TrojanDropper:Win32/Lisfel.A
First posted on 06 October 2012.
Source: Microsoft
Aliases:
There are no other names known for TrojanDropper:Win32/Lisfel.A.
Explanation:
TrojanDropper:Win32/Lisfel.A is a malicious program that drops other Lisfel components.
Installation
TrojanDropper:Win32/Lisfel.A may arrive on your computer via malware that exploits the vulnerability described in CVE-2012-4969, such as Exploit:Win32/CVE-2012-4969.A.
Payload
Installs other Lisfel components
TrojanDropper:Win32/Lisfel.A installs the following files:
- user.dll - detected as TrojanDropper:Win32/Lisfel.B
- wlupdate.exe - detected as TrojanDropper:Win32/Lisfel.C
It also creates the following files in the same folder:
- tmp
- lisfl.dll
TrojanDropper:Win32/Lisfel.A then modifies the registry to run its dropped component every time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Kris"
With data: "<folder>\wlupdate.exe"
where <folder> is the folder where TrojanDropper:Win32/Lisfel.A chooses to install its components.
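The check below is an added example, not part of the original write-up or any Microsoft tooling: it parses `reg query` output for the Run key and flags the value name, target file and companion files listed above. The sample output, the folder path in it and the function names are constructed for illustration.

```python
import ntpath
import re

# Indicators taken from the write-up above (compared case-insensitively).
RUN_VALUE = "kris"
RUN_TARGET = "wlupdate.exe"
COMPANIONS = {"user.dll", "tmp", "lisfl.dll"}

# Constructed sample of `reg query` output; the folder path is a placeholder.
SAMPLE = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Kris    REG_SZ    "C:\ProgramData\Example\wlupdate.exe"
'''

# One value line of `reg query` output: name, type, data separated by 4 spaces.
LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_key(text):
    """Return [(name, data)] for each value line in `reg query` output."""
    return [(m["name"], m["data"]) for m in map(LINE.match, text.splitlines()) if m]

def target_path(data):
    """Extract the executable path from Run data, with or without quotes/arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", data)
    return m.group(1) if m else data

def scan(text, list_folder=lambda folder: ()):
    """Map each suspicious Run value name to the Lisfel indicators it matches."""
    out = {}
    for name, data in parse_run_key(text):
        path = target_path(data)
        hits = []
        if name.lower() == RUN_VALUE:
            hits.append("run-value-name")
        if ntpath.basename(path).lower() == RUN_TARGET:
            hits.append("run-target")
        # Companion names are generic, so they only count alongside a Run-key hit.
        found = COMPANIONS & {f.lower() for f in list_folder(ntpath.dirname(path))}
        if hits and found:
            hits.append("companions:" + ",".join(sorted(found)))
        if hits:
            out[name] = hits
    return out

if __name__ == "__main__":
    print(scan(SAMPLE))
```

On a Windows host, pass the text produced by `reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"` and a `list_folder` callable that lists the target's directory.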
Connects to a remote server
TrojanDropper:Win32/Lisfel.A launches a hidden web browser window to access the server "receo.konkuk.ac.kr", presumably to direct traffic to this server.
Analysis by Chun Feng
Last update 06 October 2012