MSIL/Lardosy [Threat Name]

MSIL/Lardosy.A [Threat Variant Name]

Category: worm
Size: 339456 B
Detection created: Dec 15, 2015
Detection database version: 12726
Aliases: Trojan-Dropper.Win32.Sysn.bhxs (Kaspersky), Trojan:Win32/Dynamer!ac (Microsoft)
Short description

MSIL/Lardosy.A is a worm that spreads via removable media. The worm sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

Installation

When executed, the worm copies itself into the following location:

  • C:\Users\%username%\Dosyalarim.exe

In order to be executed on system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft.Net" = "C:\Users\%username%\Dosyalarim.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_BROWSER_EMULATION]
    • "%malwarefilename%" = %variable%
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_AJAX_CONNECTIONS]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_DOM_STORAGE]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_GPU_RENDERING]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI]
    • "%malwarefilename%" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_DISABLE_LEGACY_COMPRESSION]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_LOCALMACHINE_LOCKDOWN]
    • "%malwarefilename%" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_BLOCK_LMZ_OBJECT]
    • "%malwarefilename%" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_BLOCK_LMZ_SCRIPT]
    • "%malwarefilename%" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_DISABLE_NAVIGATION_SCRIPT]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_SCRIPTURL_MITIGATION]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_SPELLCHECKING]
    • "%malwarefilename%" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_STATUS_BAR_THROTTLING]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_TABBED_BROWSING]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_VALIDATE_NAVIGATE_URL]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_WEBOC_DOCUMENT_ZOOM]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_WEBOC_POPUPMANAGEMENT]
    • "%malwarefilename%" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_WEBOC_MOVESIZECHILD]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_ADDON_MANAGEMENT]
    • "%malwarefilename%" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_WEBSOCKET]
    • "%malwarefilename%" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_WINDOW_RESTRICTIONS]
    • "%malwarefilename%" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FEATURE_XMLHTTP]
    • "%malwarefilename%" = 1

A variable numerical value is used instead of %variable%. The FEATURE_* values are per-process Internet Explorer feature-control settings keyed by the worm's own file name, so they take effect only for the web-browser control hosted inside the worm's process.
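As an added defender-side check (not part of the ESET description and not ESET's tooling), the following PowerShell looks for the artifacts listed above in the current user's hive and profile: the dropped copy, the "Microsoft.Net" Run value, and any FEATURE_* key carrying a per-process value named after an executable. The function name is mine, and it also inspects the documented ...\Main\FeatureControl parent (an assumption, since the description lists the keys directly under ...\Main).

```powershell
function Find-LardosyArtifacts {
    $dropperName  = 'Dosyalarim.exe'  # file name from the description
    $runKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValueName = 'Microsoft.Net'   # Run value name from the description
    # The description lists FEATURE_* keys directly under ...\Main; the documented
    # location is ...\Main\FeatureControl (an assumption added here), so both are checked.
    $featureParents = @('HKCU:\Software\Microsoft\Internet Explorer\Main',
                        'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl')
    $findings = @()

    # 1. Dropped copy in the profile root (C:\Users\<user>\Dosyalarim.exe).
    $dropPath = Join-Path $env:USERPROFILE $dropperName
    $findings += [pscustomobject]@{ Indicator = 'Dropped file'; Value = $dropPath
                                    Match = (Test-Path -LiteralPath $dropPath) }

    # 2. Persistence: Run value "Microsoft.Net" whose data ends in the dropper name.
    if (Test-Path $runKey) {
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($run -and ($run.PSObject.Properties.Name -contains $runValueName)) {
            $target = [string]$run.$runValueName
            $findings += [pscustomobject]@{ Indicator = "Run value '$runValueName'"; Value = $target
                                            Match = ($target -like "*\$dropperName") }
        }
    }

    # 3. IE feature-control keys holding a per-process value named after the dropper.
    foreach ($parent in $featureParents) {
        if (-not (Test-Path $parent)) { continue }
        $keys = Get-ChildItem -Path $parent -ErrorAction SilentlyContinue |
                Where-Object { $_.PSChildName -like 'FEATURE_*' }
        foreach ($key in $keys) {
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like '*.exe') {   # value names here are process image names
                    $findings += [pscustomobject]@{ Indicator = $key.PSChildName; Value = "$($p.Name) = $($p.Value)"
                                                    Match = ($p.Name -ieq $dropperName) }
                }
            }
        }
    }
    return $findings
}

# Rows with Match = True correspond to the indicators on this page; any other *.exe
# value under a FEATURE_* key is a per-process override worth reviewing as well.
Find-LardosyArtifacts | Format-Table -AutoSize
```

Run it in the context of the user whose profile is being examined, since every path checked lives under HKCU and %USERPROFILE%.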

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • Dosyalarim.exe

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (3) URLs. The HTTP protocol is used in the communication.

The worm sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

The worm requires the Microsoft .NET Framework to run.