
TrojanDownloader:Win32/Leodon.D


First posted on 12 March 2019.
Source: Microsoft

Aliases :

TrojanDownloader:Win32/Leodon.D is also known as Suspect-AC!2E1BB0AB1F7E, Mal_Otorun9, Worm.Win32.AutoRun.bjqg, Troj/PWS-BJM.

Explanation :

TrojanDownloader:Win32/Leodon.D is a trojan that silently downloads and installs other programs without consent. This could include the installation of additional malware or malware components to an affected computer.

Installation

TrojanDownloader:Win32/Leodon.D creates the following files on an affected computer:

%programfiles%\common files\system\explorer.exe - detected as Trojan:Win32/Comame
c:\cbnw.exe - detected as Trojan:Win32/Comame
c:\cppc.bat
c:\documents and settings\all users\start menu\programs\startup\winlogs.lnk
c:\recycler\winlogon.exe - detected as Trojan:Win32/Comame

The malware creates files on an affected computer using variable file names, for example:

%programfiles%\common files\fqernk.dll
c:\hrswtg.bmp
c:\kevtyd.jpg
c:\osvjmj.txt
c:\uuyvwv.gif

Spreads via...

Removable drives

TrojanDownloader:Win32/Leodon.D may create the following file on targeted drives when spreading:

:\subst.exe - detected as Trojan:Win32/Comame.

It also places an autorun.inf file in the root directory of the targeted drive. Such autorun.inf files contain execution instructions for the operating system, so that when the removable drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically.
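The autorun.inf mechanism described above can be inspected from the defender's side. The following is an added example, not part of the Microsoft description or its automated analysis system: a small Python scanner that reads an autorun.inf from a drive root, lists the directives that would make Windows launch a program, and checks for the subst.exe file named above. The sample autorun.inf contents are constructed for this example, and the set of execution directives it looks for (open, shellexecute, shell\<verb>\command) is an assumption of the example rather than something the description states.

```python
"""Added example (not from the original description): parse an autorun.inf
from a drive root and report the directives that cause program execution."""
import sys
from pathlib import Path

# [autorun] keys that directly name a program to run (assumption of this example).
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun(text: str) -> dict[str, str]:
    """Return key/value pairs from the [autorun] section, keys lower-cased.

    autorun.inf is INI-like, but real files carry ';' comments, mixed-case
    keys, a BOM and duplicate keys, so a small hand parser is used instead of
    configparser. Only the [autorun] section is read; later duplicates win.
    """
    directives: dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        directives[key.strip().lower()] = value.strip()
    return directives


def execution_targets(directives: dict[str, str]) -> list[tuple[str, str]]:
    """Return (directive, command) pairs that would launch a program.

    Covers open=, shellexecute= and shell\\<verb>\\command=, the last of which
    adds or replaces a context-menu verb for the drive. Entries such as icon=
    or label= are reported nowhere because they only change presentation.
    """
    found = []
    for key, value in directives.items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            found.append((key, value))
    return found


def scan_drive_root(root: Path) -> dict:
    """Check a drive root for the spreading indicators the description names.

    An autorun.inf on its own is not proof of infection (installation media
    use them legitimately); the 'launches' list and the dropped file name are
    what an analyst would look at next. Lookups are exact-case on
    case-sensitive file systems.
    """
    result = {"autorun_inf": False, "launches": [], "subst_exe": False}
    inf = root / "autorun.inf"
    if inf.is_file():
        result["autorun_inf"] = True
        result["launches"] = execution_targets(parse_autorun(inf.read_text(errors="replace")))
    result["subst_exe"] = (root / "subst.exe").is_file()
    return result


# Constructed sample of the shape the description refers to (not a captured file).
SAMPLE_AUTORUN = (
    "[autorun]\r\n"
    "; constructed for this example\r\n"
    "open=subst.exe\r\n"
    "shell\\open\\command=subst.exe\r\n"
    "icon=subst.exe,0\r\n"
)

if __name__ == "__main__":
    # Usage: python autorun_check.py E:\ F:\   (each argument is a drive root)
    for arg in sys.argv[1:]:
        print(arg, scan_drive_root(Path(arg)))
    print("sample:", execution_targets(parse_autorun(SAMPLE_AUTORUN)))
```

Run with one or more drive roots as arguments; with none it only evaluates the constructed sample. The parser deliberately ignores everything outside [autorun], so a file that merely sets an icon or label produces an empty launch list, which matches the note in the description that autorun.inf files are also used by legitimate programs.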
Note: This worm was observed to write an executable and create an autorun.inf file on a targeted drive in our automated testing environment. This is particularly common malware behavior, generally utilized in order to spread malware from computer to computer. It should also be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.

Payload

Modifies system settings

TrojanDownloader:Win32/Leodon.D modifies the affected computer system's settings by making the following changes to the registry:

The malware stops the display of files that have 'system' and 'hidden' attributes by making the following registry modification:

Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Modifies browser settings

The malware modifies the affected computer's browser settings by making the following changes to the registry:

The malware locks the Internet Explorer toolbar by making the following registry modification:

Adds value: "Locked"
With data: "1"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Toolbar
Contacts remote host

The malware may contact a remote host at lovechina.9860.net using port 80. Commonly, malware may contact a remote host for the following purposes:

To report a new infection to its author
To receive configuration or other data
To download and execute arbitrary files (including updates or additional malware)
To receive instruction from a remote attacker
To upload data taken from the affected computer

This malware description was produced and published using our automated analysis system's examination of file SHA1 0502c54f203c5f43c07caf90817d67b1523b3699.

Last update 12 March 2019
