VirTool:WinNT/Livuto.gen
First posted on 18 December 2012.
Source: Microsoft
Aliases:
VirTool:WinNT/Livuto.gen is also known as RKIT/StartPage.B.2 (Avira), TROJ_ROOTKIT.CQ (Trend Micro), Trojan.StartPage.1675 (Dr.Web), Trojan.Win32.Startpage (Ikarus), Trojan.Win32.StartPage.amd (Kaspersky), W32/Farfli.G (Norman), W32/Trojan.YIB (Command), Win32/Rootkit.Agent.NAU (ESET), Win-Trojan/StartPage.8352 (AhnLab).
Explanation:
Installation
VirTool:WinNT/Livuto.gen may be dropped and installed by TrojanDropper:Win32/Livuto.
Payload
Modifies Hosts file
VirTool:WinNT/Livuto.gen prevents access to a number of security-related websites, such as those belonging to antivirus companies and their update servers.
The malware does this by modifying the Windows Hosts file so that these host names resolve to the IP address 127.0.0.1, the loopback ("localhost") address. As a result, if you try to access any of these sites, the request is sent back to your own computer and you see an error page in your web browser.
The Windows Hosts file lets you specify that particular host names should resolve to particular IP addresses, bypassing DNS. Malware often modifies the Hosts file to stop you from reaching websites associated with security-related applications (such as antivirus software and their update servers).
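As an added example (not part of the original Microsoft description), the following Python script parses a Windows Hosts file and reports every host name pinned to a loopback address other than the legitimate local names, which is the indicator a defender would check for after a Hosts file change of the kind described above. The Hosts content it scans is a constructed sample, not a capture from this malware.

```python
"""Scan a Windows Hosts file for malware-style loopback redirects."""
import ipaddress
from typing import Dict, List

# Names that legitimately resolve to loopback in a stock Hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Return {address: [hostname, ...]} for every active Hosts entry.

    Comments (# ...) and blank lines are skipped; a single line may map
    several host names to one address, as the Hosts format allows.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: address without any host name
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an IP literal; Windows ignores such lines too
        mapping.setdefault(addr, []).extend(h.lower() for h in fields[1:])
    return mapping


def suspicious_redirects(text: str) -> List[str]:
    """Host names mapped to a loopback address that are not local names."""
    hits = set()
    for addr, names in parse_hosts(text).items():
        if not ipaddress.ip_address(addr).is_loopback:
            continue  # e.g. 0.0.0.0 sinkholes used by ad blockers are not flagged
        hits.update(n for n in names if n not in LEGIT_LOOPBACK_NAMES)
    return sorted(hits)


# Constructed sample Hosts file modelled on the behaviour described above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.360safe.com 360safe.com   # entries added by malware
127.0.0.1  update.rising.com.cn
0.0.0.0    ads.example.invalid
"""

if __name__ == "__main__":
    for host in suspicious_redirects(SAMPLE_HOSTS):
        print("loopback redirect:", host)
```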
Changes Internet Explorer start page
VirTool:WinNT/Livuto.gen sets Internet Explorer's start page to "hxxp://www.<removed>f.net/?b" by making the following modification to the registry:
In subkey: "HKCU\Software\Microsoft\Internet Explorer\Main"
Sets value: "Start Page"
With data: "hxxp://www.<removed>f.net/?b"
The tool hooks the API "ZwSetValueKey" to prevent you from resetting or making any changes to the Internet Explorer start page.
Analysis by Vincent Tiu
Last update 18 December 2012