lsass.exe a system file or a virus?

Virus and spywares are now disguising  to look like a windows system files. Thats also the reason why it is hard to locate a virus because they look like a system file. Tell me which of the following below is a spyware and a system file?

  • Isass.exe
  • lsass.exe
  • Win32.exe

Hey, wait a minute, the first two files are the same! Well, they are not. The first starts with the letter capital i (I) and second starts with the letter lowercase l (L). The one starting with i (isass.exe) is a virus/Trojan but Windows users may easily mistake it for the very important security process, lsass.exe (starts with a lowercase L, as in lucky). And yes Win32.exe is a browser hijack program that will keep taking charge of your browser home page.

You need to be extremely careful that you don’t make assumptions when investigating files on your system. The substitution is used in other areas too. The virus, Backdoor.NetDevil, is copied onto a computer with the filename of Kernel.dlI – except that the last letter is a capital i. So, because of the way fonts are displayed, Kernel.dlI (the ending here is .DLI) can look identical the all important Kernel.dll (ending is DLL).

How to properly identify processes
As you can see, it is very easy to overlook or confuse the processes running on your system. You can try typing each process into Google, but be careful not to make a mistake. One solution is to try changing your system fonts to a serif font such as Times or Bookman, but that can look a little ugly (a serif is the little curly bit on your letters – it makes Isass.exe look like Isass.exe rather than Isass.exe). Another solution is to get an anti-spyware program that can help identify the nasties.

When searching for problematic files, always be careful about making assumptions. Get to learn what processes are running on your system and check each one. Be suspicious about double entries, particularly if the process has an ‘i’ in its name. Note: it is common to see multiple entries of svchost.exe and other programs running in several windows such as explorer.exe.