Trojan:Win32/Micrass.A
First posted on 13 March 2015.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Micrass.A.
Explanation:
Threat behavior
Installation
This threat can be installed by TrojanDropper:Win32/Micrass.A.
It creates the following file:
- %TEMP%\lsmass.exe
It changes the following registry entry so that it runs each time you start your PC:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "LSMASS"
With data: "", for example "%TEMP%\lsmass.exe"
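The Run-key persistence described above can be checked offline against saved `reg query` output. The following is an added example, not part of the original write-up; the sample text, the `triage` and `parse_reg_query` names, and the temp-folder markers are assumptions, and the temp-folder rule goes beyond the page's specific indicator to flag any Run entry that launches from a temp directory.

```python
import re

# Indicators from the description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
VALUE_NAME = "lsmass"
FILE_NAME = "lsmass.exe"
# Assumption (not from the page): typical locations that %TEMP% expands to.
TEMP_MARKERS = ("%temp%\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")

# One value line of `reg query` output: 4 spaces, name, type, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Yield (key, value_name, data) for each value in `reg query` output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
        elif key and (m := VALUE_RE.match(line)):
            yield key, m["name"], m["data"].strip()

def triage(text):
    """Return [(value_name, data, reasons)] for suspicious Run entries."""
    findings = []
    for key, name, data in parse_reg_query(text):
        if key.lower() != RUN_KEY.lower():
            continue  # only the HKLM Run key named in the description
        target = data.strip('"').lower()
        reasons = []
        if name.lower() == VALUE_NAME:
            reasons.append("value name LSMASS")
        if target.endswith("\\" + FILE_NAME):
            reasons.append("runs lsmass.exe")
        if any(marker in target for marker in TEMP_MARKERS):
            reasons.append("launches from a temp folder")
        if reasons:
            findings.append((name, data, reasons))
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    LSMASS    REG_SZ    C:\Users\alice\AppData\Local\Temp\lsmass.exe
    Helper    REG_SZ    "C:\Users\alice\AppData\Local\Temp\helper.exe"
"""

if __name__ == "__main__":
    for name, data, reasons in triage(SAMPLE):
        print(f"{name}: {data} ({'; '.join(reasons)})")
```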
Payload
Downloads malware
This threat can download updates and other malware onto your PC.
We have seen this threat create the file load.dat in the malware folder location, for example, %TEMP%\load.dat.
It renames the file with a random executable file name and runs it, for example %TEMP%\0C88.exe.
The malware also tries to connect to a remote host to upload information about your PC, including your:
- PC name
- IP address
- Available ports
We have seen it try to connect to 96..0.178 using HTTP POST.
Additional information
This threat creates the mutex Microsoft. This can be an infection marker to prevent more than one copy of the threat running on your PC.
Analysis by Jonathan San Jose
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
  %TEMP%\lsmass.exe
- You see these entries or keys in your registry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "LSMASS"
With data: "", for example "%TEMP%\lsmass.exe"
Last update 13 March 2015