Trojan:Win32/Lodbak
First posted on 29 June 2015.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Lodbak.
Explanation:
Threat behavior
Installation
This family is usually installed on a removable drive by Worm:Win32/Gamarue. If you use an infected removable drive, the threat might then be installed on your PC.
The threat installs a shortcut file, detected as Trojan:Win32/Lodbak.A!lnk, as well as encrypted data onto your PC.
The threat is installed as a DLL file using a random file name in the following format:
- ~$<random>.bak
For example, we have seen it use the following random file names:
- ~$jemce.bak
- ~$mdqfshozrjgtjc.bak
- ~$odshpmzlsyzzsqqtzre.bak
- ~$omhaeudssbwizasttdiyftnzro.bak
- ~$pfrmgrpkcvafufkipckvvljeyitesjuavjffdcpp.bak
The encrypted data file name is IndexerVolumeGuid.
Payload
Runs other malware
This threat loads other malware. We have seen it loading variants from the Win32/Gamarue family of worms.
When the shortcut file runs, it loads the DLL file by using the rundll32.exe command.
For example, we have seen it run the following command:
- %SystemRoot%\rundll32.exe \~$mdqfshozrjgtjc.bak,nampcorlybeybehd
Once the DLL is loaded, it decrypts and runs the encrypted data IndexerVolumeGuid, which is then detected as Worm:Win32/Gamarue.
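As an added defender-side example (not Microsoft's code), the following Python checks a removable-drive file listing and process command lines for the three artifacts described above: the ~$<random>.bak DLL, the IndexerVolumeGuid payload and the shortcut, plus the rundll32 loader command. The sample listing and command lines are constructed, and the name patterns are assumptions drawn from the examples given on this page.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the Lodbak description above.
# Observed DLL names use lowercase letters; widen the class if you see others.
BAK_DLL_RE = re.compile(r"(?:^|[\\/])~\$[a-z]+\.bak$", re.IGNORECASE)
# rundll32 loading a ~$<random>.bak file and calling an export by name.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\S*~\$[a-z]+\.bak,\w+", re.IGNORECASE)
PAYLOAD_NAME = "indexervolumeguid"   # encrypted Gamarue payload file

def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def suspicious_rundll32(cmdline: str) -> bool:
    """True if a process command line matches the Lodbak loader pattern."""
    return bool(RUNDLL_RE.search(cmdline))

def assess_drive(paths: Iterable[str]) -> Dict[str, object]:
    """Check a removable-drive file listing for the Lodbak artifacts."""
    paths = list(paths)
    bak_dlls = [p for p in paths if BAK_DLL_RE.search(p)]
    shortcuts = [p for p in paths if _basename(p).lower().endswith(".lnk")]
    payload = any(_basename(p).lower() == PAYLOAD_NAME for p in paths)
    # Office lock files (~$name.docx) share the ~$ prefix but not the .bak
    # suffix, so they do not count. Require DLL plus payload for a verdict.
    if bak_dlls and payload:
        verdict = "likely Lodbak staging"
    elif bak_dlls or payload:
        verdict = "partial indicators, review"
    else:
        verdict = "clean"
    return {"bak_dlls": bak_dlls, "shortcuts": shortcuts,
            "payload_present": payload, "verdict": verdict}

# Constructed sample data (not from a real infection) for a stand-alone run.
SAMPLE_DRIVE = [
    r"E:\~$mdqfshozrjgtjc.bak",     # dropped DLL (name from the write-up)
    r"E:\IndexerVolumeGuid",        # encrypted payload
    r"E:\Photos.lnk",               # shortcut that launches the loader
    r"E:\Photos\IMG_0001.jpg",
    r"E:\~$report.docx",            # benign Office lock file, must not match
]
SAMPLE_CMDLINES = [
    r"%SystemRoot%\rundll32.exe \~$mdqfshozrjgtjc.bak,nampcorlybeybehd",
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",  # benign
]

if __name__ == "__main__":
    print(assess_drive(SAMPLE_DRIVE))
    print([suspicious_rundll32(c) for c in SAMPLE_CMDLINES])
```

In practice the file listing would come from the mounted drive's root and the command lines from process-creation telemetry; the verdict is a triage hint, not a replacement for scanning the files themselves.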
Analysis by Ric Robielos
Symptoms
Alerts from your security software might be the only symptom.
Last update 29 June 2015