Trojan.Win32.Lunam.a
Platform: Win32
Type: Trojan
Language: Visual Basic
Summary
Trojan.Win32.Lunam.a is a Trojan program that also behaves as an Autorun worm: it copies itself to removable drives with an Autorun.inf launcher, installs itself for autostart, disables Safe Mode and writes its body into media and document files on the local drives.
Technical Details
Installation
The Trojan copies its executable file as follows:
%Temp%\avscan.exe
%WinDir%\hosts.exe
A creation date and time stamp is appended to the end of each Trojan copy, for example «5/7/2012 7:30:22 AM». The time at which the Trojan last copied itself is removed from this stamp; the date is left unchanged. (The original entry shows the tail of an infected copy in a screenshot, which is not reproduced here.)
The Trojan creates the following registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"avscan" = "%Temp%\avscan.exe"
As a result, the file is automatically run when Windows is booted.
The Trojan then launches the copies it has created and terminates the original process.
Payload
Once launched, the Trojan creates the following files:
%WinDir%\W_X_C.bat
%WinDir%\W_X_C.vbs
It creates the following registry value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"%ComputerName%" = "W_X_C.bat"
where %ComputerName% is an infected computer name.
W_X_C.bat checks whether %WinDir%\hosts.exe exists. If it does, the batch file launches %WinDir%\hosts.exe and %WinDir%\W_X_C.vbs. Otherwise it terminates the explorer.exe process and forces a reboot, closing all running applications. Because the batch file is started from the policies\Explorer\Run value at every logon, deleting hosts.exe while that value is still present results in a reboot at each logon; the registry value must be removed first. (The text of the message displayed before the reboot is shown in a screenshot in the original entry, which is not reproduced here.)
The W_X_C.vbs file re-creates the following registry value if it is no longer present, so that removing the value alone does not stop the Trojan from starting:
[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"%ComputerName%" = "W_X_C.bat"
where %ComputerName% is an infected computer name.
The Trojan modifies values for the following registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"
"ShowSuperHidden" = "0"
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"DefaultValue" = "1"
"UncheckedValue" = "1"
As a result, Windows Explorer hides file extensions and does not display files with the Hidden and System attributes, so the dropped .exe, .bat and .vbs files are not visible. Setting "UncheckedValue" = "1" under Folder\HideFileExt means that clearing the "Hide extensions for known file types" checkbox in Folder Options still writes 1, so the user cannot make extensions visible again through the normal dialog until this value is restored to 0.
To prevent the victim machine from booting into Safe Mode, the Trojan deletes the following branch of the system registry:
[HKLM\System\ControlSet001\Control\SafeBoot]
Note that the Trojan addresses ControlSet001 directly rather than CurrentControlSet; on a system where HKLM\System\Select\Current points to a different control set, the active SafeBoot configuration is not affected. Where the deletion does take effect, the branch cannot be rebuilt by hand and has to be re-imported from a clean installation of the same Windows version.
The Trojan searches local drives for files with the following extensions:
MP3 JPG BMP DOC XLS RAR ZIP SIS JAR 3GP RM WMV MPEG MPG AVI PNG
The Trojan writes its body to the beginning of all files it has found.
Autorun
The Trojan is able to spread via removable media.
When a removable drive is detected, the Trojan creates two copies of its executable file in the root directory of the drive:
usb.exe
Rahasia_Ku.exe
In addition, the Trojan writes the following file to the root directory of the removable drive:
Autorun.inf
This file launches usb.exe when the root folder of the drive is opened in Windows Explorer with AutoRun enabled. On Windows 7 and later, and on earlier versions with update KB971029 installed, AutoRun is ignored for non-optical removable drives, so the Trojan only spreads from such a drive if the user runs usb.exe or Rahasia_Ku.exe manually; the files are still copied to every drive the infected machine sees.
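The following PowerShell script is an added example, not code from the original entry or from the Trojan itself. It performs a read-only sweep for the indicators described in the Installation, Payload and Autorun sections: the dropped files, both autostart values, the Explorer view tampering, the missing SafeBoot branch, the files in the root of removable drives, and media or document files whose first two bytes are the PE signature "MZ" (the Trojan writes its body to the beginning of such files). The $MediaRoot parameter, the directory searched for such files, is an assumption; every path, value name and file name comes from the entry above.

```powershell
# Added example (not part of the original entry): read-only IoC sweep for
# Trojan.Win32.Lunam.a. Run in an elevated PowerShell 5.1 or later session.
param(
    [string]$MediaRoot = $env:USERPROFILE   # assumption: where user media lives
)

$findings = New-Object System.Collections.Generic.List[string]

# True if the file starts with the PE signature 'MZ' (0x4D 0x5A).
function Test-PrependedPE {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 2
        $n = $fs.Read($buf, 0, 2)
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } finally { $fs.Dispose() }
}

# 1. Dropped copies and payload scripts
$droppedFiles = @(
    (Join-Path $env:TEMP   'avscan.exe'),
    (Join-Path $env:WINDIR 'hosts.exe'),
    (Join-Path $env:WINDIR 'W_X_C.bat'),
    (Join-Path $env:WINDIR 'W_X_C.vbs')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings.Add("file present: $f") }
}

# 2. Autostart values; the policies\Explorer\Run value is named after the host
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['avscan']) {
    $findings.Add("Run value avscan = $($run.avscan)")
}
$pol = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run' -ErrorAction SilentlyContinue
if ($pol -and $pol.PSObject.Properties[$env:COMPUTERNAME]) {
    $findings.Add("policies\Explorer\Run value $env:COMPUTERNAME = $($pol.PSObject.Properties[$env:COMPUTERNAME].Value)")
}

# 3. Explorer view tampering (extensions hidden, super-hidden files not shown,
#    Folder Options checkbox neutralised via UncheckedValue = 1)
$adv = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($adv -and $adv.HideFileExt -eq 1 -and $adv.ShowSuperHidden -eq 0) {
    $findings.Add('Explorer\Advanced: HideFileExt=1 and ShowSuperHidden=0')
}
$fo = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt' -ErrorAction SilentlyContinue
if ($fo -and $fo.UncheckedValue -eq 1) {
    $findings.Add('Folder\HideFileExt: UncheckedValue=1 (checkbox cannot re-enable extensions)')
}

# 4. SafeBoot branch deleted (the Trojan targets ControlSet001; check the active set too)
foreach ($k in 'HKLM:\System\ControlSet001\Control\SafeBoot', 'HKLM:\System\CurrentControlSet\Control\SafeBoot') {
    if (-not (Test-Path $k)) { $findings.Add("missing: $k") }
}

# 5. Autorun copies in the root of removable drives (DriveType 2)
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($n in 'usb.exe', 'Rahasia_Ku.exe', 'Autorun.inf') {
        $p = Join-Path $_.DeviceID $n
        if (Test-Path -LiteralPath $p) { $findings.Add("removable root file: $p") }
    }
}

# 6. Media/document files of the targeted types that now begin with a PE header
$targetExt = '.mp3','.jpg','.bmp','.doc','.xls','.rar','.zip','.sis','.jar',
             '.3gp','.rm','.wmv','.mpeg','.mpg','.avi','.png'
Get-ChildItem -Path $MediaRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $targetExt -contains $_.Extension.ToLower() } |
    ForEach-Object {
        if (Test-PrependedPE -Path $_.FullName) { $findings.Add("MZ header in: $($_.FullName)") }
    }

if ($findings.Count -eq 0) { 'No Lunam.a indicators found.' } else { $findings | ForEach-Object { "[!] $_" } }
```

The MZ check is a triage signal, not proof of infection: self-extracting .rar and .zip archives legitimately start with an MZ header, so files it flags should be quarantined for review rather than deleted on sight. None of the other listed formats (JPEG, PNG, BMP, OLE2 .doc/.xls, ZIP-based .jar, MP3, 3GP, RM, WMV/AVI, MPEG) begin with those two bytes.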
Removal Recommendations
- Using Task Manager, terminate the Trojan processes:
  avscan.exe
  hosts.exe
- Delete the autostart values created by the Trojan. Do this before deleting hosts.exe: W_X_C.bat forces a reboot whenever it runs and hosts.exe is missing, so leaving the policies\Explorer\Run value in place causes a reboot at every logon.
  [HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "avscan"
  [HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run] "%ComputerName%"
- Delete the original Trojan file (its file name and location depend on how the Trojan originally reached the computer).
- Delete the files:
  %WinDir%\W_X_C.bat
  %WinDir%\W_X_C.vbs
  %Temp%\avscan.exe
  %WinDir%\hosts.exe
- Delete the following files from the root folder of every removable disk:
  usb.exe
  Rahasia_Ku.exe
  Autorun.inf
- Restore the Explorer settings changed by the Trojan ("HideFileExt" and "ShowSuperHidden" under HKCU\...\Explorer\Advanced, and "UncheckedValue" = "0" under HKLM\...\Explorer\Advanced\Folder\HideFileExt).
- Restore the [HKLM\System\ControlSet001\Control\SafeBoot] branch by importing it from a clean installation of the same Windows version; until then the machine cannot boot into Safe Mode.
- Treat files with the listed extensions into which the Trojan has written its body as damaged and restore them from backup.
- Run a full scan of your computer using an antivirus program with an up-to-date definition database.
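The following PowerShell script is an added example that carries out the removal steps above in the order the entry requires (autostart values before files, so that W_X_C.bat cannot trigger a reboot). It is not code from the original entry. It assumes an elevated PowerShell 5.1 or later session on the infected machine and that the SafeBoot.reg file mentioned in step 6 has been exported from a clean system of the same Windows version; all paths and value names come from the entry.

```powershell
# Added example (not part of the original entry): clean-up of the indicators
# listed under Removal Recommendations. Run from an elevated session.

# 1. Stop the running copies first
Get-Process -Name 'avscan', 'hosts' -ErrorAction SilentlyContinue | Stop-Process -Force

# 2. Remove the autostart values before touching hosts.exe; the policies value
#    is named after the computer.
Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'avscan' -ErrorAction SilentlyContinue
Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run' `
    -Name $env:COMPUTERNAME -ErrorAction SilentlyContinue

# 3. Delete the dropped files
$dropped = @(
    (Join-Path $env:TEMP   'avscan.exe'),
    (Join-Path $env:WINDIR 'hosts.exe'),
    (Join-Path $env:WINDIR 'W_X_C.bat'),
    (Join-Path $env:WINDIR 'W_X_C.vbs')
)
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { Remove-Item -LiteralPath $f -Force }
}

# 4. Clean the root of every removable drive (DriveType 2)
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($n in 'usb.exe', 'Rahasia_Ku.exe', 'Autorun.inf') {
        $p = Join-Path $_.DeviceID $n
        if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Force }
    }
}

# 5. Restore Explorer view settings: show extensions and super-hidden files,
#    and put the Folder Options checkbox back to its stock behaviour
#    (UncheckedValue = 0). The 'SuperHidden' value the Trojan adds is not
#    a setting Explorer uses, so it is simply removed.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name 'HideFileExt'     -Value 0 -Type DWord
Set-ItemProperty -Path $adv -Name 'ShowSuperHidden' -Value 1 -Type DWord
Remove-ItemProperty -Path $adv -Name 'SuperHidden' -ErrorAction SilentlyContinue
$fo = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt'
Set-ItemProperty -Path $fo -Name 'UncheckedValue' -Value 0 -Type DWord

# 6. SafeBoot: re-import the branch exported from a clean machine, e.g.
#    reg export HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot SafeBoot.reg
#    (assumption: the export is in the current directory as SafeBoot.reg)
if (-not (Test-Path 'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot')) {
    if (Test-Path -LiteralPath '.\SafeBoot.reg') {
        reg.exe import '.\SafeBoot.reg'
    } else {
        Write-Warning 'SafeBoot branch is missing and no SafeBoot.reg export was found; Safe Mode is unavailable until it is restored.'
    }
}

# 7. Media/document files the Trojan has written its body into are damaged;
#    restore them from backup. Finish with a full scan using updated definitions.
```

The Explorer view changes take effect for the current user after signing out and back in. If the exported SafeBoot.reg was taken from CurrentControlSet on the clean machine, the key path inside the .reg file must match the control set that is active on the infected machine (see HKLM\System\Select\Current) before it is imported.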