blacksun-networks

asked on

What is "xplsass.exe" ?

Ok, lots and lots of info on lsass, but this is not lsass.

Recently we had what looked like a virus or worm infection on the network: lots and lots of traffic going out the gateway until it killed the entire switch. We were in the middle of a migration from Symantec to AVG, so we thought maybe we had out-of-date clients or whatever.

Many, many hours of isolation and monitoring later, we find that the machines chattering the loudest all seem to have an application running called xplsass.exe. Some machines were running two copies. In some cases xplsass was using 99% of the processor and making the machine effectively unusable.

Each machine that was using xplsass was pounding on the gateway at about 35 Kb/sec per instance of xplsass. The traffic was all listed as designated for the gateway IP, MAC address FF-FF-FF-FF-FF-FF.

Virus scans do not pick up xplsass as a virus.

Deleting xplsass, restarting the machine and logging in seems to eliminate the traffic with no problems; the actual lsass is running normally.

My concern is that I am deleting this file from the system32 folder and don't know what the heck it is... nothing on Google, Experts Exchange, Microsoft or MSDN.

All the machines are Windows XP SP1.

Looking forward to any help.
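The hunt described in the question (find the process that is chattering, notice that its name wraps a real system process name, notice it runs twice, check where it lives) can be scripted. The block below is an added example, not code from the post or from Experts Exchange. It runs over a constructed process listing modelled on the symptoms above and flags three things: a name that embeds or nearly matches a core Windows process name (xplsass.exe around lsass.exe), a singleton system process running more than once, and a system process image outside its expected path. The KNOWN table (expected paths and which processes are singletons) and the comma-separated input shape are assumptions of the example, not an authoritative Microsoft list.

```python
"""Triage a Windows process list for system-process lookalikes.

Added example (not part of the original post). The KNOWN table below is an
assumption for an XP-era system; adjust it for the OS version you run.
"""
from collections import Counter
from dataclasses import dataclass

# Core Windows processes that malware likes to imitate: expected image path
# and whether exactly one instance is normal. ASSUMPTION for this example.
KNOWN = {
    "lsass.exe":    (r"c:\windows\system32\lsass.exe",    True),
    "csrss.exe":    (r"c:\windows\system32\csrss.exe",    True),
    "services.exe": (r"c:\windows\system32\services.exe", True),
    "winlogon.exe": (r"c:\windows\system32\winlogon.exe", True),
    "svchost.exe":  (r"c:\windows\system32\svchost.exe",  False),
    "explorer.exe": (r"c:\windows\explorer.exe",          False),
}


@dataclass
class Proc:
    pid: int
    name: str
    path: str


def parse_listing(text):
    """Parse 'pid,name,path' lines (the shape of a trimmed
    `wmic process get ProcessId,Name,ExecutablePath /format:csv` export).
    Names and paths are lower-cased because Windows paths are case-insensitive."""
    procs = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.lower().startswith("pid"):
            continue
        pid, name, path = (f.strip() for f in line.split(",", 2))
        procs.append(Proc(int(pid), name.lower(), path.lower()))
    return procs


def lookalike_of(name):
    """Return the KNOWN name that `name` pads or nearly spells, else None.
    Catches prefix/suffix padding (xplsass.exe embeds lsass.exe) and
    single-character substitutions (1sass.exe, svch0st.exe)."""
    if name in KNOWN:
        return None                      # the real name: judged by path/count instead
    stem = name[:-4] if name.endswith(".exe") else name
    for known in KNOWN:
        kstem = known[:-4]
        if kstem in stem:
            return known                 # padded: "xplsass" contains "lsass"
        if len(stem) == len(kstem) and sum(a != b for a, b in zip(stem, kstem)) == 1:
            return known                 # one character swapped
    return None


def triage(procs):
    """Return a list of (pid, name, reason) findings for a parsed listing."""
    findings = []
    counts = Counter(p.name for p in procs)
    for p in procs:
        mimic = lookalike_of(p.name)
        if mimic:
            findings.append((p.pid, p.name,
                             f"name mimics {mimic} ({counts[p.name]} instance(s))"))
            continue
        if p.name in KNOWN:
            expected_path, singleton = KNOWN[p.name]
            if p.path and p.path != expected_path:
                findings.append((p.pid, p.name, f"unexpected path {p.path}"))
            if singleton and counts[p.name] > 1:
                findings.append((p.pid, p.name,
                                 f"{counts[p.name]} instances of a singleton process"))
    return findings


# Constructed sample listing modelled on the post: two copies of xplsass.exe
# in system32 next to the genuine lsass.exe. Not captured from a real host.
SAMPLE = r"""
pid,name,path
4,System,
616,csrss.exe,C:\WINDOWS\system32\csrss.exe
672,lsass.exe,C:\WINDOWS\system32\lsass.exe
1244,xplsass.exe,C:\WINDOWS\system32\xplsass.exe
1302,xplsass.exe,C:\WINDOWS\system32\xplsass.exe
1460,svchost.exe,C:\WINDOWS\system32\svchost.exe
1520,explorer.exe,C:\WINDOWS\explorer.exe
"""

if __name__ == "__main__":
    for pid, name, reason in triage(parse_listing(SAMPLE)):
        print(f"PID {pid:>5}  {name:<14} {reason}")
```

On the sample the only findings are the two xplsass.exe instances, each reported as mimicking lsass.exe; the genuine lsass.exe, which runs once from its expected path, is not flagged. A name match alone is a lead, not a verdict: the next step in practice is to hash the image and submit it to your AV vendor, which is what the asker ended up doing.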
IT

lsass - lsass.exe - Process Information
Process File: lsass or lsass.exe
Process Name: Local Security Authority Service

Description:
lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. Note: lsass.exe also relates to the W32/Windang.worm, which spread via floppy disk drives. Please review the file path for clarification of this.


ASKER

Have confirmed with an AVG virus engineer that this is a new variant of the Backdoor.Wootbot virus. The defs will reflect the new variant tonight.