
VirTool:WinNT/Livuto.gen


First posted on 18 December 2012.
Source: Microsoft

Aliases:

VirTool:WinNT/Livuto.gen is also known as RKIT/StartPage.B.2 (Avira), TROJ_ROOTKIT.CQ (Trend Micro), Trojan.StartPage.1675 (Dr.Web), Trojan.Win32.Startpage (Ikarus), Trojan.Win32.StartPage.amd (Kaspersky), W32/Farfli.G (Norman), W32/Trojan.YIB (Command), Win32/Rootkit.Agent.NAU (ESET), Win-Trojan/StartPage.8352 (AhnLab).

Explanation:



Installation



VirTool:WinNT/Livuto.gen may be dropped and installed by TrojanDropper:Win32/Livuto.



Payload

Modifies Hosts file

VirTool:WinNT/Livuto.gen prevents access to certain security-related websites, such as those belonging to antivirus companies (the Microsoft entry lists the individual hostnames).


The malware does this by modifying the Windows Hosts file to redirect your browser away from these sites to the IP address 127.0.0.1, which is the "local host". As a result, if you try to access any of these sites, you will be redirected back to your own computer and will see an error page in your web browser.

The Windows Hosts file allows you to specify if certain web addresses should redirect to other addresses. Malware often modifies the Hosts file to stop you from accessing websites associated with particular security-related applications (such as antivirus software).
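A Hosts-file check of the kind a responder would run for this behaviour, added here as an example (not part of the Microsoft entry and not the malware's code). The sample file content is constructed, reusing a few of the vendor hostnames named in the entry, and the helper names are mine.

```python
import ipaddress
import os

# Constructed sample of a Windows Hosts file with malware-style entries appended;
# the blocked hostnames are taken from the Microsoft entry, not from a capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.360safe.com
127.0.0.1 update.rising.com.cn   # trailing comment, must be ignored
127.0.0.1 dnl-eu1.kaspersky-labs.com dnl-us1.kaspersky-labs.com
192.168.1.10 fileserver.corp.example
"""
# Names that legitimately map to loopback and must not be flagged.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                        "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop full-line and trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]          # one IP may be followed by several names
        for name in names:
            yield ip, name.lower()

def find_loopback_redirects(text):
    """Return [(hostname, ip)] for entries that sinkhole a non-local name to a
    loopback or unspecified address (127.0.0.0/8, ::1, 0.0.0.0), which is the
    pattern Livuto uses to block security vendor sites."""
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                              # not an IP literal; ignore the line
        if (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOOPBACK_NAMES:
            hits.append((name, ip))
    return hits

if __name__ == "__main__":
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    text = open(hosts_path, errors="replace").read() if os.path.exists(hosts_path) else SAMPLE_HOSTS
    for name, ip in find_loopback_redirects(text):
        print(f"suspicious: {name} -> {ip}")
```

Run on a live system it reads the real Hosts file; on any other machine it falls back to the constructed sample.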

Changes Internet Explorer start page

VirTool:WinNT/Livuto.gen sets Internet Explorer's start page to "hxxp://www.<removed>f.net/?b" by making the following modification to the registry:

In subkey: "HKCU\Software\Microsoft\Internet Explorer\Main"
Sets value: "Start Page"
With data: "hxxp://www.<removed>f.net/?b"

The tool hooks the API "ZwSetValueKey" to prevent you from resetting or making any changes to the Internet Explorer start page.



Analysis by Vincent Tiu

Last update 18 December 2012
