Backdoor:Win32/Lisfel.C
First posted on 24 October 2012.
Source: Microsoft
Aliases:
Backdoor:Win32/Lisfel.C is also known as Win-Trojan/Lisfel.66048 (AhnLab).
Explanation:
Backdoor:Win32/Lisfel.C is a backdoor trojan that loads other malware which may be used by a remote attacker to gain unauthorized access and control of your computer. It is dropped by TrojanDropper:Win32/Lisfel.A.
Installation
Backdoor:Win32/Lisfel.C is dropped by TrojanDropper:Win32/Lisfel.A to a folder that it selects based upon specific rules contained in its code.
In the wild, we have observed it dropped with the file name "wlupdate.exe".
TrojanDropper:Win32/Lisfel.A modifies the following registry entry to ensure that Backdoor:Win32/Lisfel.C runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Kris"
With data: "<folder>\wlupdate.exe", for example "<folder>\wlupdate.exe"
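For triage across collected host data, the Run-key indicators above (value name "Kris", file name "wlupdate.exe") can be matched against saved `reg query` output. The Python below is an added example, not part of the original entry; the sample output, its folder names, and the "high"/"review" grading are assumptions of this example.

```python
import ntpath
import re

# Indicators taken from the write-up above.
RUN_VALUE_NAME = "kris"          # registry value names are case-insensitive
DROPPED_FILE = "wlupdate.exe"
# One value line of `reg query` output: name, type, data separated by 4 spaces.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_run_values(reg_query_output):
    """Return (name, data) pairs from `reg query <Run key>` text output."""
    matches = (VALUE_LINE.match(line) for line in reg_query_output.splitlines())
    return [(m.group("name"), m.group("data").strip()) for m in matches if m]


def command_image(data):
    """Lower-cased file name of the program a Run entry launches."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]          # quoted path, arguments follow
    else:
        # Unquoted: cut after the first ".exe" so trailing arguments are dropped.
        m = re.match(r"(?i)(.*?\.exe)(\s|$)", data)
        path = m.group(1) if m else data
    return ntpath.basename(path).lower()


def triage(reg_query_output):
    """Grade Run values: 'high' if name and file both match, 'review' if one does."""
    findings = []
    for name, data in parse_run_values(reg_query_output):
        name_hit = name.lower() == RUN_VALUE_NAME
        file_hit = command_image(data) == DROPPED_FILE
        if name_hit or file_hit:
            findings.append((name, data, "high" if name_hit and file_hit else "review"))
    return findings


# Constructed sample output; folder names are placeholders, not from the write-up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Kris    REG_SZ    "C:\ExampleFolder\wlupdate.exe"
    Updater    REG_SZ    C:\OtherFolder\WLUPDATE.EXE /silent
    kris    REG_SZ    C:\Tools\notes.exe
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "review" result means only one of the two indicators matched, so the entry needs a manual look rather than automatic removal.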
Payload
Loads other malware
When run, Backdoor:Win32/Lisfel.C loads the dropped DLL file "user.dll", which was dropped by TrojanDropper:Win32/Lisfel.A and is detected as Backdoor:Win32/Lisfel.B.
It then deletes TrojanDropper:Win32/Lisfel.A.
Additional information
TrojanDropper:Win32/Lisfel.A, Backdoor:Win32/Lisfel.B, and Backdoor:Win32/Lisfel.C all work together to infect your computer and deliver the payload which allows backdoor access and control. If you are infected with one of these components, then it is likely you are infected with the other components as well. For more information on how these infections work together, please see their individual entries.
Related encyclopedia entries
Backdoor:Win32/Lisfel.B
TrojanDropper:Win32/Lisfel.A
Analysis by Chun Feng
Last update 24 October 2012