
Trojan:Win32/Lyzapo.A


First posted on 10 July 2009.
Source: SecurityHome

Aliases :

There are no other names known for Trojan:Win32/Lyzapo.A.

Explanation :

Win32/Lyzapo.A is a trojan with two components that cause the affected system to participate in Distributed Denial of Service attacks against remote servers. It also drops a variant of Backdoor:Win32/Mydoom.gen to the system, and may download and execute other arbitrary files.

Symptoms

System changes
The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\wpcap.dll
    <system folder>\Packet.dll
    <system folder>\WanPacket.dll
    <system folder>\drivers\npf.sys
    <system folder>\npptools.dll
    <system folder>\wmcfg.exe
    <system folder>\wmiconf.dll
  • The absence/removal of the following files:
    <system folder>\sysvmd.dll
    <system folder>\regscm.dll
    <system folder>\maus.dl
    <system folder>\maus.dl_
    <system folder>\infdrmkf.inf
    <system folder>\ntmpsvc.dll
    <system folder>\ssdpupd.dll
    <system folder>\perfb093.dat
    <system folder>\netlmgr.dll
  • The presence of the following registry modifications:

    Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    Adds value: wmiconf
    With data: "WmiConfig"

    Under key: HKLM\System\CurrentControlSet\Services\WmiConfig
    Adds value: Type
    With data: 0x120
    Adds value: Start
    With data: 0x2
    Adds value: ErrorControl
    With data: 0x1
    Adds value: ImagePath
    With data: "%SystemRoot%\system32\svchost.exe -k wmiconf"
    Adds value: DisplayName
    With data: "WMI Performance Configuration"
    Adds value: ObjectName
    With data: "LocalSystem"
    Adds value: Description
    With data: "Configures and manages performance library information from WMI HiPerf providers."

    Under key: HKLM\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters
    Adds value: ServiceDll
    With data: "<system folder>\wmiconf.dll"

    Under key: HKLM\System\CurrentControlSet\Services\WmiConfig\Security
    Adds value: Security
    With binary data

    Under key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
    Deletes value: secsvcs
    Deletes value: NtmpSvc
    Deletes value: SSDPUPD
    Deletes value: netlman


Installation

When executed, TrojanDropper:Win32/Lyzapo.A drops the following files to the <system folder>:

    wpcap.dll
    Packet.dll
    WanPacket.dll
    drivers\npf.sys
    npptools.dll
    wmcfg.exe
    wmiconf.dll

Note: <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.

wmiconf.dll is the DLL component of Trojan:Win32/Lyzapo.A, while wmcfg.exe is a variant of Backdoor:Win32/Mydoom.gen. The other files are clean components of a packet capture and analysis tool.

The dropper may use a mutex such as “_MUTEX_AHN_V3PRO_” to avoid more than one copy running at a time.

The DLL component is registered as a service with a name such as “WmiConfig” and a display name of "WMI Performance Configuration". In doing so, the following registry entries are created:

    Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    Adds value: wmiconf
    With data: "WmiConfig"

    Under key: HKLM\System\CurrentControlSet\Services\WmiConfig
    Adds value: Type
    With data: 0x120
    Adds value: Start
    With data: 0x2
    Adds value: ErrorControl
    With data: 0x1
    Adds value: ImagePath
    With data: "%SystemRoot%\system32\svchost.exe -k wmiconf"
    Adds value: DisplayName
    With data: "WMI Performance Configuration"
    Adds value: ObjectName
    With data: "LocalSystem"
    Adds value: Description
    With data: "Configures and manages performance library information from WMI HiPerf providers."

    Under key: HKLM\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters
    Adds value: ServiceDll
    With data: "<system folder>\wmiconf.dll"

    Under key: HKLM\System\CurrentControlSet\Services\WmiConfig\Security
    Adds value: Security
    With binary data

It does not start the service until later (see below). The following shows the service before it has been started:

Trojan:Win32/Lyzapo.A may use other filenames, such as perfvwr.dll. The service details may also change for different variants. A separate component, also detected as TrojanDropper:Win32/Lyzapo.A, drops a file to <system folder>\uregvs.nls before deleting itself. This file may contain a list of servers to target for DDoS attacks.

Payload

Downloads and executes arbitrary files
TrojanDropper:Win32/Lyzapo.A periodically contacts one of a number of servers, which may include the following:

  • 216.199.83.203
  • 213.23.243.210
  • 213.33.116.41

These may respond with a file, which it may save to disk. If this is successful, it starts the Trojan:Win32/Lyzapo.A service (if it has not done so already) and then executes the file.

Terminates services, deletes files and removes registry entries
TrojanDropper:Win32/Lyzapo.A may attempt to terminate and delete the following services:

  • sysvmd
  • NtmpSvc
  • SSDPUPD
  • netlmgr

It also removes the following registry entries associated with these services:

    Under key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
    Deletes value: secsvcs
    Deletes value: NtmpSvc
    Deletes value: SSDPUPD
    Deletes value: netlman

It attempts to delete the following related files from the <system folder>:

    sysvmd.dll
    regscm.dll
    maus.dl
    maus.dl_
    infdrmkf.inf
    ntmpsvc.dll
    ssdpupd.dll
    perfb093.dat
    netlmgr.dll

Participates in distributed denial of service attacks
Once its service is started, Trojan:Win32/Lyzapo.A monitors the <system folder> for the presence of uregvs.nls and, if found, will participate in DDoS attacks against servers listed in the file. It does so by sending multiple HTTP GET or POST requests to the targeted servers. Files observed at the time of publication generally targeted US and South Korean owned servers, including the following:
    www.president.go.kr
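As an added defender-side example (not part of the original analysis), the following read-only PowerShell triage script checks a host for the file and registry artefacts described in the Installation and Payload sections above: the dropped files, the uregvs.nls target list, the "wmiconf" svchost group and the WmiConfig service. The closing sweep over every svchost-hosted ServiceDll lacking a valid Authenticode signature goes beyond the page; it is meant to surface renamed variants such as perfvwr.dll and only flags entries for review.

```powershell
# Added triage example for Trojan:Win32/Lyzapo.A artefacts (not the analysis author's code).
# Read-only: it reports findings and removes nothing. Run from an elevated prompt.

$sys = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Files the dropper writes. wmiconf.dll / wmcfg.exe / perfvwr.dll / uregvs.nls are the
#    malicious or malware-specific ones; the WinPcap files are clean on their own and are
#    reported only as supporting context.
$high = 'wmiconf.dll', 'wmcfg.exe', 'perfvwr.dll', 'uregvs.nls'
$low  = 'wpcap.dll', 'Packet.dll', 'WanPacket.dll', 'drivers\npf.sys', 'npptools.dll'
foreach ($f in $high) { if (Test-Path (Join-Path $sys $f)) { $findings += "HIGH file present: $sys\$f" } }
foreach ($f in $low)  { if (Test-Path (Join-Path $sys $f)) { $findings += "info (WinPcap component): $sys\$f" } }

# 2. The svchost group 'wmiconf' and the WmiConfig service the DLL is registered under.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$group = (Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue).wmiconf
if ($group) { $findings += "HIGH svchost group 'wmiconf' -> $($group -join ',')" }

$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WmiConfig'
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $findings += "HIGH service WmiConfig: ImagePath='$($svc.ImagePath)' ServiceDll='$dll' Start=$($svc.Start)"
}

# 3. Generalisation beyond the page: any svchost-hosted service whose ServiceDll exists on
#    disk but does not carry a valid Authenticode signature is listed for manual review
#    (catalog-signed OS files may also appear here on older Windows versions).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if ($p -and $p.ServiceDll) {
        $path = [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
        if (Test-Path $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "review: service $($_.PSChildName) ServiceDll=$path signature=$($sig.Status)"
            }
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No Trojan:Win32/Lyzapo.A indicators found.' }
```

A HIGH finding for wmiconf.dll together with the WmiConfig service or the wmiconf svchost group matches the installation described above; uregvs.nls alone indicates the target list has been dropped even if the service has not yet been started.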


    Analysis by David Wood

    Last update 10 July 2009
