Lsass.exe replacement ?
Ruaidhrigh
Guest
Posted: Sun Dec 19, 2004 8:39 am    Post subject: Lsass.exe replacement ?

Hi !

Since December the 18th, my firewall (Kerio) often detects that an
application tries to replace my Lsass.exe file by another one named "Lsass.
exe (export)" (or something like that). I denied the change so far, but the
application replacement still pops up regularly.

I cautiously checked my "Windows XP auto update" and discovered that my
system downloaded 4 patches on December the 17th. One of those patches
(KB885835) was about patching some security breach in lsass.exe.

Before allowing the file replacement, I'd like to be sure that this is no
security attack (Lsass.exe being known for getting targeted by some
"lsasser worm"), and that this file replacement IS the result of the Windows
update downloaded 2 days ago.

Thanks for all help on that subject (and sorry for my poor English)
cquirke (MVP Win9x)
Guest
Posted: Mon Dec 20, 2004 12:56 am    Post subject: Re: Lsass.exe replacement ?

On Sat, 18 Dec 2004 19:39:02 -0800, "Ruaidhrigh"

Quote:
Since December the 18th, my firewall (Kerio) often detects that an
application tries to replace my Lsass.exe file by another one named "Lsass.
exe (export)" (or something like that). I denied the change so far, but the
application replacement still pops up regularly.

A bit of detail there, please?

Does it say the file has been changed and ask if it should be allowed
to access the Internet or act as a server?

Or is it asking if an existing file can be overwritten by a new one?

Quote:
I cautiously checked my "Windows XP auto update" and discovered that my
system downloaded 4 patches on December the 17th. One of those patches
(KB885835) was about patching some security breach in lsass.exe.

Then it's likely this will replace the file. If it does so, and the
new version tries to access the Internet, the firewall may detect that
it's not the same file as before. If so, the firewall will ask if you
want to allow it to whatever, just as if it was seeing the file for
the first time (as you may remember when first installing the fw).

Quote:
Before allowing the file replacement, I'd like to be sure that this is no
security attack (Lsass.exe being known for getting targeted by some
"lsasser worm"), and that this file replacement IS the result of the Windows
update downloaded 2 days ago.

Understood, yes.

Any code file can be generically infected by a code infector.

Any code file can be specifically replaced by a trojan.

Any file can have the same name or same location as a "real" system
file, but not both at the same time (unless you've enabled POSIX?).

Any file that is on NTFS can have what is effectively another file,
added as an "Alternate Data Stream" or ADS, and that file may appear
to have the same name in Task Manager etc.

However, most LSASS attackers don't replace, infect or trojanize
Lsass.exe as such; rather, they exploit a defect in it to get a
foothold in the system. That *may* mean malware could try to revert a
patched version of this file to an older, vulnerable, one.

All I can do is restate your problem; you need to know whether this
file replacement is the legitimate patching process, or something
else. Perhaps you can submit the troublesome file to an online av
scanning site for an opinion? I would NOT let the site attempt a
"full system scan", for several reasons.

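The checks cquirke describes (is the file genuinely the vendor's, has a second file been hidden on it as an alternate data stream) can be scripted. This is an added example, not code from the thread or from any tool mentioned in it; it assumes PowerShell 4.0 or later on an NTFS volume, and the function name Test-SystemBinary is the author's own.

```powershell
# Added example: inspect a system binary such as lsass.exe before trusting it.
# Assumes PowerShell 4.0+ (Get-FileHash) on NTFS (alternate data streams).
function Test-SystemBinary {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Authenticode: a genuine Windows binary carries a valid Microsoft signature.
    # Caveat: files signed only via a security catalog may show NotSigned on some
    # PowerShell versions; treat that as "check further", not as proof of tampering.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    # Alternate data streams: anything besides the default :$DATA stream is a
    # second payload riding on the file name and needs explaining.
    $ads = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
           Where-Object { $_.Stream -ne ':$DATA' } |
           Select-Object -ExpandProperty Stream

    # Version resource: compare against the version the KB article documents.
    $version = $item.VersionInfo

    [pscustomobject]@{
        Path              = $item.FullName
        SignatureStatus   = $sig.Status
        Signer            = $signer
        SignedByMicrosoft = $signedByMicrosoft
        FileVersion       = $version.FileVersion
        ProductVersion    = $version.ProductVersion
        SHA256            = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        AlternateStreams  = @($ads)
        LooksLegitimate   = $signedByMicrosoft -and (@($ads).Count -eq 0)
    }
}

# Run it against the installed copy; run it again against the replacement the
# updater wants to write and compare signer, version and hash.
Test-SystemBinary -Path "$env:SystemRoot\System32\lsass.exe" | Format-List
```

A replacement whose signer is not Microsoft, whose version is lower than the installed one, or that carries extra streams is the case cquirke warns about (a revert to a vulnerable version) and should be quarantined rather than allowed.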
David H. Lipman
Guest





Posted: Mon Dec 20, 2004 8:49 am    Post subject: Re: Lsass.exe replacement ?

Obtain McAfee's virus and worm removal tool, Stinger: http://vil.nai.com/vil/stinger/

1) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
2) Reboot your PC into Safe Mode
3) Using McAfee Stinger, perform a Full Scan of your platform and clean/delete any
infectors found
4) Restart your PC and perform a "final" Full Scan of your platform
5) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB)
6) Reboot your PC.
7) If you are using WinME or WinXP, create a new Restore point
8) Please report back your results

Dave



"Ruaidhrigh" <Ruaidhrigh@discussions.microsoft.com> wrote in message
news:608275EC-8A21-4CB8-BF19-811F7894F2CE@microsoft.com...
| Hi !
|
| Since December the 18th, my firewall (Kerio) often detects that an
| application tries to replace my Lsass.exe file by another one named "Lsass.
| exe (export)" (or something like that). I denied the change so far, but the
| application replacement still pops up regularly.
|
| I cautiously checked my "Windows XP auto update" and discovered that my
| system downloaded 4 patches on December the 17th. One of those patches
| (KB885835) was about patching some security breach in lsass.exe.
|
| Before allowing the file replacement, I'd like to be sure that this is no
| security attack (Lsass.exe being known for getting targeted by some
| "lsasser worm"), and that this file replacement IS the result of the Windows
| update downloaded 2 days ago.
|
| Thanks for all help on that subject (and sorry for my poor English)