Win32/Laziok [Threat Name]
Win32/Laziok.A [Threat Variant Name]
Category | trojan
Size | 116224 B
Aliases | Trojan.Win32.Fsysna.bhij (Kaspersky), Trojan:Win32/Dynamer!ac (Microsoft)
Short description
The trojan serves as a backdoor. It can be controlled remotely. The file is run-time compressed using Agile.NET and UPX.
Installation
When executed, the trojan copies itself to some of the following locations:
- %windir%\explorer\smss.exe
- %appdata%\System\Oracle\smss.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
- "Windows" = "%windir%\explorer\smss.exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Windows" = "%appdata%\System\Oracle\smss.exe"
The trojan creates the following file:
- %appdata%\System\Oracle\azioklmpx\hzid\hzid.txt
The trojan quits immediately if it detects a window containing one of the following strings in its title:
- wireshark
- Fiddler
The trojan quits immediately if any of the following folders/files is detected:
- C:\Program Files\VMware\VMware Tools\
- C:\Program Files (x86)\VMware\VMware Tools\
- C:\Windows\system32\VBoxTray.exe\
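The following PowerShell script is an added host-check example, not part of the ESET record and not code from the malware or from ESET. It looks for the persistence entries and dropped files listed under Installation above: a Run value named "Windows" under HKLM or HKCU, and the smss.exe copies and hzid.txt path in the locations given. The path normalisation through $env:windir and $env:APPDATA and the "High/Medium" strength labels are assumptions made for this example; the script only reads and reports, it removes nothing.

```powershell
# Added host-check example (not from the ESET description or the malware).
# Reports, read-only, whether the Win32/Laziok.A persistence entries and
# dropped files listed in this description are present on the local host.
# Run from an elevated PowerShell session so HKLM and %windir% are readable.

$findings = @()

# Registry Run values named "Windows" described under Installation.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# Expected value data, with %windir% / %appdata% expanded for this host (assumption:
# the environment variables resolve the same way they did for the dropper).
$expectedData = @(
    (Join-Path $env:windir 'explorer\smss.exe'),
    (Join-Path $env:APPDATA 'System\Oracle\smss.exe')
)

foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.PSObject.Properties['Windows']) {
        $data = [string]$props.Windows
        # Any Run value literally named "Windows" deserves a look; a match on the
        # documented smss.exe paths is treated as a strong indicator (label is ours).
        $strong = $expectedData | Where-Object { $data -like "*$_*" }
        $findings += [pscustomobject]@{
            Type     = 'RegistryRun'
            Location = "$key\Windows"
            Detail   = $data
            Strength = if ($strong) { 'High' } else { 'Medium' }
        }
    }
}

# Dropped file locations described under Installation. Note that a legitimate
# smss.exe lives in %windir%\System32, never in %windir%\explorer or %appdata%.
$filePaths = @(
    (Join-Path $env:windir 'explorer\smss.exe'),
    (Join-Path $env:APPDATA 'System\Oracle\smss.exe'),
    (Join-Path $env:APPDATA 'System\Oracle\azioklmpx\hzid\hzid.txt')
)
foreach ($p in $filePaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $p
            # Size is reported so it can be compared with the 116224 B in the record.
            Detail   = "Size=$($item.Length) B; Modified=$($item.LastWriteTime)"
            Strength = 'High'
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Laziok.A indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on either Run value should be followed up with the file's hash and a look at the parent process that wrote the key, since the value name and paths here are the only identifiers the description provides; the clipboard and C2 behaviour listed further down leaves no artefact this script can check.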
Information stealing
The trojan collects the following information:
- operating system version
- malware version
- installed antivirus software
- amount of operating memory
- CPU information
- video controller type
- computer name
- computer IP address
- country
The trojan attempts to send gathered information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 2 URLs. The HTTP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- terminate running processes
- send gathered information
- update itself to a newer version
The trojan may alter the contents of the clipboard.