First posted on 31 August 2007.
Source: SecurityHome
Trojan-Spy:W32/Lydra.DT is also known as Trojan-Spy.Win32.Lydra.dt, Spy-Wokiscan trojan.
Trojan-Spy:W32/Lydra.DT is a spying trojan that monitors user activities in the infected machine.
It stays active in Windows memory and starts keylogging (recording keyboard and mouse inputs). It stores the recorded keystroke data and computer hardware and software information for later submission and sends it to the malware author via email.
It creates these files upon execution:
* %windir%\mui\nctfd.sys
* %windir%\syswin.exe
* %windir%\lsassv.exe
* %windir%\msrpc.exe
* %windir%\calc.exe
* %windir%\regedit2.exe
* %allusersprofile%\Start Menu\Programs\Startup\AdobeGammaLoader.scr
It also modifies some Windows files found in the %windir% folder.
It adds itself as a system service and creates multiple registry Run entries so that it executes when the system starts.
The registry changes are as follows:
* HKLM\SOFTWARE\Classes\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}
ThisEXE = %cwd%\wokiscan.exe
* HKLM\SOFTWARE\Classes\CLSID\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}
VerProg = 0000009B
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
syswin = c:\windows\syswin.exe
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
syswin = c:\windows\syswin.exe
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
syswin = c:\windows\syswin.exe
* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsassv = c:\windows\lsassv.exe
* HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
msrpc = c:\windows\msrpc.exe
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
DependOnGroup =
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
DependOnService = RpcSs
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
Description = This service manages TCP/IP packets at Internet
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
DisplayName = TCPIP route manager
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
Group = PlugPlay
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
ObjectName = LocalSystem
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
ImagePath = c:\windows\syswin.exe
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
ErrorControl = 00000001
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
PlugPlayServiceType = 00000003
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
Start = 00000002
* HKLM\SYSTEM\CurrentControlSet\Services\syswin
Type = 00000120
* HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%cwd%\wokiscan.exe = %cwd%\wokiscan.exe:*:Enabled:System Update
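As an added triage example (not part of the original advisory), the following Python script parses the text format written by `reg export` and flags the persistence traces listed above: Run entries whose image is one of the three dropped executables, the `syswin` service key, and the firewall exception for wokiscan.exe. The `.reg` sample embedded in the script is constructed for this example, and `c:\tmp` stands in for the unknown `%cwd%`; on a real system you would feed it the output of `reg export` for the relevant keys.

```python
"""Scan a .reg export for the Trojan-Spy:W32/Lydra.DT persistence entries.

Added example; indicators are taken from the advisory, the sample data is constructed.
"""
import re

# Autostart keys and service key from the advisory, lower-cased and with the
# hive abbreviated so they compare equal to what parse_reg() produces.
RUN_KEYS = {
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\runservices",
    r"hklm\software\microsoft\windows\currentversion\policies\explorer\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\policies\explorer\run",
}
RUN_IMAGES = {"syswin.exe", "lsassv.exe", "msrpc.exe"}
SERVICE_KEY = r"hklm\system\currentcontrolset\services\syswin"
FIREWALL_KEY = (r"hklm\system\currentcontrolset\services\sharedaccess\parameters"
                r"\firewallpolicy\standardprofile\authorizedapplications\list")
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

# A .reg value line: "name"=data or @=data (default value).
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo the .reg escaping of backslashes and double quotes."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse .reg text into {key: {value_name: data}}; keys and names lower-cased.

    REG_SZ strings are unescaped, DWORDs become decimal strings, and other
    types (hex(2) expand strings, binary blobs) are kept as their raw text.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].lower().partition("\\")
            current = keys.setdefault(HIVES.get(hive, hive) + "\\" + rest, {})
            continue
        m = _VALUE_RE.match(line) if current is not None else None
        if not m:
            continue
        name = _unescape(m.group(1) or "").lower()
        data = m.group(2)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            data = str(int(data[6:], 16))
        current[name] = data
    return keys


def find_indicators(reg):
    """Return (category, key, value_name, data) tuples for Lydra.DT traces."""
    hits = []
    for key in sorted(RUN_KEYS & set(reg)):
        for name, data in reg[key].items():
            # Match on the image file name so any drive or case variant is caught.
            if data.lower().rsplit("\\", 1)[-1] in RUN_IMAGES:
                hits.append(("run", key, name, data))
    svc = reg.get(SERVICE_KEY)
    if svc is not None:
        hits.append(("service", SERVICE_KEY, "imagepath", svc.get("imagepath", "")))
    for name, data in reg.get(FIREWALL_KEY, {}).items():
        if name.rsplit("\\", 1)[-1] == "wokiscan.exe":
            hits.append(("firewall", FIREWALL_KEY, name, data))
    return hits


# Constructed `reg export` output; ctfmon.exe is included as a benign control
# and c:\tmp is a hypothetical stand-in for the trojan's %cwd%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"syswin"="c:\\windows\\syswin.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lsassv"="c:\\windows\\lsassv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syswin]
"DisplayName"="TCPIP route manager"
"ImagePath"="c:\\windows\\syswin.exe"
"Group"="PlugPlay"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\tmp\\wokiscan.exe"="c:\\tmp\\wokiscan.exe:*:Enabled:System Update"
'''


def main():
    for cat, key, name, data in find_indicators(parse_reg(SAMPLE_REG)):
        print(f"[{cat}] {key}\\{name} = {data}")


if __name__ == "__main__":
    main()
```

The service check deliberately fires on the key name alone: the DisplayName "TCPIP route manager" and the PlugPlay group are chosen to look legitimate, so a service named `syswin` pointing anywhere is worth a look even if the ImagePath has been changed.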
Trojan-Spy:W32/Lydra.DT also collects email addresses found in files with pre-defined name extensions on the infected machine's available drives. It is also able to terminate security-related processes and services.
It uses either its built-in SMTP engine or MAPI to send the encrypted stolen information via email.
SMTP server: smtp.mail.ru
Email addresses: johnhayward843@yahoo.co.uk and nfd984@rambler.ru
Last update 31 August 2007