Win32/Lazar [Threat Name]

Win32/Lazar.A [Threat Variant Name]

Category trojan
Size 21504 B
Detection created Aug 01, 2005
Detection database version 1185
Aliases Trojan.Win32.Lazar.a (Kaspersky)
  Trojan:Win32/Lazar.A (Microsoft)
  Trojan.Lazar (Symantec)
Short description

Win32/Lazar.A is a trojan which tries to download other malware from the Internet. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself to the following locations:

  • %system%\Indexindicator.exe
  • %system%\SuiteOffices.exe
  • %system%\Recalculate.exe
  • %programfiles%\ServicePackFiles\MEMreaload.exe
  • %programfiles%\ServicePackFiles\reload.exe

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide the file in Windows Explorer.

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Indexindicator" = "%system%\Indexindicator.exe /check"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Suite" = "%system%\SuiteOffices.exe /cleandb"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Diesel" = "%system%\Recalculate.exe /reloadenterpice"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "MEMreaload" = "%programfiles%\ServicePackFiles\MEMreaload.exe /checkmouse /updateratio"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Reload" = "%programfiles%\ServicePackFiles\reload.exe /reloadenterpice"

Other information

The trojan contains a list of (8) URLs. It tries to download several files from these addresses.

The downloaded files are then executed. The HTTP protocol is used.
