Win32/Lyposit [Threat Name]

Win32/Lyposit.A [Threat Variant Name]

Category trojan
Size 55808 B
Detection created Dec 28, 2012
Detection database version 7841
Aliases Trojan:Win32/Lyposit.B (Microsoft)
Short description

Win32/Lyposit.A is a trojan that blocks access to the Windows operating system. The file is run-time compressed using UPX.

Installation

When executed, the trojan copies itself to the following locations:

  • %commonappdata%\_bd_uylzs.exe
  • %localappdata%\_bd_uylzs.exe

The trojan may create copies of itself using the following filenames:

  • %appdata%\_bd_uylzs.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "%originalvalue% %commonappdata%\_bd_uylzs.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "uhhcskwy" = "%commonappdata%\_bd_uylzs.exe"

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
    • "AutoRun" = "%localappdata%\_bd_uylzs.exe"

Other information

Win32/Lyposit.A is a trojan that blocks access to the Windows operating system.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

To regain access to the operating system, the user is requested to comply with given conditions in exchange for a password/instructions.

The trojan then removes itself from the computer.

The trojan tries to download and execute several files from the Internet.

The trojan may set the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\Software\Microsoft\Pool]
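The following read-only PowerShell audit is an added example, not part of this ESET entry; it checks a host for the file copies and Registry persistence artifacts listed above (Winlogon Shell, HKCU Run, Command Processor AutoRun, DisableTaskMgr and the Pool key). It assumes %commonappdata% maps to $env:ProgramData and that it runs in the context of the user whose HKCU hive should be inspected.

```powershell
# Added audit script (not ESET's code): looks for the Win32/Lyposit.A
# persistence artifacts described in the entry. Read-only; run as the
# affected user, elevated so HKLM Winlogon is readable.
$findings = @()

# 1. Winlogon Shell normally holds exactly "explorer.exe"; the trojan appends
#    its own path to the original value.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell modified: '$shell'"
}

# 2. HKCU Run values: flag any value that launches the dropped filename
#    (the value name "uhhcskwy" may differ between samples, so match the target).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        if ("$($p.Value)" -match '_bd_uylzs\.exe') {
            $findings += "Run entry '$($p.Name)' = '$($p.Value)'"
        }
    }
}

# 3. Command Processor AutoRun runs on every cmd.exe start and is normally absent.
$cmdProc = 'HKCU:\Software\Microsoft\Command Processor'
$autorun = (Get-ItemProperty -Path $cmdProc -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
if ($autorun) { $findings += "Command Processor AutoRun set: '$autorun'" }

# 4. Task Manager disabled through user policy.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm -eq 1) { $findings += 'DisableTaskMgr = 1' }

# 5. Key the trojan uses to store its data.
if (Test-Path 'HKCU:\Software\Microsoft\Pool') { $findings += 'HKCU\Software\Microsoft\Pool exists' }

# 6. Dropped copies in the three data directories named in the entry
#    (assumption: %commonappdata% is $env:ProgramData on this host).
foreach ($dir in @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA)) {
    $f = Join-Path $dir '_bd_uylzs.exe'
    if (Test-Path $f) { $findings += "File present: $f" }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No Win32/Lyposit.A persistence artifacts found.' }
```

A hit on the Winlogon Shell or AutoRun checks warrants restoring the original values and removing the dropped file before the next logon or cmd.exe start, since either location relaunches the sample.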
