LSASS.exe



Mike
20-07-2003, 09:51 AM
What is LSASS.exe? What does it do?

Ever since I logged on this morning (well only about 15 minutes ago) I keep getting firewall messages saying that a remote location is trying to communicate with LSASS.exe and that it's a Low Risk. I've just kept blocking it, but am wondering why it's happening, and what it's for, and should I really be allowing it? I do have win XP automatic update running, so it could be related to that.

Cheers,

Mike.

Hugh Jardon
20-07-2003, 10:27 AM
According to Pacs Portal Startup List:

LSASS.EXE is the Local Security Authority Sub-System. Essentially, it's the file that gives you WinNT/2K/XP. If it can't start you can't get in.

Hugh Jardon
20-07-2003, 10:30 AM
And from Annoyances.com:

LSA Shell (Export Version) (file name lsass.exe) is a component of Windows NT and 2000 operating systems that helps administer access permissions. It sometimes requires access to the Internet to perform legitimate tasks. It is normal for this program to request access permission, and it is safe to grant permission. Keep in mind though Trojan horses and other malware sometimes masquerade as legitimate programs by using the same file name.


Er.... you have heard of Google, haven't you? ;-)

Hugh Jardon
20-07-2003, 10:32 AM
Last one from Symantec: http://216.239.39.104/translate_c?hl=en&u=http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lovgate%40mm.html&prev=/search%3Fq%3Dlsass%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3Dutf-8

W32.HLLW.Lovgate@mm is a mass mailing worm that attempts to email itself to all the email addresses that it finds in the files, with a file extension that starts with "ht" (for example, all the .htm or .hta files). The subject and attachment of the incoming email are chosen from a predetermined list.

W32.HLLW.Lovgate@mm also attempts to copy itself to all the computers on a local network, and then infect these computers. The worm also has a backdoor Trojan capability. By default, the Trojan component listens on port 10168.

If the infected computer runs Windows NT, 2000, or XP, the worm will attempt to disguise itself as the normal Windows process, "LSASS.EXE."
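
An added example, not part of the thread: a triage check for the two indicators quoted above, a process named lsass.exe that does not run from the System32 directory and a listener on the worm's default backdoor port 10168. The `triage` function, the record layout and the sample inventory are constructed for illustration, and the system root is assumed to be `C:\Windows` unless passed in (for example `C:\WINNT` on NT/2000).

```python
import ntpath

LOVGATE_BACKDOOR_PORT = 10168  # default backdoor port from the Symantec text quoted above


def _norm(path):
    # Windows paths are case-insensitive; ntpath behaves the same on any host OS.
    return ntpath.normcase(ntpath.normpath(path))


def triage(processes, listening_ports, system_root=r"C:\Windows"):
    """Return (pid_or_None, finding) tuples for lsass.exe impostors and the backdoor port.

    Hypothetical helper: `processes` is a list of dicts with pid, name and path,
    as exported from any process-listing tool; `listening_ports` is a set of TCP ports.
    """
    expected = _norm(ntpath.join(system_root, "System32", "lsass.exe"))
    findings = []
    for proc in processes:
        if proc["name"].lower() != "lsass.exe":
            continue
        path = proc.get("path")
        if not path:
            # The path is often hidden from unprivileged users; do not guess either way.
            findings.append((proc["pid"], "path unavailable, re-check with admin rights"))
        elif _norm(path) != expected:
            findings.append((proc["pid"], "lsass.exe running from " + path))
    if LOVGATE_BACKDOOR_PORT in listening_ports:
        findings.append((None, "listener on TCP %d" % LOVGATE_BACKDOOR_PORT))
    return findings


# Constructed sample inventory (not taken from a real host).
SAMPLE_PROCESSES = [
    {"pid": 612, "name": "lsass.exe", "path": r"C:\WINDOWS\system32\lsass.exe"},
    {"pid": 1844, "name": "LSASS.EXE", "path": r"C:\Documents and Settings\user\lsass.exe"},
    {"pid": 2020, "name": "lsass.exe", "path": None},
    {"pid": 900, "name": "explorer.exe", "path": r"C:\WINDOWS\explorer.exe"},
]
SAMPLE_LISTENERS = {135, 445, 10168}

if __name__ == "__main__":
    for pid, finding in triage(SAMPLE_PROCESSES, SAMPLE_LISTENERS):
        print(pid, finding)
```

A file name match alone says nothing either way; the full image path is what separates the real process from a copy dropped elsewhere.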

Billy T
20-07-2003, 12:49 PM
Hi Hugh

Your name seems strangely familiar to me, are you by any chance related to Hugh Jastle or Hugh Janus. ?:|

Yours is such a rare name, yet Mrs T reckons she saw another Hugh Jardon just the other day.

Cheers

Billy 8-{) :D