
LSASS.EXE Infection Very Disruptive

15-Apr-05 06:46 pm EST

Not sure which trojan was responsible for this, but I installed an infected crack utility recently, which I’ve done with increasing frequency of late. I’m relying on a number of utilities I’ve installed and keep regularly updated to "catch" any infections as or before they happen. I always scan, etc. before using anything downloaded from a questionable source.

But I got taught a lesson this past week. Neither McAfee VirusScan, SpyDoctor nor Microsoft’s AntiSpyware utility caught something that infected the LSASS.EXE file on my main instance of Windows XP. This file is used by Windows to handle local authentication, among other things, and without it your computer can do anything from becoming a node in denial-of-service (DoS) attacks, to staying pinned at 100% CPU use, to stopping working entirely.

In my case it was all of the above.

I had a brief opportunity to try and cleanse the file once I realized what was wrong, but none of the additional utilities I threw at it initially worked, nor did a rogue process appear in the process list. Once I couldn’t log in I hacked away at it for hours, unable to log in or do anything with the infected system.
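Because the malicious code lived inside LSASS.EXE itself rather than in a separate process, the process list was no help. The check below is an added example, not part of the original post: it inspects the on-disk lsass.exe and the running LSASS process directly. It assumes a modern Windows with PowerShell 5.1 or later running elevated (on Windows 8 and later, Get-AuthenticodeSignature also honours catalog signatures, which is how system binaries are signed); the function name Test-LsassIntegrity and the 0.5 CPU-share threshold are my own choices.

```powershell
# Added example, not code from the original post.
# Flags signs that lsass.exe has been replaced or is misbehaving.
$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

function Test-LsassIntegrity {
    $findings = @()

    # 1. On-disk binary: the signature must be valid and chain to Microsoft.
    $sig = Get-AuthenticodeSignature -FilePath $expectedPath
    if ($sig.Status -ne 'Valid') {
        $findings += "lsass.exe signature status is '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "lsass.exe signed by unexpected subject: $($sig.SignerCertificate.Subject)"
    }

    # 2. Running process: exactly one instance, launched from the expected path.
    $procs = @(Get-Process -Name lsass -ErrorAction SilentlyContinue)
    if ($procs.Count -ne 1) {
        $findings += "expected 1 lsass process, found $($procs.Count)"
    }
    foreach ($p in $procs) {
        # Path is $null when we lack rights to read it; only a differing path is a finding.
        if ($p.Path -and ($p.Path -ne $expectedPath)) {
            $findings += "lsass running from unexpected path: $($p.Path)"
        }

        # 3. Sustained high CPU was one of the symptoms described in the post.
        #    CPU is total processor seconds; divide by wall-clock seconds since start.
        try {
            $elapsed = ((Get-Date) - $p.StartTime).TotalSeconds
            if ($elapsed -gt 0 -and $p.CPU -ne $null) {
                $share = $p.CPU / $elapsed
                if ($share -gt 0.5) {   # assumed threshold: half a core, on average
                    $findings += ('lsass has used {0:P0} of one CPU since start' -f $share)
                }
            }
        } catch {
            $findings += "could not read lsass CPU/start time: $($_.Exception.Message)"
        }
    }
    return $findings
}

$result = Test-LsassIntegrity
if ($result.Count -eq 0) { 'lsass.exe looks intact' } else { $result }
```

If the signature check fails, the repair the post goes on to describe (replacing the file from a known-good copy via the Windows recovery environment) is the right direction, and the script can be re-run afterwards to confirm the replacement.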

Eventually, it dawned on me to simply take a non-infected copy of LSASS.EXE and put it on the system. But I guess I’m kinda old-school still. I didn’t realize that the WinXP CD comes with a "Recovery Mode" that allows you to get an MS-DOS prompt and copy files over from floppies or CD-ROM.

Duh.

But, the thought occurred: what if one doesn’t have another instance of WinXP? My online search did reveal one site (http://www.allbootdisks.com) that carries installable instances of every Windows OS, and images of older MS-DOS versions, from which the installation binaries & files could be downloaded. Not sure if this site’s legal, but assuming nobody comes along to shut it down, it’s a very useful recovery tool. Of course, you need a system on which to install the files should disaster strike you as it did me.

Incidentally, as of right now the ProcessLibrary.com website is reporting that LSASS.EXE is the most popular file queried by site visitors, which indicates something’s up with this file for a lot of people at the moment. Wonder if we’ll see any security advisories about worms or viruses that hit this file soon…
