A new twist on W32.Spybot.Worm and Windows (XP) file lsass.exe ?

By biscuit
Dec 10, 2005
  1. I've read a lot of the threads about possible viruses and am now wondering if a new-ish variant of W32spybot isn't just getting started. I was hit with W32.Spybot.Worm after doing a very foolish thing. Three days ago I downloaded, but didn't install, a replacement Beta MicrosoftAntiSpy. This was after reformatting my laptop hard drive, reinstalling Win XP, setting the Norton firewall and AV configs, downloading updates, and installing other clean programs. In my haste to get my computer back up to speed I didn't go directly to MS for the antispy program... I know, shame on me... a first in 24 years of computing, and a big oops, as it turns out.

    I unzipped and ran the setup for the program this AM and was immediately alerted to the presence of this worm. A NAV scan found 24 instances of it, 23 of them in the Microsoft Antispy program folder. I followed Symantec's recommendations for deleting the files and registry entries, got rid of the program, re-scanned and found only the one file still intact. It traces to WINDOWS/lsass.exe, and can't be fixed. My online research finds no references to the worm identified by this exact filename. I have found, on this site and others, several mentions of attacks tracked to lsasss.exe (an extra s), lsassz.exe (an added z), and saw both spellings with and without the capital L, but I find absolutely nothing about the worm masquerading as lsass.exe. Symantec's instructions for deleting registry entries for the lsasss and lsassz (and other w32spybot variants) don't jibe with my Service registry folders, so I stopped to research it more. I've already had to reboot from Safe once, and revert another time to an earlier config that was more stable.

    Forgive my lengthy post but it seems from all I've read that this strain, whether it's new or not, is quite resistant, and the more information we share, the sooner a fix is possible. Unlike others posting on this site about a similar problem, I CAN access Task Manager (so far) but of course can't delete the lsass.exe processing. I've rebooted twice and won't do it again until I move intact zipped programs and files to an external hard drive for safekeeping. The lsass file size doubled almost right away after I highlighted it in TM and clicked delete; it's humming right along, gulping CPU and memory. I may have TM available whereas other people don't but I do experience two things that others aren't writing about. At startup, as fast as Windows opens I get a 'Network Connection' notice (definitely not a Norton alert) that 'you or a program has requested to connect to', and 'which connection do you want to use'. Action choices are 'connect' and 'cancel', along with a box I can check that says 'don't ask again until the next startup'. The second thing that happens immediately after startup is a Norton Firewall alert asking if I want to allow WINDOWS/lsass.exe to access the internet; the threat risk is LOW. Fortunately my firewall is set to block all outgoing and incoming on all ports until I temporarily unblock a program for use and plug in the modem. I was suspicious when an executable file that I'd twice set at 'always block' was somehow unblocking its setting and trying to connect again.

    I'll continue reading your advice to other posters and try those solutions. But I do want to say that this doesn't seem like the good-old W32.spybot.Worm that we've heard about. Something is just too weird, considering it isn't recognized by AV programs yet. Any feedback is welcome!
  2. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 6,503

    Thanks for the warning.
    While you are saving your personal data, before you 'fix/repair/reinstall', disconnect your PC physically from the internet. You don't know what the Trojan is transmitting!
  3. biscuit

    biscuit TS Rookie Topic Starter

    Update: A new twist on W32.Spybot.Worm and Windows (XP) file lsass.exe ?

    Hooray, good news! Eliminated that rotten file. It isn't a worm, despite the word being in its name, but a virus. Failed repeatedly to delete it until I ran HJT (a grand program, btw) and deleted it that way. That didn't actually delete it but I gained access by doing that first. Then I was able to remove it from the registry and Admin Tools/Services. When I did so (recall that it was C:\Windows\lsass.exe) the legit file returned to the TM process list. The true name of the actual file is Windows\system32\lsass.exe. Bless HJT! I located the properties of the phony file and it was set to reload indefinitely upon every failure to start, and to start before Windows loaded. What a mess. After I deleted it successfully I was able to find its two trojans and disable them; will delete after I look at them a bit more. One trojan was disguised as yet another legit file, Norton's CCapp. It's bad news when these critters can move legit and necessary files and replace them with itself. Nasty business.

    I downloaded all the programs you listed in a couple READ: threads and like them all. I found one trojan and Spybot Search & Destroy found the other one. Neither of them registered until the lsass.exe was deleted though; I thought that odd. Now I think I'll try to locate the site that I downloaded the Microsoft file from and turn it in to MS. Thanks for your email; yes, the first thing I do at the sign of trouble is unhook everything from the computer except the mouse and power cord to prevent anything being sent out. I don't drink beer, but will toast you with a scotch if that's OK.
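A defender's check for the two tricks this thread describes, an impostor `lsass.exe` living in `C:\Windows` instead of `C:\Windows\system32`, and look-alike names such as `lsasss.exe` or `lsassz.exe`, written here as an added example (not code from the thread or from any of the tools mentioned). The process list at the bottom is constructed sample data, and the `csrss.exe` entry extends the same directory check to a second core binary.

```python
# Added example: flag processes whose image name matches a core Windows binary
# but whose directory is wrong, or whose name is one edit away from such a binary.
from pathlib import PureWindowsPath

# Legitimate directory (relative to the drive root, lower-case) per protected
# binary. lsass.exe is the case from the thread; csrss.exe generalises the check.
EXPECTED_DIR = {
    "lsass.exe": r"windows\system32",
    "csrss.exe": r"windows\system32",
}

def within_one_edit(a: str, b: str) -> bool:
    """True if the two names differ by one inserted, dropped or substituted char."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                      # make a the longer (or equal) string
    return any(a[:k] + a[k + 1:] == b or a[:k] + b[k:k + 1] + a[k + 1:] == b
               for k in range(len(a)))

def classify(image_path: str) -> str:
    """Return 'ok', 'wrong-directory' or 'lookalike-name' for one image path."""
    p = PureWindowsPath(image_path)
    name = p.name.lower()
    parent = str(p.parent).lower().rstrip("\\")
    if name in EXPECTED_DIR:
        expected = EXPECTED_DIR[name]
        if parent == expected or parent.endswith("\\" + expected):
            return "ok"
        return "wrong-directory"         # e.g. C:\WINDOWS\lsass.exe
    if any(within_one_edit(name, known) for known in EXPECTED_DIR):
        return "lookalike-name"          # e.g. lsasss.exe, lsassz.exe
    return "ok"

def suspicious(image_paths):
    verdicts = ((p, classify(p)) for p in image_paths)
    return [(p, v) for p, v in verdicts if v != "ok"]

# Constructed sample: real lsass, the impostor from the thread, a look-alike
# name from the same family, and an ordinary program.
SAMPLE = [
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\WINDOWS\lsass.exe",
    r"C:\WINDOWS\system32\lsasss.exe",
    r"C:\Program Files\Notepad++\notepad++.exe",
]

if __name__ == "__main__":
    for path, verdict in suspicious(SAMPLE):
        print(f"{verdict:16} {path}")
```

On a live Windows host the same functions can be fed the `ExecutablePath` column of `wmic process get executablepath` or the `Path` property of PowerShell's `Get-Process`; either way the verdict is a reason to inspect the service and its recovery settings, not proof of infection by itself.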
  4. forednz

    forednz TS Rookie

    Similar problems

    I think I also have a variant of this virus. It started from P2P, downloading a file I should have been more careful about. My anti-virus stopped, so I formatted the drive and reinstalled Windows with a new MBR, and when started the PC is very slow. I installed a copy of 2005 Norton's and it picked up nothing, even with a boot from Norton's CD. Earlier online scans at McAfee told me I had these viruses: w32.spybot.worm, download trojan, spyware.e2give, medload, netoptimizer, adware.cdt, goaway.trojan. Since the format I am having a lot of trouble with removable drives etc. Also Windows Update plays up and causes my PC to shut down, giving me 60 seconds. I have tried a total reboot with a new MBR, even left the PC battery out all night to try and wipe memory before the format, to no avail. I can open Task Manager but cannot close some programs, including Messenger, from starting at startup. I also get a generic process from Win32 trying to connect to the internet; no matter what I tell Norton's to do with it, the same process comes back through Norton's firewall and asks for access. Did you manage to sort your PC out, as I would like to know how. Thanks
  5. biscuit

    biscuit TS Rookie Topic Starter

    Sorry to hear you have this ornery virus. The only way I found to completely eliminate it was to wipe the disk before re-installing the OS. Since this virus apparently loads at bootup, and before Windows, it isn't enough to format or install a fresh copy of the OS on the drive. I used a 3-pass wipe that also allowed me to erase SYS files... not all products erase SYS or hidden files, and you may need one that will. Darik's Boot and Nuke (DBAN), recommended elsewhere on this website, would work well too. DBAN was a miracle cure for ridding a hard drive of Norton's rotten GoBack too. Good luck!
    - Biscuit