Trojan.Lopad.K

(also known as Swizzor)
Spreading: high
Damage: high
Size: 18944
Discovered: 2006 Apr 05

SYMPTOMS:

Multiple instances of "Internet Explorer" browser in memory.

Strangely named directories in the %appdata% folder containing many malicious ".exe" files.

TECHNICAL DESCRIPTION:

The exact path to the "Internet Explorer" browser is retrieved from the registry.

A check is made to see whether the virus code is executing from within iexplore.exe's address space. If it is not, a new instance of iexplore.exe is started, injected with the viral code and executed.

The malware's action consists in downloading further malware from a randomly constructed URL of the form http://[random].bins.lop.com/[removed]. The downloaded files have the ".int" extension and are saved in the %tmp% folder, then copied and renamed as executables, with random words taken from an internal dictionary, into the %appdata% folder, from where they are eventually executed.

If the code injection fails, the virus runs by itself and:

  • If the command line arguments do not include the string "923CCB1F", a message box with title "Bad Elmo" and text "You must install this software as part of the parent program. Press OK to exit." appears before exiting.
  • If the command line argument "-newkEm" is present, it searches for a window of class "wwBYAwnd" and name "windWWAA" and sends it a message with id 0x533, then exits. If the window cannot be found, the dictionary is used to build a random file name, such as "cdromruleclose.exe", in "%app_data%/", which is executed if it exists. The virus then exits, but not before retrying to send the previous message to the same window.
  • If the command line argument "SWIcertifiedEd 1" is present, the file "%tmp%\bis[random number].tmp" is looked for and removed, and the virus then executes as if it were running from an infected iexplore.exe instance.

The virus uses encrypted strings to make analysis difficult.

The use of command line arguments is meant to prevent heuristic detection.
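The symptoms and command-line switches listed above translate directly into host triage checks. The following helper is an added example, not BitDefender's code; it runs over a constructed host snapshot (process list, %appdata% folder listing, %tmp% file names) and reports the indicators this description gives, so an incident responder can see which of them a real snapshot would trip.

```python
import re

# Indicators taken from the description above; all sample data below is constructed.
ARG_MARKERS = ("923CCB1F", "-newkEm", "SWIcertifiedEd 1")   # command-line switches described
TMP_PATTERN = re.compile(r"^(bis\d+\.tmp|.+\.int)$", re.IGNORECASE)  # %tmp% artefacts described

def cmdline_markers(cmdline):
    """Return the Lopad.K command-line markers present in one process command line."""
    return [m for m in ARG_MARKERS if m in cmdline]

def exe_heavy_dirs(appdata_listing, min_exes=3):
    """Flag %appdata% subfolders (folder -> file names) holding at least min_exes '.exe' files."""
    return sorted(
        folder for folder, names in appdata_listing.items()
        if sum(n.lower().endswith(".exe") for n in names) >= min_exes
    )

def tmp_artefacts(tmp_listing):
    """Return %tmp% file names matching the '.int' download or 'bis[number].tmp' pattern."""
    return [n for n in tmp_listing if TMP_PATTERN.match(n)]

def triage(snapshot):
    """Combine the checks. snapshot keys: 'processes' -> list of (image name, command line),
    'appdata' -> dict of folder -> file names, 'tmp' -> list of file names."""
    procs = snapshot["processes"]
    ie_count = sum(1 for image, _ in procs if image.lower() == "iexplore.exe")
    flagged = [(img, cmdline_markers(cmd)) for img, cmd in procs if cmdline_markers(cmd)]
    return {
        "iexplore_instances": ie_count,          # many instances is the first symptom listed
        "processes_with_markers": flagged,
        "exe_heavy_dirs": exe_heavy_dirs(snapshot["appdata"]),
        "tmp_artefacts": tmp_artefacts(snapshot["tmp"]),
    }

# Constructed host snapshot illustrating the symptoms described above (folder name is invented).
SAMPLE_SNAPSHOT = {
    "processes": [
        ("iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
        ("iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
        ("iexplore.exe", r'"C:\Program Files\Internet Explorer\iexplore.exe" -newkEm'),
        ("cdromruleclose.exe", r'"C:\Users\u\AppData\Roaming\Bold Grid\cdromruleclose.exe" 923CCB1F'),
        ("notepad.exe", "notepad.exe readme.txt"),
    ],
    "appdata": {
        "Microsoft": ["settings.ini"],
        "Bold Grid": ["cdromruleclose.exe", "mealsrace.exe", "goldtank.exe", "data.dat"],
    },
    "tmp": ["bis2931.tmp", "downloaded.int", "~WRL0001.tmp"],
}
```

Call `triage(SAMPLE_SNAPSHOT)` to get the report; on a live host the three inputs would come from the process list and directory listings instead of the constructed sample.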

REMOVAL INSTRUCTIONS:

Please let BitDefender disinfect your files.

ANALYZED BY:

Marian RADU, virus researcher

© 2010 BitDefender
