LSASS.EXE - Dangerous
What you should do about LSASS.EXE:
Check Your PC Now
Your PC may be infected. The presence of a file called LSASS.EXE is a possible sign of infection.
You should urgently check your PC to make sure it is not infected. The free version of Prevx CSI will scan your PC in less than two minutes and check for millions of spyware and malware infections including LSASS.EXE. Don't take the risk, check your PC now by clicking the green button.
Who Uses Prevx CSI?
Prevx has been detecting the threats that others miss since 2004.
More than 2,051,197 people have scanned with Prevx CSI and between them have checked 29.2 billion files. 65% of the PCs scanned had malware present.
What we know about LSASS.EXE:
The filename LSASS.EXE was first seen on May 22 2007 in The UNITED STATES. It has also been seen in the following geographical regions of the Prevx community:
- MALAYSIA on Aug 21 2007
- The EUROPEAN UNION on Jul 10 2007
- CANADA on Jul 10 2007
- The UNITED KINGDOM on May 22 2007
- PHILIPPINES on Sep 24 2007
- SPAIN on May 5 2008
The most common file size is 107,520 bytes. But the following file sizes have also been seen:
- 56,832 bytes
- 43,072 bytes
- 81,920 bytes
- 278,619 bytes
- 77,824 bytes
- 101,896 bytes
The unsafe files using this name are associated with the malware group Backdoor.IRCBot.gen.Some files using the name LSASS.EXE are also associated with the malware groups:
- TROJAN.AGENT.GEN
- Backdoor.Trojan
- BackDoor.Generic5.NIM
- Trojan.SystemPoser
- Worm.Brontok.Gen
- Trojan.System32.Hijacker
LSASS.EXE has been seen to perform the following behavior(s):
- The Process is packed and/or encrypted using a software packing process
- Executes a Process
- Registers a Dynamic Link Library File
- This Process Deletes Other Processes From Disk
- This Process Creates Other Processes On Disk
- Modifies Windows Security Policies to restrict/expand User Privlidges on the machine
- Disables the Built in Windows System Restore Feature
- Disables the built in Windows File Protection System
- Can communicate with other computer systems using HTTP protocols
- Adds a Link in the Start Menu
- Changes the Internet Explorer Home Page Settings
- Disables Access to the Task Manager built into Windows
- Disables Access to the Windows Registry Editior
- Modifies Windows Initialization And System Settings Used On Start up
- Changes to the file command map within the registry
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
- Terminates Processes
- Changes Windows Firewall Control Settings to allow itself to communicate with other computers
- Writes to another Process's Virtual Memory (Process Hijacking)
- Creates a new Background Service on the machine
- Looks at the contents of the autoexec.bat file
- Reads email address and phone book details
- Uses DNS to retrieve the IP address for web sites
- Adds Products to the system registry
- Executes Processes stored in Temporary Folders
- Downloads hidden code from covert web sites
- Downloads program file(s) from the web
- This Process is a file infector which modifies program files to include a host a copy of the infection
- Enables an In Process Object/Server - Common with DLL Injections
- Visits web sites without the user knowing
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Deletes Links in the Start Menu
- Creates potentially fake system tray messages and error warnings
- Opens pop up browser windows
LSASS.EXE has been the subject of the following behavior(s):
- Executed as a Process
- Created as a process on disk
- Executed by Internet Explorer
- Deleted as a process from disk
- Added as a Link in the Start Menu
- Executed from Temporary Folders
- Has code inserted into its Virtual Memory space by other programs
- Terminated as a Process
- Added as a Registry auto start to load Program on Boot up
- Registered as a Dynamic Link Library File
- Copied to multiple locations on the system
- Created as a new Background Service on the machine
- Deleted as a Link in the Start Menu
LSASS.EXE can also use the following file names:
- YAM-WIN.EXE
- YAMIPOD.EXE
- WINAUDIT.EXE
- WHOISTD.EXE
- WHOISTHISDOMAIN.EXE
- TREEPAD.EXE
- TREEPAD LITE.EXE
- STARTUPLIST.EXE
- SMSNIFF.EXE
- SMARTSNIFF.EXE
- ROCKXP.EXE
- FTPSERVER3LITE.EXE
- QUICK `N EASY FTP SERVER LITE.EXE
- QM-2_2.EXE
- QM - THE QUICK MAILER.EXE
- OMZIFF.EXE
- HTTP FILE SERVER (HFS).EXE
- FTPWANDERER2.EXE
- FOLLOWMEIP LITE.EXE
- DRIVE MANAGER.EXE
- CPICTURE LE.EXE
- CC260.EXE
- COUNTRY CODES.EXE
- CONVERT.EXE
- ANGRY IP SCANNER.EXE
- PRG.EXE
- A43 FILE MANAGEMENT UTILITY.EXE
- 19 HANDY PROGRAMS TO PUT ON A USB STICK.EXE
- X.EXE
- KEYGEN ALL PRODUCTS.EXE
- A.I.O. - KEYGEN ALL PRODUCTS`.EXE
- A.I.O. - TINY HANDY TOOLS V3.0 - 12IN1`.EXE
- WORM2007[1].EXE
- EXPLORE.EXE
- SVCHOST32.EXE
- NEW FOLDER.EXE
- MSCONFIG.EXE
- DD2.EXE
- 08723653.EXE
- WORM2007.EXE
- BOOT.EXE
- WORM2007[2].EXE
- 32140189.EXE
- WORM2007_2.EXE
- 15376885.BAK
- AUTORUN.PIF
- DPTRRISMEV-73.PMS.EXE
- 8AB043FA69A50A71598079EB210AE381.PIF
- ARPA.EXE
- 65770769.SVD
- DPTRMIYABI-470.PMS.EXE
- BCF69ADBB161BAD334D7236548311DE9.EXE
- SMSS.EXE
- J6100022.EXE
- C_10002K.COM
- SV711204230R.EXE
- O4100027.EXE
- _DEFAULT10002.PIF
- YESBRON.COM
- RELEASE.EXE
- TEMPPE.EXE
- DEBUG.EXE
- OBJ.EXE
- MY PROJECT.EXE
- FILE.EXE
- WAWA.EXE
- ESTONACTOC, HAROLD M.EXE
- C++.EXE
- BIN.EXE
- SALARY.EXE
- 3-VARIABLES_FILES.EXE
- 4-DECISIONS_FILES.EXE
- COMPROHAND.EXE
- HAROLD ESTONACTOC.EXE
- RESOURCES.EXE
- WINDOWSAPPLICATION9.EXE
- VB.NET`.EXE
- RONEL2.EXE
- COMSYS.EXE
- TEMP.EXE
- BACKUP.EXE
- _UPGRADEREPORT_FILES.EXE
- ESTONACTOC, HAROLD.EXE
- DPTRNILALL-233.PMS.EXE
- D68100C9695EB88052D8606A5AC00BE1.EXE
- D68100C9695EB88052D8606A5AC00BE1.PIF
- PAGEFILE.PIF
- ~.EXE
- 037589.LOG
- 111626.LOG
- 92972278.SVD