Sophos

Troj/Lazar-A

Aliases
  • Trojan.Win32.Lazar.a
  • BackDoor-CEP
  • Trojan.Lazar

Summary

Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Protection available since: 3 November 2005 10:53:29 (GMT)
Detected by: All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

Troj/Lazar-A is a backdoor Trojan for the Windows platform.

When first run Troj/Lazar-A copies itself to:

<Program Files>\APC_Power\Pwrchute.exe
<Common Files>\clockwise.exe
<Program Files>\US Robotics\3capplnk.exe
<System>\dit.exe
<System>\usb2chk.exe

These files have their file attributes set to hidden.

The following registry entries are created to run Pwrchute.exe, clockwise.exe, dit.exe and usb2chk.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
miniport
<System>\usb2chk.exe /start

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
wise
<Common Files>\clockwise.exe -boot

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Dit
<System>\dit.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
PowerChute
<Program Files>\APC_Power\Pwrchute.exe -boot_time

Troj/Lazar-A also creates the section [(Torrent1-rack-r110-1000-101101111111)] in <Windows>\win.ini and writes the following entries under it:

lastday=20051031
dayview=1
daynumber=303
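Because the page gives the persistence artefacts as literal paths, Run value names, command lines and a win.ini section name, they can be checked offline against files collected from a suspect host. The script below is an added example written for this page, not Sophos code and not part of the Sophos detection: it parses a .reg export of the HKLM Run key and the text of win.ini, and reports a Run value only when both its name and its command line match, so an unrelated program that happens to use the same value name is not flagged. The placeholder expansions (<System> as C:\WINDOWS\system32 and so on), the sample .reg text and the sample win.ini are constructed assumptions, not captures from an infected machine.

```python
"""Offline check for the Troj/Lazar-A persistence artefacts listed above.

Added example, not Sophos code. It works on a .reg export of the Run key and
on the text of win.ini, so it runs against files collected from a host.
"""
import configparser
import re

# Transcribed from the page: Run value name -> command line, placeholders kept.
LAZAR_RUN_VALUES = {
    "miniport": r"<System>\usb2chk.exe /start",
    "wise": r"<Common Files>\clockwise.exe -boot",
    "Dit": r"<System>\dit.exe",
    "PowerChute": r"<Program Files>\APC_Power\Pwrchute.exe -boot_time",
}
LAZAR_INI_SECTION = "(Torrent1-rack-r110-1000-101101111111)"
LAZAR_INI_KEYS = ("lastday", "dayview", "daynumber")

# Assumed expansions for a 32-bit Windows XP-era install (assumption, not
# from the page); adjust them for the host being examined.
PLACEHOLDERS = {
    "<System>": r"C:\WINDOWS\system32",
    "<Common Files>": r"C:\Program Files\Common Files",
    "<Program Files>": r"C:\Program Files",
}

RUN_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\run]"
REG_STRING_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def expand(template):
    """Replace the page's placeholders with the assumed concrete directories."""
    for placeholder, path in PLACEHOLDERS.items():
        template = template.replace(placeholder, path)
    return template


def parse_reg_run_key(reg_text):
    """Return {value name: data} for string values under the HKLM Run key."""
    values = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line.lower() == RUN_KEY
            continue
        if not in_run_key or not line:
            continue
        m = REG_STRING_VALUE.match(line)
        if m:
            # .reg exports escape each backslash as \\ inside quoted strings.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values


def find_lazar_run_entries(reg_text):
    """Names of Run values whose name AND command line match the indicators.

    Matching on both avoids flagging an unrelated program that uses the same
    value name (e.g. a genuine PowerChute entry pointing somewhere else).
    """
    found = []
    for name, data in parse_reg_run_key(reg_text).items():
        expected = LAZAR_RUN_VALUES.get(name)
        if expected is not None and data.strip().lower() == expand(expected).lower():
            found.append(name)
    return sorted(found)


def find_lazar_ini_section(ini_text):
    """Return the marker keys from the Lazar-A win.ini section, or None if absent."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(ini_text)
    if not cp.has_section(LAZAR_INI_SECTION):
        return None
    section = cp[LAZAR_INI_SECTION]
    return {k: section[k] for k in LAZAR_INI_KEYS if k in section}


# Constructed sample inputs, not captures from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"miniport"="C:\\WINDOWS\\system32\\usb2chk.exe /start"
"wise"="C:\\Program Files\\Common Files\\clockwise.exe -boot"
"Dit"="C:\\WINDOWS\\system32\\dit.exe"
"PowerChute"="C:\\Program Files\\APC_Power\\Pwrchute.exe -boot_time"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"""

SAMPLE_WIN_INI = """[windows]
NullPort=None

[(Torrent1-rack-r110-1000-101101111111)]
lastday=20051031
dayview=1
daynumber=303
"""

if __name__ == "__main__":
    print("Matching Run entries:", find_lazar_run_entries(SAMPLE_REG))
    print("win.ini marker section:", find_lazar_ini_section(SAMPLE_WIN_INI))
```

On the host itself, export the key with `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` and copy <Windows>\win.ini before running the script. The dropped copies carry the hidden attribute, so a plain directory listing will skip them; check the five paths listed above with `attrib` or a listing that shows hidden entries.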

Troj/Lazar-A includes functionality to:

- silently set up an FTP connection to a remote server
- download code
