lsass.exe or isass.exe – virus or system file? Find out which process is good and which is evil. Also dli versus dll


Virus and spyware writers are getting more cunning. They are now disguising their viruses to look or sound like Windows system files. Quick quiz: out of the following, which of the files is the spyware (browser hijack), virus (Trojan) and the crucial system file?

  • Isass.exe
  • lsass.exe
  • Win32.exe

Hey, wait a minute, the first two files are the same! Well, they are not. The first starts with the letter capital i (I) and second starts with the letter lowercase l (L). The one starting with i (isass.exe) is a virus/Trojan but Windows users may easily mistake it for the very important security process, lsass.exe (starts with a lowercase L, as in lucky). And yes Win32.exe is a browser hijack program that will keep taking charge of your browser home page.

More to it
Needless to say, you need to be extremely careful that you don't make assumptions when investigating files on your system. The substitution is used in other areas too. The virus, Backdoor.NetDevil, is copied onto a computer with the filename of Kernel.dlI - except that the last letter is a capital i. So, because of the way fonts are displayed, Kernel.dlI (the ending here is .DLI) can look identical the all important Kernel.dll (ending is DLL).

How to properly identify processes As you can see, it is very easy to overlook or confuse the processes running on your system. You can try typing each process into Google, but be careful not to make a mistake. One solution is to try changing your system fonts to a serif font such as Times or Bookman, but that can look a little ugly (a serif is the little curly bit on your letters - it makes Isass.exe look like Isass.exe rather than Isass.exe). Another solution is to get an anti-spyware program that can help identify the nasties.

When searching for problematic files, always be careful about making assumptions. Get to learn what processes are running on your system and check each one. Be suspicious about double entries, particularly if the process has an 'i' in its name. Note: it is common to see multiple entries of svchost.exe and other programs running in several windows such as explorer.exe.