
Trojan:Win32/Lisiu.A


First posted on 28 April 2010.
Source: SecurityHome

Aliases :

Trojan:Win32/Lisiu.A is also known as Win-Trojan/AVKiller.36864 (AhnLab), Trojan.Win32.KillAV.fev (Kaspersky), TR/Killav.fev.4 (Avira), Win32/KillAV.PW (CA), Trojan.AVKill.1318 (Dr.Web), Win32/KillAV.NHA (ESET), Trojan.Win32.Killav (Ikarus), Lisiu (McAfee), TROJ_KILLAV.AJM (Trend Micro).

Explanation :

Trojan:Win32/Lisiu.A is a trojan that can terminate certain system processes. It usually arrives in the computer by being dropped by TrojanDropper:Win32/Lisiu.A in the Windows system folder.

Installation

Trojan:Win32/Lisiu.A may be dropped by TrojanDropper:Win32/Lisiu.A as the following files:

  • <system folder>\mswsock32.dll
  • <system folder>\imedllhost09.ime
  • Note - <system folder> refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

It may create or modify (if they exist) the following registry entries, in effect installing its components:

  • Adds value: "Ime File"
    With data: "imedllhost09.ime"
    To subkey: HKLM\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804
  • Adds value: "2"
    With data: "e0200804"
    To subkey: HKCU\Keyboard Layout\Preload
  • Adds value: "1001"
    With data: "<system folder>\mswsock.dll"
    To subkey: HKLM\SYSTEM\Setup\AllowStart\SPI_Pause

The first two entries register imedllhost09.ime as the Input Method Editor module of a keyboard layout (E0200804) and add that layout to the current user's preload list, so that Windows loads the .ime file as an IME module for that user. The third entry points at <system folder>\mswsock.dll, the name of a legitimate Windows Winsock component; note that the file the dropper actually writes is named mswsock32.dll.

Trojan:Win32/Lisiu.A creates the following mutex to ensure only one instance of itself is running in memory:

  • __ssav

Payload

Terminates processes

Trojan:Win32/Lisiu.A terminates the following processes and removes their corresponding services from the system registry:
  • 360deepscan.exe
  • 360safe.exe
  • 360tray.exe
  • alg.exe
  • avp.exe
  • ccenter.exe
  • ccsvchst.exe
  • dsmain.exe
  • egui.exe
  • ekrn.exe
  • hwapi.exe
  • krnl360svc.exe
  • mcagent.exe
  • mclogcln.exe
  • mcnasvc.exe
  • mcods.exe
  • mcpromgr.exe
  • mcregist.exe
  • mcshield.exe
  • mcsvrcnt.exe
  • mcsysmon.exe
  • mctskshd.exe
  • mcupdmgr.exe
  • mcupdui.exe
  • mcusrmgr.exe
  • mcvsshld.exe
  • mpfalert.exe
  • mpfsrv.exe
  • ravmond.exe
  • ravtask.exe
  • redirsvc.exe
  • rsnetsvr.exe
  • rstray.exe
  • safeboxtray.exe
  • scanfrm.exe
  • superkiller.exe
  • zhudongfangyu.exe
Most of these processes belong to security products (components of 360, Rising, Kaspersky, McAfee, ESET and Symantec); alg.exe is the Windows Application Layer Gateway service. Trojan:Win32/Lisiu.A may also stop the service for the following file in the system folder:

  • KillIS.sys

Connects to a Web site

Trojan:Win32/Lisiu.A connects to the following Web site:

  • b.vv29.com

It opens a specific ASP page from this site. It may also download and execute a file from this site. At the time of this writing, the file to be downloaded is not available.
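The artifacts above (dropped files, registry values, mutex, targeted processes and the contact domain) are the host-based indicators an incident responder would sweep for. The following PowerShell script is an added example written for this page; it is not code from the original write-up or from Microsoft. It checks each indicator listed above on the local host. The function name Find-LisiuArtifacts is the editor's own choice; the script assumes the mutex may live in either the session-local or the Global namespace (the write-up gives only the bare name), matches the Preload value by data rather than name because a value named "2" legitimately exists on hosts with two keyboard layouts, only inspects the current user's HKCU hive, and reads the DNS client cache (Windows 8 / Server 2012 or later) rather than resolving b.vv29.com, since a live lookup would itself contact the attacker's infrastructure. Run it from an elevated session.

```powershell
# Added example (not part of the original write-up): sweep a Windows host for the
# Trojan:Win32/Lisiu.A artifacts described above. Run in an elevated PowerShell session.
# Find-LisiuArtifacts and the variable names are the editor's choices, not names from the malware.

function Find-LisiuArtifacts {
    $systemDir = [Environment]::GetFolderPath('System')   # resolves <system folder>, e.g. C:\Windows\System32
    $hits = New-Object System.Collections.Generic.List[string]

    # 1. Dropped files and the driver whose service the trojan stops.
    foreach ($name in 'mswsock32.dll', 'imedllhost09.ime', 'KillIS.sys') {
        $path = Join-Path $systemDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $hits.Add("file present: $path (SHA256 $sha256)")
        }
    }

    # 2. Registry values listed in the write-up. The Preload value "2" exists legitimately on
    #    hosts with a second keyboard layout, so match the data, not just the name. HKCU: covers
    #    only the user running the script; repeat against HKU:\<SID> for other profiles.
    $regChecks = @(
        @{ Key = 'HKLM:\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804'; Name = 'Ime File'; Like = 'imedllhost09.ime' }
        @{ Key = 'HKCU:\Keyboard Layout\Preload';                                Name = '2';        Like = 'e0200804' }
        @{ Key = 'HKLM:\SYSTEM\Setup\AllowStart\SPI_Pause';                      Name = '1001';     Like = '*mswsock*.dll' }
    )
    foreach ($c in $regChecks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $prop = (Get-ItemProperty -LiteralPath $c.Key).PSObject.Properties[$c.Name]
        if ($prop -and ("$($prop.Value)" -like $c.Like)) {
            $hits.Add("registry: $($c.Key) [$($c.Name)] = $($prop.Value)")
        }
    }

    # 3. Mutex. The write-up gives only the bare name; the namespace is an assumption, so try both.
    #    An access-denied error means the object exists but was created by another principal.
    foreach ($m in '__ssav', 'Global\__ssav') {
        $mutex = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($m, [ref]$mutex)) {
                $mutex.Dispose()
                $hits.Add("mutex held: $m (trojan likely running)")
            }
        } catch [System.UnauthorizedAccessException] {
            $hits.Add("mutex exists but is not accessible: $m")
        }
    }

    # 4. Context: which of the targeted security processes are still running. On a host that
    #    has one of these products installed, their absence is itself suspicious.
    $targets = '360deepscan','360safe','360tray','alg','avp','ccenter','ccsvchst','dsmain','egui','ekrn',
               'hwapi','krnl360svc','mcagent','mclogcln','mcnasvc','mcods','mcpromgr','mcregist','mcshield',
               'mcsvrcnt','mcsysmon','mctskshd','mcupdmgr','mcupdui','mcusrmgr','mcvsshld','mpfalert','mpfsrv',
               'ravmond','ravtask','redirsvc','rsnetsvr','rstray','safeboxtray','scanfrm','superkiller','zhudongfangyu'
    $running = Get-Process -Name $targets -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty ProcessName -Unique
    if ($running) { $hits.Add("targeted security processes still running: $($running -join ', ')") }

    # 5. Contact domain: read the local DNS cache instead of resolving the name, which would
    #    beacon to the attacker's host. Get-DnsClientCache needs Windows 8 / Server 2012 or later.
    $cached = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like '*vv29.com' }
    foreach ($e in $cached) { $hits.Add("DNS cache: $($e.Entry) -> $($e.Data)") }

    return $hits
}

$result = Find-LisiuArtifacts
if ($result.Count -eq 0) {
    Write-Host 'No Trojan:Win32/Lisiu.A artifacts found on this host.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

A hit on the registry or file checks is strong evidence of the dropper having run even when the mutex is absent (the process may simply not be running at the moment); file hashes are recorded so that they can be compared against vendor detections, since the page gives no hashes of its own.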

    Analysis by Francis Allan Tan Seng

    Last update 28 April 2010

     
