Remove Malware LCASS.EXE

July 19, 2009 by ariefew
Filed under: Virus
Social Bookmark |

LCASS.EXE is associated with the malware groups Cloaked Malware, System Back Door, Malicious Software.

LCASS.EXE has been seen to perform the following behavior :

Adds a Registry Key (RUN) to auto start Programs on system start up
This process creates other processes on disk
Executes a Process
Writes to another Process’s Virtual Memory (Process Hijacking)
This Process Deletes Other Processes From Disk
Creates a TCP port which listens and is available for communication initiated by other computers
Looks at the contents of the autoexec.bat file
Reads email address and phone book details
Uses DNS to retrieve the IP address for web sites
Uses your PC to connect to Chat rooms
Found on infected systems and resists interrogation by security products
Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
This Process Disables Other Security Products
This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
The Process is packed and/or encrypted using a software packing process
Executes Processes stored in Temporary Folders
The Process is polymorphic and can change its structure

LCASS.EXE has been the subject of the following behavior:

Added as a Registry auto start to load Program on Boot up
Created as a process on disk
Has code inserted into its Virtual Memory space by other programs
Executed as a Process
Copied to multiple locations on the system
Deleted as a process from disk
Terminated as a Process
Created as a new Background Service on the machine
Executed from Temporary Folders
Registered as a Dynamic Link Library File

LCASS.EXE can also use the following file names:

REWT.EXE
94349093.DAT
85516615.EXE
88635257.EXE
37779156.EXE
WH674EW7H47H.EXE
15439842.EXE
81972445.EXE

The following file size has been seen:

104,498 bytes
263,232 bytes
491,548 bytes
193,024 bytes
9,728 bytes
188,928 bytes

Files with the name LCASS.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

Miorosoft; ?????; 1.00.0185
Miorosoft; ?????; 1.00.0185
Miorosoft; ?????; 1.00.0199
Usb Brower; ?????; 1.00.0032
Usb Brower; 9fbae7a180e7b1bbe7a88be5ba8fM0; 1.00.0032

One or more files with the name LCASS.EXE creates, deletes, copies or moves the following files and folders:

Opens/modifes c:autoexec.bat

One or more files with the name LCASS.EXE creates or modifies the following registry keys and values:

HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun LCASS lcass.exe

One or more files with the name LCASS.EXE performs the following network events:

DNS Lookup213.251.161.68 rage.hackparty.com

One or more files with the name LCASS.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP:213.251.161.68:81 Port:17

Remove

Remove LCASS.EXE from memory. Use Task Manager, select LCASS, click End Process
Remove LCASS.EXE following files from autoexec.bat, registry keys
Remove LCASS.EXE file from Recycle Bin, %SystemRoot%system32
Restart PC