Python/Liberpy [Threat Name]
Python/Liberpy.A [Threat Variant Name]
Category | worm |
Size | 6726471 B |
Aliases | Trojan.Seadask (Symantec) |
Short description
Python/Liberpy.A is a worm that spreads via removable media.
Installation
When executed, the worm copies itself into the following location:
- %systemdrive%\MSDcache\Liberty2-0.exe
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Liberty1-0.exe" = "%systemdrive%\MSDcache\Liberty2-0.exe"
Spreading on removable media
The worm copies itself to the following location:
- %removabledrive%\MSDcache\Liberty2-0.exe
The following file is created in the same folder:
- Liberty1-0.bat (74 B, Python/Liberpy.A worm)
The worm searches for files and folders in the root folders of removable drives.
When the worm finds a file matching the search criteria, it creates a new file.
The file name of the newly created file is derived from the original file/folder name.
The extension of the file is ".lnk".
The file is a shortcut to a malicious file.
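A triage check for a mounted removable drive, added here as an example (it is not vendor or original-page code): it looks for the dropped files named above and for root-level .lnk files named after a sibling file or folder. The description does not say exactly how the shortcut name is derived, so the name-matching rule is an assumption, and the function names and sample tree are constructed for illustration.

```python
import os
import sys
import tempfile

DROP_DIR = "MSDcache"                           # folder name from the description
DROPPED = ("Liberty2-0.exe", "Liberty1-0.bat")  # file names from the description


def scan_drive_root(root):
    """Return sorted (kind, path) findings for one mounted drive root."""
    findings = []
    for name in DROPPED:
        path = os.path.join(root, DROP_DIR, name)
        if os.path.isfile(path):
            findings.append(("dropped-file", path))
    entries = os.listdir(root)
    # Full names and extension-less stems of everything that is not a shortcut.
    originals = set()
    for entry in entries:
        if not entry.lower().endswith(".lnk"):
            originals.add(entry.lower())
            originals.add(os.path.splitext(entry)[0].lower())
    # Assumed heuristic: a root-level .lnk named after a sibling file/folder.
    for entry in entries:
        if entry.lower().endswith(".lnk") and entry[:-4].lower() in originals:
            findings.append(("lnk-named-after-item", os.path.join(root, entry)))
    return sorted(findings)


def build_constructed_sample(root):
    """Create an empty, harmless directory tree that mimics the layout."""
    os.makedirs(os.path.join(root, DROP_DIR))
    os.makedirs(os.path.join(root, "Photos"))
    for rel in (os.path.join(DROP_DIR, "Liberty2-0.exe"), "report.docx",
                "Photos.lnk", "report.lnk", "unrelated.lnk"):
        open(os.path.join(root, rel), "wb").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan_drive_root(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_constructed_sample(tmp)
            results = scan_drive_root(tmp)
    for kind, path in results:
        print(f"{kind}\t{path}")
```

A shortcut match alone is only a lead, since legitimate shortcuts can share a name with a neighbouring item; the dropped-file findings are the stronger signal.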
Information stealing
The worm is able to log keystrokes.
The worm collects the following information:
- data from the clipboard
The collected information is stored in the following file:
- %systemdrive%\MSDcache\system\system.dll
The worm attempts to send gathered information to a remote machine.
Other information
The worm acquires data and commands from a remote computer or the Internet.
The worm contains a URL address. The HTTP protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- update itself to a newer version
- send gathered information