October 1st 09, 01:39 PM, posted to microsoft.public.windows.inetexplorer.ie6_outlookexpress,microsoft.public.windowsxp.general
o
Why does email run Lsass.exe (ell, not cap eye)?


"nate hudgen" wrote in message
...

"WhatsUp31415" wrote in message
...
When we[*] open a particular email in Outlook Express, it apparently
causes Lsass.exe (with ell, not eye) to run.

Any idea why?

It causes an alleged Norton Internet Security pop-up asking for
confirmation to allow Lsass.exe to access the Internet. (Actually, I
think it is to allow an incoming login request.) I say "alleged" because
the only choice is "allow always". It seems unusual to have only the one
choice, not also "disallow". That piques my suspicion.

When I look at the text of the message in plain ASCII (i.e. Message
Source), it looks benign to me. It does have an HTML part; but I do not
find any explicit reference to any EXE file, much less Lsass.exe. (I did
a Find in Notepad.) However, I do not know HTML very well; I might have
overlooked some other mechanism that would trigger a remote login
attempt.

(What should I look for?)

(Also, I was unable to look at the original mail headers because they are
stripped when OE forwards email.)

I know that isass.exe (usually cap eye) is considered to be a trojan
horse. But my understanding is that Lsass.exe (usually lowercase ell) is
a Windows service, namely the Local Security Authentication Server [sic],
according to some web pages.

We did a file search and confirmed that isass.exe (with eye) does not
exist, whereas Lsass.exe (with ell) does.

The system does have multiple user accounts; I assume that Lsass.exe is
invoked when we login. But I still do not understand what could cause an
incoming login request in that email.

FYI, the email is a legitimate response to email that we[*] sent. But
of course, that does not rule out the possibility that the sender's system is
infected, and a trojan horse was attached to legitimate outgoing email.

Anyway, any thoughts would be appreciated. Namely:

1. Am I correct to be suspicious and to trash the email?

2. Or should I allow Lsass.exe to access the Internet?

3. And if #2, please let me know why; that is, what is going on?


[*] "We" is really my computer-illiterate mother. I am trying to
troubleshoot this from 400 miles away. It's a struggle. Her PC has
Win XP and OE 6. I believe Win XP is SP2, but it might be SP1.




