
TrojanDropper:Win32/Lisiu.A


First posted on 07 April 2010.
Source: SecurityHome

Aliases :

TrojanDropper:Win32/Lisiu.A is also known as W32/TrojanX.CXAB (Authentium (Command)), Trojan.Win32.KillAV.fen (Kaspersky), Trojan.AVKill.1603 (Dr.Web), Win32/KillAV.NHH (ESET), TROJ_LISIU.SML (Trend Micro).

Explanation :

TrojanDropper:Win32/Lisiu.A is the detection for a malware that bundles and installs QVOD media player with other malware in the computer.

Installation

Upon execution, TrojanDropper:Win32/Lisiu.A drops a QVOD media player installer executable as the following:

  • c:\qvodsetupplus3.exe - installer for QVOD media player

The trojan dropper also creates the following file, also detected as TrojanDropper:Win32/Lisiu.A:

  • %SystemDrive%\111.exe

It then launches the dropped files. The file "111.exe" drops the following files in the Windows system folder, both of which are also detected as Trojan:Win32/Lisiu.A:

  • <system folder>\mswsock32.dll
  • <system folder>\imedllhost09.ime

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.

TrojanDropper:Win32/Lisiu.A drops the following batch script file:

  • <system folder>\del09.bat - used to delete the file "%SystemDrive%\111.exe"

TrojanDropper:Win32/Lisiu.A may also create or modify, if they exist, the following registry entries, in effect installing its dropped components:

Set value: "Ime File"
With data: "imedllhost09.ime"
To subkey: HKLM\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804

Set value: "2"
With data: "e0200804"
To subkey: HKCU\Keyboard Layout\Preload

Set value: "1001"
With data: "<system folder>\mswsock.dll"
To subkey: HKLM\SYSTEM\Setup\AllowStart\SPI_Pause

Payload

Modifies firewall settings

TrojanDropper:Win32/Lisiu.A modifies the following registry entry to allow the QVOD media player to bypass the Windows firewall and potentially download updates of the software:

Set value: "%SystemDrive%\QvodSetupPlus3.exe"
With data: "%SystemDrive%\qvodsetupplus3.exe:*:enabled:qvod"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Modifies registry entries

TrojanDropper:Win32/Lisiu.A may modify the following registry entries:

Adds value: "PackedCatalogItem"
With data: "c\idw\ytm2mwok2dl8c33-9f4753f53ea5}"
In subkeys:

  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
  • HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017

Additional Information

QVOD media player is not in itself malicious; however it has been included in samples of TrojanDropper:Win32/Lisiu.A. The media player connects to a remote server by opening various ports, such as the following:
  • UDP port 21775
  • UDP port 22262
  • TCP port 8090
  • UDP port 8090

TrojanDropper:Win32/Lisiu.A also attempts to connect to various hosts to download other files associated with QVOD media player. In the wild, this trojan has been observed to connect to the following hosts:

  • agent.qvod.com
  • stun.qvod.com
  • stun01.sipphone.com
  • track.qvod.com
  • update.qvod.com

Analysis by Wei Li
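The registry artifacts listed in this write-up (the IME registration under Keyboard Layouts, the Preload entry, the SPI_Pause value, the firewall AuthorizedApplications exception, and the PackedCatalogItem values in the Winsock catalog) can be checked offline against a registry export. The script below is an added example for this page, not part of the original analysis or of any vendor tool: it parses a Windows .reg text export and reports which of those artifacts are present. The .reg sample embedded in it is constructed for illustration (the key paths and data come from the write-up; the surrounding benign keys are filler), the finding names are invented labels, and the hex encoding of PackedCatalogItem is an assumption about how such a value would appear in an export, since the write-up shows its data as plain text.

```python
"""Scan a Windows .reg export for the TrojanDropper:Win32/Lisiu.A registry artifacts.

Added example for this write-up; not code from the original analysis.
The SAMPLE_REG text is constructed: write-up key paths plus invented filler keys.
"""
import re

HIVE_ABBREV = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
}

# (finding label, regex on the key path, value name or None for any value, substring expected in data)
# Labels are invented for this example; paths and data are the write-up's.
INDICATORS = [
    ("ime-file-registration", r"\\Control\\Keyboard Layouts\\E0200804$", "Ime File", "imedllhost09.ime"),
    ("ime-preload", r"\\Keyboard Layout\\Preload$", "2", "e0200804"),
    ("spi-pause-autostart", r"\\Setup\\AllowStart\\SPI_Pause$", "1001", "mswsock.dll"),
    ("firewall-exception", r"\\FirewallPolicy\\StandardProfile\\AuthorizedApplications\\List$",
     None, "qvodsetupplus3.exe:*:enabled:qvod"),
    ("winsock-lsp-catalog", r"\\WinSock2\\Parameters\\Protocol_Catalog9\\Catalog_Entries\\\d{12}$",
     "PackedCatalogItem", "ytm2mwok2dl8c33"),
]


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def _decode_data(raw):
    """Turn the right-hand side of a .reg value line into searchable text."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return raw[6:]
    m = re.match(r"hex(?:\([0-9a-f]+\))?:(.*)$", raw, re.I)
    if m:  # binary / multi-string data: decode bytes as latin-1 and drop NULs
        hexbytes = re.sub(r"[^0-9a-fA-F]", "", m.group(1))
        return bytes.fromhex(hexbytes).decode("latin-1").replace("\x00", "")
    return raw


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: data}} with abbreviated hive names."""
    keys, current = {}, None
    # Hex data is wrapped with a trailing backslash; rejoin those continuation lines first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            current = HIVE_ABBREV.get(hive.upper(), hive) + "\\" + rest
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else _unescape(name.strip('"'))
        keys[current][name] = _decode_data(data)
    return keys


def scan(keys):
    """Return sorted (label, key path, value name) tuples for every indicator that matches."""
    hits = []
    for path, values in keys.items():
        for label, key_re, want_name, want_data in INDICATORS:
            if not re.search(key_re, path, re.I):
                continue
            for name, data in values.items():
                if want_name is not None and name.lower() != want_name.lower():
                    continue
                if want_data.lower() in data.lower():
                    hits.append((label, path, name))
    return sorted(hits)


# Constructed sample export: one benign layout, the write-up's entries, and one
# legitimate-looking Winsock catalog entry (mswsock.dll) that must NOT be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000409]
"Layout File"="KBDUS.DLL"
"Layout Text"="US"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804]
"Ime File"="imedllhost09.ime"

[HKEY_CURRENT_USER\Keyboard Layout\Preload]
"1"="00000409"
"2"="e0200804"

[HKEY_LOCAL_MACHINE\SYSTEM\Setup\AllowStart\SPI_Pause]
"1001"="C:\\Windows\\System32\\mswsock.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\QvodSetupPlus3.exe"="C:\\qvodsetupplus3.exe:*:enabled:qvod"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001]
"PackedCatalogItem"=hex:63,5c,69,64,77,5c,79,74,6d,32,6d,77,6f,6b,32,64,6c,38,\
  63,33,33,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002]
"PackedCatalogItem"=hex:25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,6d,73,77,73,6f,63,6b,2e,64,6c,6c,00
"""

if __name__ == "__main__":
    for label, path, name in scan(parse_reg(SAMPLE_REG)):
        print(f"{label:24} {path}  ->  {name}")
```

The key-path patterns match on the tail of the path, so exports taken from ControlSet001 and from CurrentControlSet are both covered. Because the write-up gives mswsock.dll (a normal Windows file name) as the SPI_Pause data while the dropped file is mswsock32.dll, the SPI_Pause check relies on the unusual key path rather than on the file name, and the Winsock check keys on the odd PackedCatalogItem string rather than flagging every catalog entry.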

    Last update 07 April 2010
