Remove Malware LCASS.EXE

LCASS.EXE is associated with the malware groups Cloaked Malware, System Back Door, Malicious Software.

LCASS.EXE has been seen to perform the following behavior:

  • Adds a registry Run key so that it starts automatically at system startup
  • Creates other processes on disk
  • Executes a process
  • Writes to another process’s virtual memory (process hijacking)
  • Deletes other processes from disk
  • Creates a listening TCP port that accepts connections initiated by other computers
  • Reads the contents of the autoexec.bat file
  • Reads email address and phone book details
  • Uses DNS to resolve the IP addresses of web sites
  • Uses your PC to connect to chat rooms
  • Found on infected systems and resists interrogation by security products
  • Can make outbound connections to other computers, IM chat rooms and other services using IRC protocols
  • Disables other security products
  • Contains user-mode rootkit functionality and can hide itself from the running process list
  • Is packed and/or encrypted using a software packer
  • Executes processes stored in temporary folders
  • Is polymorphic and can change its structure

LCASS.EXE has been the subject of the following behavior:

  • Added as a registry auto-start entry so that it loads at boot
  • Created as a process on disk
  • Has code inserted into its virtual memory space by other programs
  • Executed as a process
  • Copied to multiple locations on the system
  • Deleted as a process from disk
  • Terminated as a process
  • Created as a new background service on the machine
  • Executed from temporary folders
  • Registered as a dynamic link library file

LCASS.EXE can also use the following file names:

  • 94349093.DAT
  • 85516615.EXE
  • 88635257.EXE
  • 37779156.EXE
  • WH674EW7H47H.EXE
  • 15439842.EXE
  • 81972445.EXE

The following file sizes have been seen:

  • 104,498 bytes
  • 263,232 bytes
  • 491,548 bytes
  • 193,024 bytes
  • 9,728 bytes
  • 188,928 bytes

Files with the name LCASS.EXE have been seen to have the following Vendor, Product and Version Information in the file header:

  • Miorosoft; ?????; 1.00.0185
  • Miorosoft; ?????; 1.00.0185
  • Miorosoft; ?????; 1.00.0199
  • Usb Brower; ?????; 1.00.0032
  • Usb Brower; 9fbae7a180e7b1bbe7a88be5ba8fM0; 1.00.0032

One or more files with the name LCASS.EXE create, delete, copy or move the following files and folders:

Opens/modifies c:\autoexec.bat

One or more files with the name LCASS.EXE create or modify the following registry keys and values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run LCASS lcass.exe

One or more files with the name LCASS.EXE perform the following network events:

DNS Lookup: 213.251.161.68

One or more files with the name LCASS.EXE interact with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

TCP: Port 17

To remove LCASS.EXE:

  • Remove LCASS.EXE from memory: in Task Manager, select LCASS and click End Process
  • Remove the LCASS.EXE entries from autoexec.bat and from the registry keys listed above
  • Remove the LCASS.EXE file from %SystemRoot%\system32 and from the Recycle Bin
  • Restart the PC