> security attack (Lsass.exe being known for getting targeted by some
> "lsasser worm"), and that this file replacement IS the result of the Windows
> update downloaded 2 days ago.

Understood, yes.

Any code file can be generically infected by a code infector.

Any code file can be specifically replaced by a trojan.

Any file can have the same name or same location as a "real" system
file, but not both at the same time (unless you've enabled POSIX?).

Any file that is on NTFS can have what is effectively another file,
added as an "Alternate Data Stream" or ADS, and that file may appear
to have the same name in Task Manager etc.

However, most LSASS attackers don't replace, infect or trojanize
Lsass.exe as such; rather, they exploit a defect in it to get a
foothold in the system. That *may* mean malware could try to revert a
patched version of this file to an older, vulnerable, one.

All I can do is restate your problem; you need to know whether this
file replacement is the legitimate patching process, or something
else. Perhaps you can submit the troublesome file to an online av
scanning site for an opinion? I would NOT let the site attempt a
"full system scan", for several reasons.


-------------------- ----- ---- --- -- - - - -
Tip Of The Day:
To disable the 'Tip of the Day' feature...
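
The checks raised in the reply above (same name but different location, whether the on-disk file is the patched one, Alternate Data Streams), as an added example that is not part of the original thread. It assumes a current Windows system with PowerShell 4.0 or later and an elevated prompt; the Windows XP of the thread shipped without PowerShell.

```powershell
# Added example, not from the thread. Run elevated, PowerShell 4.0+.
$expected = Join-Path $env:SystemRoot 'System32\lsass.exe'

# 1. Same name, different location: list every running lsass.exe and its image path.
#    ExecutablePath can be empty when the process is protected; treat that as
#    "unknown", not as a match.
Get-CimInstance Win32_Process -Filter "Name = 'lsass.exe'" |
    Select-Object ProcessId, ExecutablePath,
        @{ n = 'InExpectedLocation'; e = { $_.ExecutablePath -eq $expected } }

# 2. Is the on-disk file a Microsoft-signed build, and which version is it?
#    Older PowerShell releases report catalog-signed system files as NotSigned,
#    so a NotSigned result there needs a second check rather than a verdict.
$sig  = Get-AuthenticodeSignature -FilePath $expected
$file = Get-Item -LiteralPath $expected
[pscustomobject]@{
    SignatureStatus = $sig.Status
    Signer          = $sig.SignerCertificate.Subject
    FileVersion     = $file.VersionInfo.FileVersion
    LastWriteTime   = $file.LastWriteTime
    # The hash can be looked up on a scanning site instead of uploading the file.
    SHA256          = (Get-FileHash -LiteralPath $expected -Algorithm SHA256).Hash
}

# 3. Alternate Data Streams: anything besides the unnamed ':$DATA' stream
#    attached to the file deserves a closer look.
Get-Item -LiteralPath $expected -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object Stream, Length

# 4. Is the update named in the thread installed, and when was it applied?
#    Compare InstalledOn with LastWriteTime from step 2.
Get-HotFix -Id 'KB885835' -ErrorAction SilentlyContinue |
    Select-Object HotFixID, InstalledOn
```

A downgrade to an older, vulnerable build, as the reply warns about, would show up as a FileVersion lower than the one the installed update delivers.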
 
David H. Lipman

Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point
8) Please report back your results

Dave



| Hi !
|
| Since December the 18th, my firewall (Kerio) often detects that an
| application tries to replace my Lsass.exe file by another one named
| "Lsass.exe (export)" (or something like that). I denied the change so far, but the
| application replacement still pops up regularly.
|
| I cautiously checked my "Windows XP auto update" and discovered that my
| system downloaded 4 patches on December the 17th. One of those patches
| (KB885835) was about patching some security breach in lsass.exe.
|
| Before allowing the file replacement, I'd like to be sure that this is no
| security attack (Lsass.exe being known for getting targeted by some
| "lsasser worm"), and that this file replacement IS the result of the Windows
| update downloaded 2 days ago.
|
| Thanks for all help on that subject (and sorry for my poor English)
 
