Ran across a piece of malware today (known as Ixu.100 to TrojanHunter) that drops itself as C:\lsass.exe. One side effect of this, and undoubtedly one of the reasons for chosing the lsass.exe name, is that naming the trojan file this way makes it unkillable in Windows Task Manager. Here is what you see when you try to kill the trojan process in Task Manager:

Imagine you’re trying to manually clean a trojan from a system and you run into this dialog box when trying to terminate its process. Scary, right? You’d probably assume that you’ve run into a rootkit that is hooking the process termination functions to prevent itself being killed. The truth is however not quite so nefarious. You see, Task Manager contains a few hardcoded process names that it will refuse to terminate. This is meant to stop users from terminating critical system processes. The list of processes that Task Manager will refuse to kill is the following:

• lsass.exe
• csrss.exe
• smss.exe

You can try this yourself. Simply make a copy of notepad (located at C:\Windows\notepad.exe) and rename it smss.exe. Then start it and try to kill it using Task Manager. You will get the dialog box displayed above.

The problem with this, of course, is that Task Manager does not check the full path of the executable. So instead of only preventing processes whose image path is C:\Windows\system32\csrss.exe from being killed, it will refuse to kill any file named csrss.exe.

The solution is to use an alternate process viewer tool to kill the process. The Process Viewer included in TrojanHunter will do this, or you can use the excellent Process Explorer from Microsoft to do the job.