TSPY_LLAC.SM
Kaspersky: Trojan.Win32.Llac.has
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 303,616 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 04 Mar 2011
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This spyware drops the following component file(s):
- %User Temp%\{OS version}7
- %User Temp%\{OS version}8
- %User Profile%\Application Data\winxplog.dat
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It drops the following copies of itself into the affected system:
- %System Root%\directory\CyberGate\install\server.exe
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It creates the following folders:
- %System Root%\directory
- %System Root%\directory\CyberGate
- %System Root%\directory\CyberGate\install
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)
It terminates the execution of the copy it initially executed and executes the copy it drops instead.
Autostart Technique
This spyware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
Policies = "%System Root%\directory\CyberGate\install\server.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Policies = "%System Root%\directory\CyberGate\install\server.exe"
(Note: %System Root% is the root folder, which is usually C:\. Entries under Policies\Explorer\Run are processed by Explorer at logon in the same way as the ordinary Run key, but are not shown by older autostart tools that only read Run and RunOnce.)
Other System Modifications
This spyware adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{R4EI0PTD-T664-2FH3-83N0-64B8876VL1R2}
StubPath = "%System Root%\directory\CyberGate\install\server.exe Restart"
HKEY_CURRENT_USER\Software\remote
FirstExecution = "{date and time of malware execution}"
NewGroup = ""
NewIdentification = "remote"
(Note: An Active Setup StubPath command is run by Windows at each user's logon until a key with the same GUID exists under HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components, so this entry is a second autostart path in addition to the Run entries above. The HKEY_CURRENT_USER\Software\remote values hold the spyware's own configuration.)
It adds the following registry keys as part of its installation routine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{R4EI0PTD-T664-2FH3-83N0-64B8876VL1R2}
HKEY_CURRENT_USER\Software\remote
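The following PowerShell script is an added example, not part of this entry and not Trend Micro's own tooling. It sweeps a single host for the artifacts listed in the Installation, Autostart Technique and Other System Modifications sections above: the dropped files and folders, the two Policies\Explorer\Run values, the Active Setup StubPath, the HKEY_CURRENT_USER\Software\remote configuration values, and any running process started from the dropped copy. The placeholder %System Root% is resolved to the system drive root, %User Temp% to $env:TEMP and %User Profile%\Application Data to $env:APPDATA; the expansion of "{OS version}" to the dotted OS version string is an assumption and may need adjusting for a given sample. Run it in an elevated PowerShell session so HKEY_LOCAL_MACHINE and process paths are readable.

```powershell
# Added example: host sweep for TSPY_LLAC.SM artifacts (not Trend Micro code).
# Findings are collected as objects so the output can be piped to Export-Csv.

$findings = @()

# Placeholders used in the entry, mapped to live environment values.
$sysRoot  = $env:SystemDrive + '\'   # %System Root%, usually C:\
$userTemp = $env:TEMP                # %User Temp%
$appData  = $env:APPDATA             # %User Profile%\Application Data on XP, AppData\Roaming on Vista and later
# Assumption: "{OS version}" is the dotted version string, e.g. 5.1.2600 on XP.
$osVer    = [Environment]::OSVersion.Version.ToString()

# 1. Dropped files and created folders.
$paths = @(
    (Join-Path $sysRoot 'directory\CyberGate\install\server.exe'),
    (Join-Path $sysRoot 'directory\CyberGate\install'),
    (Join-Path $sysRoot 'directory\CyberGate'),
    (Join-Path $sysRoot 'directory'),
    (Join-Path $userTemp "${osVer}7"),
    (Join-Path $userTemp "${osVer}8"),
    (Join-Path $appData 'winxplog.dat')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'Path'; Location = $p; Value = '' }
    }
}

# 2. Autostart values. The StubPath value carries a trailing "Restart" argument,
#    so match on the executable path as a substring rather than on the whole value.
$expectedExe = 'directory\CyberGate\install\server.exe'
$regValues = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'; Name = 'Policies' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'Policies' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{R4EI0PTD-T664-2FH3-83N0-64B8876VL1R2}'; Name = 'StubPath' }
)
foreach ($r in $regValues) {
    $item = Get-ItemProperty -LiteralPath $r.Key -Name $r.Name -ErrorAction SilentlyContinue
    if ($item -and ($item.($r.Name) -like "*$expectedExe*")) {
        $findings += [pscustomobject]@{ Type = 'RegValue'; Location = "$($r.Key)\$($r.Name)"; Value = $item.($r.Name) }
    }
}

# 3. The spyware's own configuration key and the three values the entry lists.
$remoteKey = 'HKCU:\Software\remote'
if (Test-Path -LiteralPath $remoteKey) {
    $findings += [pscustomobject]@{ Type = 'RegKey'; Location = $remoteKey; Value = '' }
    $props = Get-ItemProperty -LiteralPath $remoteKey
    foreach ($name in 'FirstExecution', 'NewGroup', 'NewIdentification') {
        if ($props.PSObject.Properties.Name -contains $name) {
            $findings += [pscustomobject]@{ Type = 'RegValue'; Location = "$remoteKey\$name"; Value = $props.$name }
        }
    }
}

# 4. Running copy: the entry says the dropped copy is executed in place of the original.
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($proc.Path -and ($proc.Path -like "*$expectedExe")) {
        $findings += [pscustomobject]@{ Type = 'Process'; Location = "PID $($proc.Id)"; Value = $proc.Path }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No TSPY_LLAC.SM artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

When cleaning up, terminate the process before deleting server.exe, otherwise the running copy may recreate the file and registry values; remove the Active Setup key as well as the Run values, since a leftover StubPath would re-execute the dropped copy at the next logon of any user who has not yet received the component.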