Trojan:Win32/Lodbak.A
First posted on 23 May 2019.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Lodbak.A.
Explanation:
Installation
This threat is usually installed on a removable drive by Worm:Win32/Gamarue. If you use an infected removable drive, the threat might then be installed on your PC.
The threat installs a shortcut file (detected as Trojan:Win32/Lodbak.A!lnk) as well as an encrypted data file onto your PC.
The threat is installed as a DLL file using a random file name in the following format:
~$<random>.bak
For example, we have seen it use the following random file names:
~$jemce.bak
~$mdqfshozrjgtjc.bak
~$odshpmzlsyzzsqqtzre.bak
~$omhaeudssbwizasttdiyftnzro.bak
~$pfrmgrpkcvafufkipckvvljeyitesjuavjffdcpp.bak
The encrypted data file name is IndexerVolumeGuid.
Payload
Runs other malware
This threat loads other malware. We have seen it loading variants from the Win32/Gamarue family of worms.
When the shortcut file runs, it loads the DLL file by using the rundll32.exe command.
For example, we have seen it run the following command:
%SystemRoot%\rundll32.exe ~$mdqfshozrjgtjc.bak,nampcorlybeybehd
Once the DLL is loaded, it decrypts and runs the encrypted data IndexerVolumeGuid, which is then detected as Worm:Win32/Gamarue.
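As an added defender-side example (not part of Microsoft's write-up), the following Python flags process-creation command lines where rundll32.exe loads a DLL named in the ~$<random>.bak form with an export, and checks a removable-drive listing for the three artefacts the write-up describes together (the .lnk shortcut, the .bak DLL and the IndexerVolumeGuid data file). The sample command lines and file listings are constructed for illustration.

```python
import re

# Constructed sample process-creation command lines (not real telemetry).
# The first two mirror the rundll32 pattern described in the write-up.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\rundll32.exe ~$mdqfshozrjgtjc.bak,nampcorlybeybehd",
    r"%SystemRoot%\rundll32.exe ~$jemce.bak,someotherexport",
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\rundll32.exe C:\Program Files\App\helper.dll,Run",
    r"C:\Windows\explorer.exe",
]

# rundll32 invoked with a DLL whose name follows ~$<random>.bak, followed by
# a comma and the export name to call (as in the command shown above).
LODBAK_RUNDLL32 = re.compile(
    r"""(?ix)
    (?:^|\\)rundll32\.exe\s+        # rundll32 at start or after a path separator
    "?(?P<dll>~\$[a-z0-9]+\.bak)"?  # DLL name: ~$ + random letters + .bak
    ,(?P<export>[a-z0-9_]+)         # comma, then the export to call
    """
)

def find_lodbak_rundll32(command_lines):
    """Return (command_line, dll, export) for each suspicious invocation."""
    hits = []
    for line in command_lines:
        m = LODBAK_RUNDLL32.search(line)
        if m:
            hits.append((line, m.group("dll"), m.group("export")))
    return hits

# Files the write-up says are dropped together on the removable drive.
SHORTCUT_RE = re.compile(r"\.lnk$", re.I)
DLL_RE = re.compile(r"^~\$[a-z0-9]+\.bak$", re.I)
DATA_FILE = "IndexerVolumeGuid"

def removable_drive_indicators(file_names):
    """Report which of the three Lodbak artefacts appear in a directory listing."""
    return {
        "shortcut": any(SHORTCUT_RE.search(n) for n in file_names),
        "dll": [n for n in file_names if DLL_RE.match(n)],
        "encrypted_data": DATA_FILE in file_names,
    }
```

A listing that shows all three artefacts together is a much stronger signal than any one of them alone, since legitimate ~$ prefixed files (Office lock files) and .lnk files are common on their own.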
Analysis by Ric Robielos
Last update 23 May 2019