Trojan.Win32.Lunam.a

by alexander.adamov on May 18th, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Language: Visual Basic

Summary

Trojan.Win32.Lunam.a is a Trojan program which contains the Autorun-worm functionality.

Technical Details

Installation

The Trojan copies its executable file as follows:

%Temp%\avscan.exe
%WinDir%\hosts.exe

The creation date and time is written to the end of each Trojan copy, for example «5/7/2012 7:30:22 AM». The time of the Trojan's most recent self-copy is deleted; the date is left unchanged. The end of the Trojan file is shown in the picture below:

The Trojan creates the following registry keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"avscan" = "%Temp%\avscan.exe"

As a result, the file is automatically run when Windows boots.

The Trojan then launches its copies and its original file, and exits.

Payload

Once launched, the Trojan creates the following files:

%WinDir%\W_X_C.bat
%WinDir%\W_X_C.vbs

It creates the registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"%ComputerName%" = "W_X_C.bat"

where %ComputerName% is the name of the infected computer.

W_X_C.bat checks whether the %WinDir%\hosts.exe file exists. If it does, %WinDir%\hosts.exe and %WinDir%\W_X_C.vbs are launched. Otherwise, the explorer.exe process is terminated and the system is forcibly rebooted, closing all running applications. The following message appears:

The W_X_C.vbs file creates the following registry key if it does not already exist:

[HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"%ComputerName%" = "W_X_C.bat"

where %ComputerName% is the name of the infected computer.

The Trojan modifies values for the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
"SuperHidden" = "0"
"ShowSuperHidden" = "0"

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt]
"DefaultValue" = "1"
"UncheckedValue" = "1"

As a result, files with the «Hidden» attribute and file extensions are not displayed.

To disable booting the victim machine in safe mode, the Trojan removes the following branch of the system registry:

[HKLM\System\ControlSet001\Control\SafeBoot]

The Trojan searches local drives for files with the following extensions:

MP3 JPG BMP DOC XLS RAR ZIP SIS JAR 3GP RM WMV MPEG MPG AVI PNG

The Trojan writes its body to the beginning of all files it has found.
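Files the Trojan has overwritten in this way begin with a Windows executable (a DOS "MZ" stub pointing at a "PE\0\0" signature) instead of their normal media or document header. The following Python scan, added here as an example and not part of the original description, walks a directory tree and flags files with the extensions listed above whose first bytes look like a PE header; the extension list is taken from the description, the sample files are constructed inline, and the minimal "MZ/PE" stub is a stand-in, not the Trojan body.

```python
import struct
import tempfile
from pathlib import Path

# Extension list from the description above (lower-cased with a leading dot).
TARGET_EXTS = {".mp3", ".jpg", ".bmp", ".doc", ".xls", ".rar", ".zip", ".sis",
               ".jar", ".3gp", ".rm", ".wmv", ".mpeg", ".mpg", ".avi", ".png"}

def starts_with_pe(data: bytes) -> bool:
    """True if data begins with a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. a Windows executable was prepended."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_prepended_files(root) -> list:
    """Return sorted paths under root with a targeted extension and a PE header
    in the first 4 KiB (a real e_lfanew lies well inside that window)."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_EXTS:
            with path.open("rb") as fh:
                head = fh.read(0x1000)
            if starts_with_pe(head):
                hits.append(str(path))
    return sorted(hits)

def fake_pe_stub() -> bytes:
    """Constructed minimal 'MZ ... PE\\0\\0' prefix for the demo (not malware)."""
    stub = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew -> signature right after it
    return bytes(stub) + b"PE\x00\x00" + b"\x00" * 20

def demo() -> list:
    """Build a constructed sample tree and return the flagged files relative to it."""
    root = Path(tempfile.mkdtemp())
    (root / "clean.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)   # normal JPEG header
    (root / "music").mkdir()
    (root / "music" / "song.mp3").write_bytes(fake_pe_stub() + b"ID3" + b"\x00" * 64)
    (root / "notes.txt").write_bytes(fake_pe_stub())   # extension not in the list: ignored
    return [Path(p).relative_to(root).as_posix() for p in find_prepended_files(root)]

if __name__ == "__main__":
    print(demo())
```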

Autorun

The Trojan possesses features which allow it to spread via removable media.

Once a portable device is detected, the Trojan creates two copies of its executable file in the drive root directory:

usb.exe
Rahasia_Ku.exe

In addition, the Trojan copies the following file to the root directory of the external drives:

Autorun.inf

This file launches usb.exe when the root folder of the external drive is opened in Windows Explorer.

Removal Recommendations

  1. Using Task Manager (How to End a Process with the Task Manager) terminate the Trojan processes:
     avscan.exe
     hosts.exe

  2. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated the user’s computer).

  3. Delete the files:
     %WinDir%\W_X_C.bat
     %WinDir%\W_X_C.vbs
     %Temp%\avscan.exe
     %WinDir%\hosts.exe

  4. Delete the following files from the root folder of all removable disks:
     usb.exe
     Rahasia_Ku.exe
     Autorun.inf

  5. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).