
TrojanDropper:Win32/Lyzapo.A


First posted on 10 July 2009.
Source: SecurityHome

Aliases:

There are no other names known for TrojanDropper:Win32/Lyzapo.A.

Explanation:

Win32/Lyzapo.A is a trojan with two components that cause the affected system to participate in Distributed Denial of Service attacks against remote servers. It also drops a variant of Backdoor:Win32/Mydoom.gen to the system, and may download and execute other arbitrary files. Please see the Trojan:Win32/Lyzapo.A encyclopedia entry for a detailed analysis of this threat.

Symptoms
System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    <system folder>\wpcap.dll
    <system folder>\Packet.dll
    <system folder>\WanPacket.dll
    <system folder>\drivers\npf.sys
    <system folder>\npptools.dll
    <system folder>\wmcfg.exe
    <system folder>\wmiconf.dll
  • The absence/removal of the following files:
    <system folder>\sysvmd.dll
    <system folder>\negscm.dll
    <system folder>\maus.dl
    <system folder>\maus.dl_
    <system folder>\infdrmkf.inf
    <system folder>\ntmpsvc.dll
    <system folder>\ssdpupd.dll
    <system folder>\perfb093.dat
    <system folder>\netlmgr.dll
  • The presence of the following registry modifications:

    Under key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    Adds value: wmiconf
    With data: "WmiConfig"

    Under key: HKLM\System\CurrentControlSet\Services\WmiConfig
    Adds value: Type
    With data: 0x120
    Adds value: Start
    With data: 0x2
    Adds value: ErrorControl
    With data: 0x1
    Adds value: ImagePath
    With data: "%SystemRoot%\system32\svchost.exe -k wmiconf"
    Adds value: DisplayName
    With data: "WMI Performance Configuration"
    Adds value: ObjectName
    With data: "LocalSystem"
    Adds value: Description
    With data: "Configures and manages performance library information from WMI HiPerf providers."

    Under key: HKLM\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters
    Adds value: ServiceDll
    With data: "<system folder>\wmiconf.dll"

    Under key: HKLM\System\CurrentControlSet\Services\WmiConfig\Security
    Adds value: Security
    With binary data

    Under key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
    Deletes value: secsvcs
    Deletes value: NtmpSvc
    Deletes value: SSDPUPD
    Deletes value: netlman
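The file and registry changes above amount to a svchost-hosted service (group "wmiconf", service "WmiConfig", ServiceDll "wmiconf.dll") plus a set of dropped packet-capture libraries. The following PowerShell script is an added example, not part of the original encyclopedia entry, that checks a host for exactly those indicators; it assumes that "<system folder>" resolves to %SystemRoot%\System32 and that the registry paths are the ones listed above with their backslashes restored.

```powershell
# Added example (not from the original entry): indicator check for the Win32/Lyzapo.A
# system changes listed above. Run from an elevated PowerShell prompt.
# Assumptions: "<system folder>" is %SystemRoot%\System32; registry paths as in the entry.

$sysDir = Join-Path $env:SystemRoot 'System32'

# Files the entry says are dropped, relative to the system folder.
$droppedFiles = @(
    'wpcap.dll', 'Packet.dll', 'WanPacket.dll', 'drivers\npf.sys',
    'npptools.dll', 'wmcfg.exe', 'wmiconf.dll'
)

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$serviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\WmiConfig'

$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped files. wpcap.dll, Packet.dll, WanPacket.dll and npf.sys are standard WinPcap
#    components, so by themselves they may only mean a capture tool is installed; the
#    wmiconf.dll / wmcfg.exe pair and the service below are the specific indicators.
foreach ($rel in $droppedFiles) {
    $path = Join-Path $sysDir $rel
    if (Test-Path -LiteralPath $path) {
        $findings.Add("File present: $path")
    }
}

# 2. Svchost group 'wmiconf' registered to host the 'WmiConfig' service.
$svchost = Get-ItemProperty -Path $svchostKey -ErrorAction SilentlyContinue
if ($svchost -and $svchost.PSObject.Properties['wmiconf']) {
    $findings.Add("Svchost group 'wmiconf' registered, services: $($svchost.wmiconf -join ', ')")
}

# 3. The WmiConfig service itself and the DLL svchost is told to load for it.
if (Test-Path -LiteralPath $serviceKey) {
    $svc = Get-ItemProperty -Path $serviceKey
    $findings.Add("Service 'WmiConfig' present: ImagePath=[$($svc.ImagePath)] DisplayName=[$($svc.DisplayName)]")
    $params = Get-ItemProperty -Path (Join-Path $serviceKey 'Parameters') -ErrorAction SilentlyContinue
    if ($params -and $params.PSObject.Properties['ServiceDll']) {
        $findings.Add("WmiConfig ServiceDll: $($params.ServiceDll)")
    }
}

# 4. Report. A service entry whose ServiceDll is not a signed Microsoft binary under
#    System32 is the finding to escalate; the WinPcap files alone are only supporting evidence.
if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Lyzapo.A indicators found.'
} else {
    Write-Output "Win32/Lyzapo.A indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

The same pattern (a new svchost group value plus a Services\<name>\Parameters\ServiceDll pointing at a DLL in the system folder) is how many svchost-hosted threats persist, so the second and third checks are worth keeping as a general review of unexpected svchost groups rather than only a Lyzapo-specific test.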


    Last update 10 July 2009
