Win32/Lyzapo [Threat Name]

Win32/Lyzapo.A [Threat Variant Name]

Category: trojan
Size: 374651 B
Detection created: Jul 15, 2009
Detection database version: 4246
Aliases: Trojan-Dropper.Win32.Agent.avml (Kaspersky)
  W32.Dozer (Symantec)
  Trojan.Dozer (Dr.Web)
Short description

Win32/Lyzapo.A is a trojan that installs the Win32/Mydoom.CN malware. The trojan is distributed by spam e-mail.

Installation

When executed, the trojan creates the following files:

  • %system%\wmiconf.dll (67072 B)
  • %system%\wpcap.dll (240248 B)
  • %system%\packet.dll (88696 B)
  • %system%\WanPacket.dll (68224 B)
  • %system%\drivers\npf.sys (34064 B)
  • %system%\npptools.dll (54784 B)
  • %system%\wmcfg.exe (88064 B, Win32/Mydoom.CN)
  • %system%\%random%.nls

%random% stands for a random number.

The trojan registers itself as a system service using the following name:

  • WmiConfig

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
    • "wmiconf" = "WmiConfig"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters]
    • "ServiceDll" = "%system%\wmiconf.dll"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig]
    • "Type" = 288
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%system%\svchost.exe -k wmiconf"
    • "DisplayName" = "WMI Performance Configuration"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Configures and manages performance library information from WMI HiPerf providers."

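
The persistence mechanism above (a new svchost group in the SvcHost key pointing at a service whose ServiceDll is the dropped DLL) can be hunted for offline in a registry export. The following Python is an added example, not part of this ESET entry: it parses a Windows .reg export and correlates every SvcHost group with its member services' ServiceDll and ImagePath. The sample export and the STOCK_GROUPS baseline are constructed assumptions.

```python
import re
# Constructed .reg excerpt modelled on the keys this entry lists (not a real capture; REG_EXPAND_SZ shown as plain strings).
SAMPLE_REG = r"""[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"wmiconf"=hex(7):57,00,6d,00,69,00,43,00,6f,00,6e,00,66,00,69,00,\
  67,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig]
"Type"=dword:00000120
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k wmiconf"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmiConfig\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\wmiconf.dll"
"""

SVCHOST = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
STOCK_GROUPS = {"netsvcs", "LocalService", "NetworkService", "rpcss", "DcomLaunch"}  # partial baseline (assumption)

def parse_reg(text):
    """Return {key: {name: value}}; handles "str", dword: and hex(7) (REG_MULTI_SZ, UTF-16LE)."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip(); i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]; keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        while raw.endswith("\\"):          # regedit wraps long hex values with a trailing backslash
            raw = raw[:-1] + lines[i].strip(); i += 1
        if raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = raw[1:-1].replace("\\\\", "\\")
        elif raw.startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        elif raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
            keys[current][name] = [s for s in data.decode("utf-16-le").split("\x00") if s]
    return keys

def audit_svchost_groups(keys):
    """Map each SvcHost group to its member services and the DLL svchost.exe would load for them."""
    findings = []
    for group, members in keys.get(SVCHOST, {}).items():
        for svc in ([members] if isinstance(members, str) else members):
            params = keys.get(f"{SERVICES}\\{svc}\\Parameters", {})
            image = keys.get(f"{SERVICES}\\{svc}", {}).get("ImagePath")
            findings.append({"group": group, "service": svc, "service_dll": params.get("ServiceDll"),
                             "image_path": image, "stock_group": group in STOCK_GROUPS})
    return findings
```

Any group outside the baseline whose ServiceDll is not a known system DLL, such as the "wmiconf" group loading wmiconf.dll here, is the entry to triage.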
Other information

The trojan creates the following files:

  • %windir%\temp\_S%variable%.tmp

A string with variable content is used instead of %variable%.

The following services are disabled:

  • netlmgr
  • NtmpSvc
  • SSDPUPD
  • sysvmd

The trojan may perform DDoS (Distributed Denial of Service) attacks.
