Need help? Ask the community or hire an expert.
Go to Avira Answers
Date discovered:20/07/2010
In the wild:Yes
Reported Infections:Low to medium
Distribution Potential:Low to medium
Damage Potential:Low to medium
Static file:Yes
File size:45.056 Bytes
MD5 checksum:1603c133acc9893577a6bed38228feff
IVDF version:

 General Method of propagation:
   • Autorun feature

   •  Sophos: Mal/VB-M
   •  Bitdefender: Trojan.Generic.4496070
   •  Panda: W32/Autorun.KAD

Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Downloads a malicious file
   • Drops malicious files
   • Registry modification

 Files It copies itself to the following location:
   • %drive%\lsasss.exe

The following file is created:

%drive%\autorun.inf This is a non malicious text file with the following content:
   • %code that runs malware%

It tries to download a file:

– The locations are the following:
   • http://59c268b3.lin**********.com
   • http://2085c5cc.lin**********.com
   • http://ba40ed9e.lin**********.com
   • http://5b51ba7f.lin**********.com
   • http://abd6ec9d.lin**********.com
   • http://e6230199.lin**********.com
   • http://d16fd297.lin**********.com
   • http://3cbc32f4.lin**********.com
   • http://08b18380.lin**********.com
   • http://532dfab3.lin**********.com

 Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "lsasss"="c:\lsasss.exe"

The following registry key is changed:

– [HKCU\Software\Microsoft\Internet Explorer\Toolbar]
   New value:
   • "Locked"=dword:0x00000001

 File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

Description inserted by Petre Galan on Thursday, November 11, 2010
Description updated by Petre Galan on Thursday, November 11, 2010

Back . . . .