Troj/Lydra-AB is a Trojan for the Windows platform.
The Trojan has the functionalities to:
- steal information
- communicate with a remote server via email
Troj/Lydra-AB is a Trojan for the Windows platform.
The Trojan has the functionalities to:
- steal information
- communicate with a remote server via email
When Troj/Lydra-AB is installed the following files are created:
<Startup>\AdobeGammaLoader.scr
<Windows>\calc.exe
<Windows>\lsassv.exe
<Windows>\msrpc.exe
<Windows>\mui\rctfd.sys
<Windows>\regedit2.exe
<Windows>\winsys.exe
The Trojan renames the file <Windows>\regedit.exe to <Windows>\regedit2.exe and copies itself to <Windows>\regedit.exe.
The following registry entries are created to run lsassv.exe, msrpc.exe and winsys.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
winsys
<Windows>\winsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
msrpc
<Windows>\msrpc.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
lsassv
<Windows>\lsassv.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
winsys
<Windows>\winsys.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
winsys
<Windows>\winsys.exe
The file winsys.exe is registered as a new system driver service named "winsys", with a display name of "TCPIP route manager" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\winsys
The following registry entry is set, affecting internet security:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
StandardProfile\AuthorizedApplications\List
<pathname of the Trojan executable>
<Current Folder>\<original filename>:*:Enabled:System Update
The following registry entry is also set:
HKCR\{65D5AFFB-D4EF-49AA-GFFG-5DA5E12E300A}\