Avira Virus Lab

TR/Rogue.5094104.1

  • Name
    TR/Rogue.5094104.1
  • Date discovered
    Oct 2, 2015
  • Type
    Malware
  • Impact
    Medium
  • Reported Infections
    Low
  • Operating System
    Windows
  • VDF version
    7.11.82.198 (2013-06-04 10:36)


The prefix 'TR' denotes a trojan horse: a program that can spy on data, violate your privacy, or make unwanted modifications to the system.

  • Aliases
    Avast: Win32:Nitol-A
    AVG: DDoS.AC
    ClamAV: WIN.Trojan.Agent-15214
    Dr. Web: Trojan.KillProc.19743
    F-PROT: W32/Agent.OZ.gen!Eldorado (generic, not disinfectable)
    McAfee: Generic Dropper.agc
    Trend Micro: WORM_NITOL.SMB0
    Microsoft: DDoS:Win32/Nitol.A
    G Data: Trojan.Generic.5094104
    Kaspersky Lab: Trojan.Win32.Scar.eupa
    Bitdefender: Trojan.Generic.5094104
    ESET: Win32/ServStart.AD trojan
  • Files
    The following copies of itself are created:
    • %SYSDIR%\lchlci.exe
    The following files are deleted:
    • %SYSDIR%\hra33.dll
    The following files are created:
    • %SYSDIR%\hra33.dll
    • %DISKDRIVE%\RCX80.tmp
    • %DISKDRIVE%\67edd601553864307ce739a3c57414fe\lpk.dll
    • %DISKDRIVE%\Documents and Settings\All Users\Application Data\Adobe\Reader\9.2\ARM\lpk.dll
    • %TEMPDIR%\Microsoft .NET Framework 4 Setup_4.0.30319\lpk.dll
    • %TEMPDIR%\lpk.dll
    • %TEMPDIR%\{62198C42-974B-4F90-9AD2-12763AB58C97}~setup\lpk.dll
    • %temporary internet files%\Content.IE5\5KMEPSXE\lpk.dll
    • %temporary internet files%\Content.IE5\LV2JIAKP\lpk.dll
    • %temporary internet files%\Content.IE5\QH9ZEEV0\lpk.dll
    • %DISKDRIVE%\hips\lpk.dll
    • %DISKDRIVE%\incoming\lpk.dll
    • %DISKDRIVE%\lpk.dll
    • %PROGRAM FILES%\Adobe\Reader 9.0\Reader\lpk.dll
    • %PROGRAM FILES%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A92000000001}\lpk.dll
    • %PROGRAM FILES%\Common Files\Adobe\ARM\1.0\lpk.dll
    • %PROGRAM FILES%\Common Files\Adobe\Updater6\lpk.dll
    • %PROGRAM FILES%\Common Files\Java\Java Update\lpk.dll
    • %PROGRAM FILES%\Common Files\Microsoft Shared\DW\lpk.dll
    • %PROGRAM FILES%\Common Files\Microsoft Shared\MSInfo\lpk.dll
    • %PROGRAM FILES%\Common Files\Microsoft Shared\Speech\lpk.dll
    • %PROGRAM FILES%\FileZilla Server\lpk.dll
    • %PROGRAM FILES%\Internet Explorer\Connection Wizard\lpk.dll
    • %PROGRAM FILES%\Internet Explorer\lpk.dll
    • %PROGRAM FILES%\Java\jre6\bin\lpk.dll
    • %PROGRAM FILES%\Messenger\lpk.dll
    • %PROGRAM FILES%\Movie Maker\lpk.dll
    • %PROGRAM FILES%\Mozilla Firefox\lpk.dll
    • %PROGRAM FILES%\Mozilla Firefox\uninstall\lpk.dll
    • %PROGRAM FILES%\MSN\MSNCoreFiles\Install\MSN9Components\lpk.dll
    • %PROGRAM FILES%\MSN\MSNCoreFiles\Install\lpk.dll
    • %PROGRAM FILES%\MSN Gaming Zone\Windows\lpk.dll
    • %PROGRAM FILES%\NetMeeting\lpk.dll
    • %PROGRAM FILES%\Outlook Express\lpk.dll
    • %PROGRAM FILES%\VMware\VMware Tools\lpk.dll
    • %PROGRAM FILES%\Windows Media Player\lpk.dll
    • %PROGRAM FILES%\Windows NT\Accessories\lpk.dll
    • %PROGRAM FILES%\Windows NT\lpk.dll
    • %PROGRAM FILES%\Windows NT\Pinball\lpk.dll
    • %PROGRAM FILES%\WinPcap\lpk.dll
    • %DISKDRIVE%\totalcmd\lpk.dll
    • %WINDIR%\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\lpk.dll
    The following files are renamed:
    • %DISKDRIVE%\RCX80.tmp
    The following files are changed:
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    • %DISKDRIVE%\Documents and Settings\LocalService\Cookies\index.dat
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
  • Registry
    The following registry entries are added:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalybm ("Type": dword:00000010; "Start": dword:00000002; "ErrorControl": dword:00000000; "ImagePath": "%SYSDIR%\lchlci.exe"; "DisplayName": "Nationalmsr Instruments Domain Service"; "ObjectName": "LocalSystem")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalybm\Security ("Security": %hex values%)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALYBM ("NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALYBM\0000 ("Service": "Nationalybm"; "Legacy": dword:00000001; "ConfigFlags": dword:00000000; "Class": "LegacyDriver"; "ClassGUID": "{8ECC055D-047F-11D1-A537-0000F8753ED1}"; "DeviceDesc": "Nationalmsr Instruments Domain Service")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NATIONALYBM\0000\Control ("*NewlyCreated*": dword:00000000; "ActiveService": "Nationalybm")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalybm\Enum ("0": "Root\LEGACY_NATIONALYBM\0000"; "Count": dword:00000001; "NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent (@: dword:00000011)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nationalybm ("Description": "Providescxe a domain server for NI security.")
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections ("SavedLegacySettings": %hex values%)
    • HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings ("ProxyEnable": dword:00000000)
    The following registry entries are changed:
    • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap ("UNCAsIntranet": dword:00000001)
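The file list above is dominated by copies of lpk.dll dropped into application directories. lpk.dll is a legitimate Windows library loaded during process start-up, and because Windows searches an application's own directory before the system directory, a copy planted next to an executable is loaded in place of the genuine %SYSDIR%\lpk.dll (DLL search-order hijacking). The report normalises locations with placeholders such as %SYSDIR% and %PROGRAM FILES%, so they cannot be grepped for directly. The following Python is an added example, not Avira's code or part of the report: it expands those placeholders into regular expressions so the listed paths can be matched against a real file listing, and adds one generic heuristic that flags any lpk.dll outside the system directories even when its folder is not in the report. The placeholder expansions, the "legitimate lpk.dll locations" (System32, SysWOW64, WinSxS) and the sample listing are assumptions made for the example.

```python
"""Match observed Windows file paths against Avira-style IOC paths (added example)."""
import re
from typing import Iterable

# Placeholder -> regex fragment. Assumption: standard XP/Vista+ directory layouts
# on any drive letter; extend the alternations if your images use other locations.
PLACEHOLDERS = {
    "%DISKDRIVE%": r"[A-Za-z]:",
    "%WINDIR%": r"[A-Za-z]:\\Windows",
    "%SYSDIR%": r"[A-Za-z]:\\Windows\\(?:System32|SysWOW64)",
    "%PROGRAM FILES%": r"[A-Za-z]:\\Program Files(?: \(x86\))?",
    "%TEMPDIR%": (r"[A-Za-z]:\\(?:Windows\\Temp"
                  r"|Documents and Settings\\[^\\]+\\Local Settings\\Temp"
                  r"|Users\\[^\\]+\\AppData\\Local\\Temp)"),
    "%TEMPORARY INTERNET FILES%": (
        r"[A-Za-z]:\\(?:Documents and Settings\\[^\\]+\\Local Settings"
        r"|Users\\[^\\]+\\AppData\\Local\\Microsoft\\Windows)"
        r"\\Temporary Internet Files"),
}
# Splits an IOC into literal text and placeholder tokens (placeholders are kept).
_SPLIT = re.compile("(" + "|".join(re.escape(k) for k in PLACEHOLDERS) + ")",
                    re.IGNORECASE)


def ioc_to_regex(ioc: str) -> "re.Pattern[str]":
    """Turn one placeholder-bearing IOC path into an anchored, case-insensitive regex."""
    parts = []
    for token in _SPLIT.split(ioc):
        if not token:
            continue
        # Placeholders become their fragment; everything else is matched literally.
        parts.append(PLACEHOLDERS.get(token.upper()) or re.escape(token))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# A subset of the report's "created" / "copies of itself" entries, copied verbatim.
REPORT_IOCS = [
    r"%SYSDIR%\lchlci.exe",
    r"%SYSDIR%\hra33.dll",
    r"%TEMPDIR%\lpk.dll",
    r"%PROGRAM FILES%\Mozilla Firefox\lpk.dll",
    r"%temporary internet files%\Content.IE5\5KMEPSXE\lpk.dll",
    r"%WINDIR%\assembly\GAC_MSIL\PresentationFontCache\3.0.0.0__31bf3856ad364e35\lpk.dll",
]

# Assumption: a genuine lpk.dll lives only in System32, SysWOW64 or a WinSxS
# component directory. Anything else is treated as planted for search-order hijacking.
_LEGIT_LPK_DIRS = re.compile(
    r"^[A-Za-z]:\\Windows\\(?:System32|SysWOW64|WinSxS\\[^\\]+)$", re.IGNORECASE)


def match_iocs(paths: Iterable[str], iocs=REPORT_IOCS):
    """Return (path, ioc) pairs for every observed path that matches a report entry."""
    compiled = [(ioc, ioc_to_regex(ioc)) for ioc in iocs]
    return [(p, ioc) for p in paths for ioc, rx in compiled if rx.match(p)]


def planted_lpk(paths: Iterable[str]):
    """Generic heuristic: any lpk.dll outside the system directories."""
    found = []
    for p in paths:
        directory, _, name = p.rpartition("\\")
        if name.lower() == "lpk.dll" and not _LEGIT_LPK_DIRS.match(directory):
            found.append(p)
    return found


# Constructed sample listing (not from a real infection) mixing genuine and planted files.
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\lchlci.exe",
    r"C:\WINDOWS\system32\hra33.dll",
    r"C:\WINDOWS\system32\lpk.dll",                                  # genuine
    r"C:\Windows\WinSxS\x86_microsoft-windows-lpk_placeholder\lpk.dll",  # genuine (constructed dir name)
    r"C:\Program Files\Mozilla Firefox\lpk.dll",
    r"C:\Program Files (x86)\Mozilla Firefox\lpk.dll",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\lpk.dll",
    r"C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5KMEPSXE\lpk.dll",
    r"C:\Users\bob\Desktop\kbdtest\lpk.dll",   # not in the report, still a hijack candidate
    r"C:\WINDOWS\system32\kernel32.dll",
]

if __name__ == "__main__":
    for path, ioc in match_iocs(SAMPLE_PATHS):
        print(f"IOC  {path}  <- {ioc}")
    for path in planted_lpk(SAMPLE_PATHS):
        print(f"LPK  {path}")
```

Feed `match_iocs` the output of a recursive directory listing (or a file-list export from a forensic image) rather than the constructed sample. The heuristic in `planted_lpk` is deliberately broader than the report: the drop locations listed above are only the ones observed in one sample, and the same technique works in any directory that holds an executable, so hunt for the file name, not the folder.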
