Cleaning the LSASS worm : Part 2
This is a follow-up to an earlier post: Cleaning the LSASS worm : Part 1. Please note that I am not affiliated with any of the software or brands mentioned below; I found this method by trial and error.
Goals
To remove a specific strand of the LSASS worm manually (with the help of automated software)
Outcomes
We shall remove the worm from the PC, and also attempt to repair the damage it may have caused. You will also get to know a little about how viruses operate.
Tools
Download these tools (we’ll use them):
What you need to know
You will need to know how to download and install software, and how to edit the Windows registry without crashing your PC.
Not too difficult.
Getting Started
First of all, we need to stop the worm from running so that it does not interfere with our work of removing it. The “lsass” worm operates by infecting various folders and locations on the PC [see below for list]. It then runs continuously in the background, checking whether it is being tampered with, and carrying out its “purpose”. That’s from the Matrix movie.
There are two problems we have to tackle. First, we have to stop the worm from running. But that alone won’t get rid of it! Because of how it infects the system, even if you successfully end a process called “lsass.exe” [caution here! see below why], the worm will re-launch the next time you reboot. So secondly, we have to clean the system of all of the worm’s “launch sites”: the places from which it gets back into the system.
We Begin!
1. Run Process Explorer and kill the task “lsass.exe”. Wait! Be careful not to kill this task that is showing somewhere under the “System Idle Process”. Kill the one under the “explorer.exe” by right-clicking and choosing “Kill Task”. [see image below to clarify the positions of "System Idle Process" and "explorer.exe"]
In addition, if you spot a process called “dllhost.exe” end it also.
2. Go to “Add/Remove Programs” and find anything similar to “MyWebSearch” and uninstall it.
3. Also uninstall Yahoo! messenger for the time being. Don’t worry, once we are done, you may reinstall it.
Careful!
This is the first of the “Careful!” warnings. When you are killing the “lsass.exe” task/process, you will most probably see two of these: one is a safe system process, while the other is the worm. The only thing you have to be careful about is not to end the system process. Just follow step 1 carefully [don't do what's shown below!].
Even if you end the wrong one, don’t worry, it’s not that serious. The system will reboot automatically and we will have lost some time, that’s all.
Disinfection
We shall now start removing the worm.
4. Start HijackThis and run a scan by clicking on “Do a system scan only”. After the scan is done, you will need to select some entries by clicking on their check-boxes. They won’t have exactly the names below, but if you see a resemblance, select them:
- F3HTTPCT.dll
- M3IDKE.dll
- M3PLUGIN.dll
- MWSSRCAS.dll
- Anything to do with the Home page of Internet Explorer
- Anything showing “MyWebSearch”
- Anything with “lsass.exe”
- Anything with “dllhost.exe”
After you have selected all the suspicious candidates, click on the “Fix checked” button.
5. We now delete all the worm’s related files on the PC. Run KillBox and browse to the “C:\WINDOWS\System” folder (in Windows XP). Select the “system” folder and click “OK”. [see below if it’s not clear]
Now type in “lsass.exe” in the “Full path of File to Delete” drop-down box. Click the red “X” button. NB: If you get an error, select the “Delete on reboot” option and reclick the “X” button.
For good measure, type in “dllhost.exe” in the “Full path of File to Delete” drop-down box and click the “X” button (same as above).
Careful!
Again, the warning has to do with the safe “lsass.exe” file. You should be very careful not to select “system32” instead of “system”.
At this point, your PC is hopefully free from all infections of the worm [see below for exceptions]. So the next obvious thing to do after an infection is healing.
Healing
6. We tackle the registry infections now. Start ID System Optimizer. Now navigate through “APPLICATIONS>Regedit>Disable Regedit” [see below for how this will look]
When you click on “Disable Regedit”, a setting called “Enable Regedit” will appear on the right side. This will be turned to “No”. Click on it to make it “Yes” and then click the “Apply Settings” button.
Now that the registry is OK, we need to get into it. So we use ID System Optimizer again, this time to enable the “Run” option and the task manager.
7. Now we navigate to “WINDOWS SYSTEM>System Other Options>Ctrl-Alt-Del Options” and change the “Allow user to run Task Manager” option. Click on it so that it reads “Yes”, and then click on the “Apply Settings” button.
8. Now navigate to “WINDOWS INTERFACE>Start Menu>Show/Hide Items in Start Menu” and set the “Show ‘Run…’ command” setting to “Yes” as shown above. If you see two such settings (a small bug in the version of ID System Optimizer I used), just set both to “Yes”.
9. We also correct the “Folder Options” setting. Navigate to “WINDOWS INTERFACE>Explorer Interface Settings>Explorer Menu Options” and make the “Show ‘Folder options’ command” setting to “Yes” as above.
We now have to restart the system for some of these changes to take effect.
Careful!
If some step is done wrongly, the whole infection will come back! I found this out the hard way and had to re-do many of the above steps till I got it right. If there are any undeleted files related to the worm [see below why this can be] or if you skipped a step, get ready to re-do all of the above after the reboot.
Destroying the Launch Site
10. We can get to the registry now via the “Run” option. Go to the Start menu and select “Run”. In the window that appears, type “regedit” and click “OK”.
The registry shall open.
11. Navigate to the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
We shall modify two values in this key. These values are shown in the right-hand pane of the registry editor: the “Shell” value and the “UserInit” value.
12. Right-click on “Shell” and select “Modify”. In the window that opens, you will see a text box called “Value Data” reading “explorer.exe C:\WINDOWS\system\lsass.exe”. Modify it to read ONLY “explorer.exe”. That is, delete the whole “C:\WINDOWS\system\lsass.exe” part.
13. Right-click on “UserInit” and select “Modify”. In the window that opens, you will see a text box called “Value Data” reading “C:\WINDOWS\system\lsass.exe”. Modify it to read “C:\WINDOWS\system32\userinit.exe”.
Careful!
This is the most important of the cautions! Modifying the registry improperly can cause your PC to become unbootable! With regard to the above values, if “Shell” has something missing or incorrectly typed, like “explore.exe”, your PC may not boot! So be very careful and follow the instructions, checking and double-checking your entries.
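As an added example (not from the original post), here is a small Python check that reads a registry export and flags the two Winlogon values from steps 12 and 13 when they point anywhere other than the defaults, plus the policy values that lock out Run, Task Manager, regedit and Folder Options. The sample .reg text is constructed, the policy value names (DisableRegistryTools, DisableTaskMgr, NoRun, NoFolderOptions) are assumed to be what the ID System Optimizer toggles in steps 6 to 9 flip, and the expected Userinit path is the Windows XP default.

```python
import re
# Constructed .reg export (not a real capture) reproducing the damage the post describes:
# the Winlogon hijack plus the policy values that hide Run, Task Manager, regedit and Folder Options.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system\\lsass.exe"
"Userinit"="C:\\WINDOWS\\system\\lsass.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoFolderOptions"=dword:00000001
"""
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
# Assumed: these policy values are what the ID System Optimizer toggles in steps 6-9 flip.
RESTRICTIONS = {POLICIES + r"\system": ("DisableRegistryTools", "DisableTaskMgr"),
                POLICIES + r"\explorer": ("NoRun", "NoFolderOptions")}

def parse_reg(text):
    # Returns {key path (lowercased): {value name (lowercased): value}}.
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, raw = re.match(r'"((?:[^"\\]|\\.)+)"=(.*)', line).groups()
            if raw.startswith("dword:"):                  # REG_DWORD, hex digits
                value = int(raw[6:], 16)
            else:                                         # REG_SZ: drop quotes, un-escape \\ and \"
                value = re.sub(r'\\(.)', r'\1', raw.strip('"'))
            keys[current][name.lower()] = value
    return keys

def check(keys):
    # An empty list means the Winlogon and policy values look sane.
    findings = []
    wl = keys.get(WINLOGON, {})
    shell = str(wl.get("shell", "")).strip()
    if shell.lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is {shell!r}, expected 'explorer.exe'")
    userinit = str(wl.get("userinit", "")).strip().rstrip(",").lower()  # XP default ends in a comma
    if userinit != r"c:\windows\system32\userinit.exe":
        findings.append(f"Winlogon Userinit is {userinit!r}, expected the XP default userinit.exe")
    for key, names in RESTRICTIONS.items():
        for name in names:
            if keys.get(key, {}).get(name.lower()) == 1:
                findings.append(f"{name}=1 under {key}: a UI element is locked out")
    return findings
```

Run `check(parse_reg(open("export.reg").read()))` against a real export taken with regedit’s File > Export; any non-empty result is a value to revisit before rebooting.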
Other Strands
Hope this doesn’t confuse anyone, but by strands I mean different versions of the worm. I don’t have the version numbers, hence “strands”. I have encountered another LSASS on a different PC that behaved differently than stated above. In addition to the “lsass.exe” process, it had additional infected processes showing in Process Explorer:
- “YMWorm.exe”
- “SVCHOST” from a file in “C:\WINDOWS\System” was tagged as the Task manager
- “svchost” process startup in registry under “all users\run”
- “svchost32” also from “C:\WINDOWS\System” was tagged as Yahoo! Messenger
Thankfully, these processes can be handled by simply killing them and then using KillBox to type in their names from “C:\WINDOWS\System” and deleting them [see above to refresh your memory on how].
However, there were also these infections:
- In the auto-start folder, there was a shortcut tagged as “msconfig” [the location of the auto-start folder is “C:\Documents and Settings\All Users\Start Menu\Programs\Startup”]. So just find this shortcut and delete it.
Because deleting these additional processes will (in theory) make all the other infections redundant, I won’t describe the other infection locations here.
Unresolved Issues
This tutorial doesn’t solve all the problems (my sister’s PC still has some of its settings wrong). This was just to share my experience with this problem because at that time there was no concise help on removing LSASS, just disjoint information on various forums. However, I believe this tutorial will help get rid of most of the infection and its effects.
Now if you were paying attention, you might have noticed that we have come to the end of the tutorial and we didn’t even use one of the tools we downloaded! Which one? a-Squared Free. The reason is that I didn’t actually use this software when I first did this. I had some success with a-Squared on another PC that had a similar infection (a different strand of LSASS). I can’t tell whether it will be successful on this particular strand because it was taken care of, and my sister didn’t want to re-infect her PC to test out a-Squared!
But try it out. Install it, scan your system, and follow its instructions if it finds anything.
Needless to say, a-Squared will at most help in removing the worm, but won’t help in “healing” the infections. That’s where ID System Optimizer is very useful.
Hope this helps, it’s the best I could do.
Summary of Symptoms
- Internet Explorer’s homepage changed; link to obscene sites
- Your Yahoo! messenger status changed (the message you show beside your name to your friends); link to obscene sites
- The Folder options menu item will not show
- The Registry gets disabled (you can’t open it manually, but other software will still work OK)
- The task manager gets disabled, so if you right-click on the task bar, “Task Manager” will be grayed out. Same if you press “CTRL-ALT-DEL”: the button will be grayed out.
- Later on, when the task manager is working, we shall see that the “New Task” button is also disabled
- The “Run” showing on the Start menu will also disappear.
Yippee! Here’s a tool I found that can help remove the “Folder Options” disabled infection: Raymond.CC Blog
This is too cool! Worked like a charm!
I am really thankful for your blog
thanks! this site was really a big help.
I couldn't find the file that had the worm, so what worked for me was:
Create a file called %systemroot%\debug\dcpromo.log and make the file read-only. To do this, type the following command:
echo dcpromo >%systemroot%\debug\dcpromo.log & attrib +r %systemroot%\debug\dcpromo.log
(To start a command shell, click Start and then click run and type ‘cmd.exe’ and press enter.)
I got this here
Anyway, I deleted a file with KillBox called:
oab.exe
Great help!!
Thank you very much!
You are a genius!
I have come across an XP system that will not boot into Windows – stops with error “lsass.exe”; mouse and keyboard are locked out at this point. Tried slaving it into another system but it does not show up and get a drive letter. I can only see it through Administrative Tools in Control Panel. It shows as “basic”. I only get an option to convert it to dynamic. I even put it into a USB enclosure but only got the same results. Have tried in both Vista and XP machines. Is there a utility to clean via a boot disc?
[...] Cleaning the LSASS worm : Part 2 August 2007 7 comments 3 [...]
The Sasser I just killed could not be killed through the task manager because the worm had tricked the task manager into thinking it was the system-critical lsass.exe, and the task manager would not kill the process. So I used an old trick I normally use when I run into the problem of not being able to delete a virus file because it is currently running, which is to log into Windows Safe Mode. In Safe Mode there will generally only be system-critical processes running, so you can then delete the executable, but this virus was even running in Safe Mode! So at this point I rebooted into regular user mode and used the Spybot (spyware application) process list to kill the executable, of which two instances were running (one restarting the other if one is killed). The Spybot process list also has a cool feature: it allows you to kill multiple processes at once (by holding Shift and highlighting them, then selecting “kill process”). This killed the process, allowing me to delete the executable, which was stored in the Application Data folder. I hope this helps anyone else out there with the same problem.
Jamatrix ~