(Trojan.Win32.VB.aia, Trojan.Luall, Trj/Neddis.A, Troj/Alllu-A, TR/Agent.85823, Win32:Trojano-3489)
Symptoms
- Constant disk activity
- The presence of .exe files with a folder icon for each MPG, AVI, JPG and MP3 file (for example, if there is a stuff.avi file, there is also a stuff.avi.exe file)
- The presence of the HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\LA\run registry key
Removal instructions:
Please let BitDefender delete the infected files.
Analyzed By
Boeriu Laura, virus researcher
Technical Description:
This Trojan is written in Visual Basic and has an approximate size of 45 kilobytes. When run, it searches the hard disk for files with the following extensions:
If a file with any of these extensions is found, the malware creates a copy of itself in the folder where the file was found, appending .exe to the filename. For example, if the file is located at C:\example\picture.jpg, the malware will create a copy of itself as C:\example\picture.jpg.exe.
When run, the Trojan will create a hidden folder derived from the name of the executable (by appending an “l”) and open it in Explorer. For example, if the user runs the malware located at C:\example\picture.jpg.exe, it will create the folder C:\example\picturel. After creation, the folder will be opened in Explorer, giving the impression that the user double-clicked on a folder rather than an executable. The malware also has an icon similar to the folder icon used by Windows Explorer (a social engineering trick frequently used by malware).
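The naming pattern described above leaves artifacts that can be searched for on disk. The following Python sketch is an added example, not part of the original description: it walks a directory tree and reports every `<name>.<ext>.exe` file that sits beside a matching media file, together with the `<name>l` folder if one exists. The function names and the sample tree are constructed for illustration, the extension set is the one given in the Symptoms list, and the script does not inspect the hidden attribute or the file icon.

```python
import os
import tempfile

# Extensions named in the Symptoms list above.
MEDIA_EXTS = {".mpg", ".avi", ".jpg", ".mp3"}


def find_decoys(root):
    """Return sorted (decoy_exe, media_file, decoy_folder_or_None) paths under root."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {n.lower(): n for n in filenames}   # Windows names are case-insensitive
        folders = {d.lower(): d for d in dirnames}
        for lower, name in by_lower.items():
            if not lower.endswith(".exe"):
                continue
            media_lower = lower[:-4]                    # name without the appended ".exe"
            stem, ext = os.path.splitext(media_lower)
            if ext not in MEDIA_EXTS or media_lower not in by_lower:
                continue                                # require the media file beside it
            folder = folders.get(stem + "l")            # folder created when the copy is run
            hits.append((
                os.path.join(dirpath, name),
                os.path.join(dirpath, by_lower[media_lower]),
                os.path.join(dirpath, folder) if folder else None,
            ))
    return sorted(hits, key=lambda h: h[0])


def demo():
    """Build a constructed directory tree and return the findings as relative paths."""
    files = ["a/stuff.avi", "a/stuff.avi.exe", "a/setup.exe",
             "b/picture.jpg", "b/picture.jpg.exe", "b/notes.txt.exe", "b/song.mp3"]
    with tempfile.TemporaryDirectory() as root:
        for rel in files:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "wb").close()                    # empty placeholder files
        os.makedirs(os.path.join(root, "b", "picturel"))
        rel = lambda p: p and os.path.relpath(p, root).replace(os.sep, "/")
        return [tuple(rel(p) for p in hit) for hit in find_decoys(root)]


if __name__ == "__main__":
    for exe, media, folder in demo():
        print(exe, "shadows", media, "| folder:", folder)
```

A hit with a folder path indicates the copy was probably executed at least once; a hit without one only shows that the copy was dropped.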
The malware marks the fact that it was run by creating a value named “1” set to “T” in the registry key “HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\LA\run”.
The malware searches for components of Symantec's Norton Antivirus and tries to disable them by overwriting the executables. Specifically, it searches for:
- C:\Program Files\Symanted\LiveUpdate\LUALL.EXE
- dats.exe