Remove Malware LCASS.EXE

LCASS.EXE is associated with the malware groups Cloaked Malware, System Back Door, Malicious Software.

LCASS.EXE has been seen to perform the following behavior:

  • Adds a Registry Key (RUN) to auto start Programs on system start up
  • This process creates other processes on disk
  • Executes a Process
  • Writes to another Process’s Virtual Memory (Process Hijacking)
  • This Process Deletes Other Processes From Disk
  • Creates a TCP port which listens and is available for communication initiated by other computers
  • Looks at the contents of the autoexec.bat file
  • Reads email address and phone book details
  • Uses DNS to retrieve the IP address for web sites
  • Uses your PC to connect to Chat rooms
  • Found on infected systems and resists interrogation by security products
  • Can make outbound communication to other computers, IM chat rooms and other services using IRC protocols
  • This Process Disables Other Security Products
  • This Process Contains User Mode Rootkit Functionality and can hide itself from the running process list
  • The Process is packed and/or encrypted using a software packing process
  • Executes Processes stored in Temporary Folders
  • The Process is polymorphic and can change its structure

LCASS.EXE has been the subject of the following behavior:

  • Added as a Registry auto start to load Program on Boot up
  • Created as a process on disk
  • Has code inserted into its Virtual Memory space by other programs
  • Executed as a Process
  • Copied to multiple locations on the system
  • Deleted as a process from disk
  • Terminated as a Process
  • Created as a new Background Service on the machine
  • Executed from Temporary Folders
  • Registered as a Dynamic Link Library File

LCASS.EXE can also use the following file names:

  • REWT.EXE
  • 94349093.DAT
  • 85516615.EXE
  • 88635257.EXE
  • 37779156.EXE
  • WH674EW7H47H.EXE
  • 15439842.EXE
  • 81972445.EXE

The following file sizes have been seen:

  • 104,498 bytes
  • 263,232 bytes
  • 491,548 bytes
  • 193,024 bytes
  • 9,728 bytes
  • 188,928 bytes

Files with the name LCASS.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

  • Miorosoft; ?????; 1.00.0185
  • Miorosoft; ?????; 1.00.0185
  • Miorosoft; ?????; 1.00.0199
  • Usb Brower; ?????; 1.00.0032
  • Usb Brower; 9fbae7a180e7b1bbe7a88be5ba8fM0; 1.00.0032

One or more files with the name LCASS.EXE creates, deletes, copies or moves the following files and folders:

Opens/modifies c:\autoexec.bat

One or more files with the name LCASS.EXE creates or modifies the following registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run LCASS lcass.exe

One or more files with the name LCASS.EXE performs the following network events:

DNS Lookup: 213.251.161.68 rage.hackparty.com

One or more files with the name LCASS.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP:213.251.161.68:81 Port:17

Remove

  • Remove LCASS.EXE from memory: open Task Manager, select LCASS, and click End Process
  • Remove references to LCASS.EXE from autoexec.bat and the registry keys listed above
  • Remove the LCASS.EXE file from the Recycle Bin and %SystemRoot%\system32
  • Restart PC
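
The removal steps above can be checked from PowerShell before anything is deleted. This is an added example, not part of the original post: the function name Invoke-LcassCleanup and its -Remove switch are illustrative, the paths and the Run value come from the lists above, and the Recycle Bin step is left to be done by hand.

```powershell
# Added example: report (and optionally remove) the LCASS.EXE artifacts listed on this page.
# Assumption: run in the affected user's session, elevated if files in system32 must be deleted.
function Invoke-LcassCleanup {
    [CmdletBinding()]
    param([switch]$Remove)

    $runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValue = 'LCASS'
    $filePath = Join-Path $env:SystemRoot 'system32\lcass.exe'
    $autoexec = 'C:\autoexec.bat'
    $findings = @()

    # Step 1: running process (Get-Process matches the name without ".exe")
    foreach ($p in @(Get-Process -Name 'lcass' -ErrorAction SilentlyContinue)) {
        $findings += "process: PID $($p.Id)"
        if ($Remove) { Stop-Process -Id $p.Id -Force }
    }

    # Step 2a: autostart value under the per-user Run key
    $run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    if ($run) {
        $findings += "run key: $runValue = $($run.$runValue)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name $runValue }
    }

    # Step 2b: autoexec.bat lines that mention the file (reported only; edit the file by hand)
    if (Test-Path -LiteralPath $autoexec) {
        Select-String -LiteralPath $autoexec -Pattern 'lcass' -SimpleMatch | ForEach-Object {
            $findings += "autoexec.bat line $($_.LineNumber): $($_.Line.Trim())"
        }
    }

    # Step 3: file on disk; record size and hash before deleting (-Force covers hidden files)
    if (Test-Path -LiteralPath $filePath) {
        $item = Get-Item -LiteralPath $filePath -Force
        $hash = (Get-FileHash -LiteralPath $filePath -Algorithm SHA256).Hash
        $findings += "file: $filePath ($($item.Length) bytes, SHA256 $hash)"
        if ($Remove) { Remove-Item -LiteralPath $filePath -Force }
    }

    $findings
}

Invoke-LcassCleanup            # report only
# Invoke-LcassCleanup -Remove  # clean up, then restart the PC
```

Because the behavior list above says the process can hide itself from the running process list, an empty process result does not rule it out; the Run key and file checks do not depend on the process list.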




2 Comments to "Remove Malware LCASS.EXE"

  1. July 21, 2009 - 10:41 am | Permalink

    Thank you for your tutorial, I will try it now.

    ariefew Reply:

    Ansav can’t detect this malware. PCmAV can detect it.

  2. July 23, 2009 - 3:49 am | Permalink

    Oh, so that's how it is… <<< I'm just pretending to know, when actually I don't really understand the language :)

    ariefew Reply:

    Maybe next time in the Blitar language…
    NB:
    Even though this malware is not dangerous, it is still annoying. On our Windows, the mouse often disappears at login…
