Associated Malware Groups
The filename is associated with the malware groups:
- System Back Door
- Cloaked Malware
- Worm
- Malicious Software
File Behavior
LSASS.EXE has been seen to perform the following behavior:
- The Process is packed and/or encrypted using a software packing process
- Found on infected systems and resists interrogation by security products
- Uses low level functions to hide itself from the user and from system/security processes
- Uses rootkit techniques to conceal its presence, interrogation or removal
- Creates a new Background Service on the machine
- Uses DNS to retrieve the IP address for web sites
- Registers a Dynamic Link Library File
- Makes outbound connections to other computers using NETBIOSOUT protocols
- Can communicate with other computers using TCP protocols
- Executes a Process
- Can communicate with other computer systems using HTTP protocols
- This Process Deletes Other Processes From Disk
- This process creates other processes on disk
- Registers or amends SMTP Mail Servers on the public internet
- Sends mail without telling you
- Checks for the use of debuggers
- Reads email address and phone book details
- Visits web sites on your PC without you knowing
- Looks at the contents of the autoexec.bat file
- This Process is a file infector which modifies program files to include a copy of the infection
- Writes to another Process's Virtual Memory (Process Hijacking)
- Modifies the Windows Host File which could be used to stop you visiting specific web sites by redirecting you to alternative addresses without you knowing
- The process hooks code into all running processes which could allow it to take control of the system or record keyboard input, mouse activity and screen contents
- Creates new folders on the system
- Copies files
- Injects code into other processes
- Deletes Links in the Start Menu
- Adds a Link in the Start Menu
- Disables safe mode on your PC
- Downloads program file(s) and other content from the web
- Changes the Internet Explorer Home Page Settings
- Modifies Windows Security Policies to restrict/expand User Privileges on the machine
- Disables the built in Windows File Protection System
- Disables the Built in Windows System Restore Feature
- Changes IE options including home page, security tab, colour, font, advanced and menu settings
- Disables access to the Windows Registry Editor
- Disables Access to the Task Manager built into Windows
- Adds a Registry Key (RUN) to auto start Programs on system start up
- Creates a TCP port which listens and is available for communication initiated by other computers
- Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
LSASS.EXE has been the subject of the following behavior:
- Added as a Registry auto start to load Program on Boot up
- Created as a process on disk
- Executed as a Process
- Copied to multiple locations on the system
- Registered as a Dynamic Link Library File
- Created by processes which appear to be checking for interception by security products
- Has code inserted into its Virtual Memory space by other programs
- Deleted as a process from disk
- Terminated as a Process
- This process has been seen to have code injected by malicious programs
- Created as a new Background Service on the machine
- Executed by Internet Explorer
- Deleted as a Link in the Start Menu
- Added as a Link in the Start Menu
- Executed from Temporary Folders
Country Of Origin
The filename LSASS.EXE was first seen on May 3 2007 in the following geographical regions of the Prevx community:
- The United States on May 3 2007
- Hungary on May 8 2007
- India on Jul 8 2007
- Italy on May 7 2009
- Myanmar on Aug 24 2009
- Egypt on Aug 24 2009
- Moldova, Republic of on Jan 7 2010
- The United Kingdom on Jan 7 2010
File Name Aliases
LSASS.EXE can also use the following file names:
- BOOT.EXE
- BSNL6.EXE
- DITTY.EXE
- MSCONFIG.EXE
- FA CMDRS BREIFING.EXE
- WORM2007[1].EXE
- WORM2007[3].EXE
- EXPLORE.EXE
- DEIDQ.EXE
- CSRSS.EXE
- CMD-BRONTOK.EXE
- HOSTS-DENIED BY-PLUCKY1.COM
- INETINFO.EXE
- SERVICES.EXE
- WINLOGON.EXE
- SMSS.EXE
- BR6525ON.EXE
- RAKYATKELAPARAN.EXE
- KESENJANGANSOSIAL.EXE
- PRYLXOQB.EXE
- CSLOTKF.EXE
- PTUPEJR.EXE
- WSPCPQ[n].HTM
- UTOMB.EXE
- WTNU.EXE
- LSASS.EX_
- PAGEFILE.PIF
- LSASS.EXE.42171.EXE
- PHQ.EXE
- EMPTY.PIF
- FILEMAN.EXE
- DATA GREY HOUSE.EXE
- ~.EXE
- DD1.EXE
- 40829.LOG
- 037589.LOG
- 211594.LOG
- -B7E1BD99716BC1F4AD880049AB929B00593AA78C.EXE
Filesizes
The following file sizes have been seen:
- 20,480 bytes
- 13,312 bytes
- 94,248 bytes
- 105,508 bytes
- 107,520 bytes
- 35,328 bytes
- 44,401 bytes
File Type
The filename LSASS.EXE refers to many versions of an executable program.
File Activity
One or more files with the name LSASS.EXE create, delete, copy or move the following files and folders:
Network Activity
One or more files with the name LSASS.EXE perform the following network events:
Website Activity
One or more files with the name LSASS.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.