
Trojan.Laziok


First posted on 12 February 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Laziok.

Explanation:

Once executed, the Trojan creates the following files:

%Windir%\explorer\smss.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\hzid\hzid.txt
%UserProfile%\Application Data\System\Oracle\smss.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\search.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\ati.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\lsass.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\smss.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\admin.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\key.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\chrome.exe

Several of these names (smss.exe, lsass.exe, taskmgr.exe, chrome.exe) copy legitimate Windows or browser binaries. The giveaway is the location: the genuine smss.exe, lsass.exe and taskmgr.exe live in %Windir%\System32, not under a user profile or a %Windir%\explorer directory, so a system-binary name in either of those places is a reliable hunting pivot.

The Trojan then creates the following registry entries so that it runs every time Windows starts:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Windows" = "%UserProfile%\Application Data\System\Oracle\smss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows" = "%Windir%\explorer\smss.exe"

Both persistence entries use the same innocuous value name, "Windows"; the HKEY_LOCAL_MACHINE entry is only written if the Trojan runs with sufficient privileges to modify that hive.

Next, the Trojan connects to the following IP address in order to retrieve URLs from which it will download potentially malicious files:

94.156.77.75

This address was reported in February 2015 and may have been reassigned since, so treat it as a historical indicator and confirm it against current threat intelligence before blocking or alerting on it.

The Trojan may save the downloaded files to the following locations:

%UserProfile%\Application Data\System\Oracle\azioklmpx\search.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\ati.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\lsass.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\smss.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\admin.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\key.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\taskmgr.exe
%UserProfile%\Application Data\System\Oracle\azioklmpx\chrome.exe

The Trojan may also gather the following information from the compromised computer and send it to the attacker:

Computer name
Amount of RAM installed
Hard disk size
Security software installed
CPU and GPU details
Whether or not Steam is installed
Whether or not Origin is installed
Whether or not Java is installed
Whether or not the .Net Framework is installed
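The file paths, Run-key values and address listed above are directly usable as host and network indicators. The following Python script is an added example, not part of the Symantec write-up and not Symantec tooling: it matches those indicators against constructed sample host records (a file listing, Run-key entries and outbound connections) and goes one step beyond the listed indicators by flagging any file that carries a Windows system-binary name (smss.exe, lsass.exe, taskmgr.exe) but sits outside the system directories, and any unlisted file dropped into the azioklmpx staging directory. The user profile path, the Windows directory and every sample record are assumptions. It also folds the Vista-and-later AppData\Roaming location onto the XP-style "Application Data" name used in the write-up, since on those systems %UserProfile%\Application Data is a junction to AppData\Roaming and the file lands under the latter.

```python
"""Hunt for Trojan.Laziok indicators in collected host data.

Added example (not part of the Symantec write-up). The indicator lists are
transcribed from the write-up; the sample host records, the user profile
and the Windows directory values are constructed assumptions.
"""
import ntpath

LAZIOK_DIR = r"%UserProfile%\Application Data\System\Oracle\azioklmpx"
LAZIOK_FILES = [
    r"%Windir%\explorer\smss.exe",
    r"%UserProfile%\Application Data\System\Oracle\smss.exe",
    LAZIOK_DIR + r"\hzid\hzid.txt",
] + [LAZIOK_DIR + "\\" + name for name in (
    "search.exe", "ati.exe", "lsass.exe", "smss.exe",
    "admin.exe", "key.exe", "taskmgr.exe", "chrome.exe")]

# Run key (lower-cased) -> (value name, value data) as listed in the write-up.
LAZIOK_RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run":
        ("Windows", r"%UserProfile%\Application Data\System\Oracle\smss.exe"),
    r"hkey_local_machine\software\microsoft\windows\currentversion\run":
        ("Windows", r"%Windir%\explorer\smss.exe"),
}
LAZIOK_C2 = "94.156.77.75"

# Names the dropper borrows from genuine Windows system binaries; the real
# ones live only under these %Windir% subdirectories.
SYSTEM_NAMES = {"smss.exe", "lsass.exe", "taskmgr.exe"}
SYSTEM_DIRS = ("system32", "syswow64", "winsxs")


def canon(path):
    """Lower-case, unify separators, strip quotes and fold the Vista+
    AppData\\Roaming location onto the XP-style 'Application Data' name
    used in the write-up (the two refer to the same directory)."""
    p = path.strip().strip('"').lower().replace("/", "\\")
    return p.replace("\\appdata\\roaming\\", "\\application data\\")


def expand(template, user_profile, windir):
    """Turn a %UserProfile%/%Windir% template into a canonical concrete path."""
    return canon(template.replace("%UserProfile%", user_profile)
                         .replace("%Windir%", windir))


def is_lookalike(path, windir):
    """True if a system-binary name sits outside the system directories."""
    c = canon(path)
    if ntpath.basename(c) not in SYSTEM_NAMES:
        return False
    parent = ntpath.dirname(c)
    w = canon(windir)
    return not any(parent.startswith(w + "\\" + d) for d in SYSTEM_DIRS)


def hunt_laziok(file_paths, run_entries, connections,
                user_profile=r"C:\Users\alice", windir=r"C:\Windows"):
    """Return a list of (category, detail) findings for the host records.

    file_paths:  full paths from a file-system listing
    run_entries: (key, value_name, value_data) tuples from the Run keys
    connections: 'ip:port' destination strings from a flow or proxy log
    """
    findings = []
    ioc_files = {expand(t, user_profile, windir) for t in LAZIOK_FILES}
    ioc_dir = expand(LAZIOK_DIR, user_profile, windir)
    for p in file_paths:
        c = canon(p)
        if c in ioc_files:
            findings.append(("file", p))
        elif c.startswith(ioc_dir + "\\"):
            # Unlisted name in the staging directory: likely a later payload.
            findings.append(("file-in-staging-dir", p))
        if is_lookalike(p, windir):
            findings.append(("lookalike-system-binary", p))
    for key, name, data in run_entries:
        expected = LAZIOK_RUN_KEYS.get(key.lower())
        if expected and name.lower() == expected[0].lower() \
                and canon(data) == expand(expected[1], user_profile, windir):
            findings.append(("run-key", key + "\\" + name))
    for dst in connections:
        if dst.split(":")[0] == LAZIOK_C2:
            findings.append(("c2", dst))
    return findings


# Constructed sample records for an assumed host with user 'alice'.
SAMPLE_FILES = [
    r"C:\Windows\System32\smss.exe",                                      # genuine
    r"C:\Windows\explorer\smss.exe",                                      # Laziok
    r"C:\Users\alice\AppData\Roaming\System\Oracle\azioklmpx\lsass.exe",  # Laziok
    r"C:\Users\alice\AppData\Roaming\System\Oracle\azioklmpx\update.exe", # unlisted
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",             # genuine
]
SAMPLE_RUN = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "Windows", r"C:\Users\alice\AppData\Roaming\System\Oracle\smss.exe"),
]
SAMPLE_CONNECTIONS = ["8.8.8.8:53", "94.156.77.75:80"]

if __name__ == "__main__":
    for category, detail in hunt_laziok(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_CONNECTIONS):
        print(f"{category:26} {detail}")
```

On a real host the three inputs would come from a recursive directory listing, a registry export of both Run keys and a flow or proxy log; the lookalike check is the part worth keeping after the listed indicators go stale, because the naming trick does not depend on this particular sample.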

Last update 12 February 2015
