
Trojan:Win32/Lodbak.A!lnk


First posted on 26 February 2019.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Lodbak.A!lnk.

Explanation :

Installation

This threat is installed by Trojan:Win32/Lodbak.A.

It uses a random file name in the following format:

~$<random>().lnk

For example, we have seen it use the following file names:

(8GB).lnk
ACTIVE BOOT (8GB).lnk
FLASH DRIVE (8GB).lnk
KINGSTON (16GB).lnk
Removable Drive (16GB).lnk
Removable Drive (8GB).lnk
TOSHIBA (4GB).lnk
TOSHIBA (8GB).lnk
Transcend (8GB).lnk

This file uses the Drive icon to trick you into thinking it is a legitimate removable drive rather than a shortcut file.

Payload

Runs other malware

This threat loads other malware. We have seen it loading variants from the Win32/Gamarue family of worms.

When the shortcut file is opened, it loads the dropped DLL by running rundll32.exe with the DLL path and the name of the export to call.

For example, we have seen it run the following command:

%SystemRoot%\rundll32.exe  ~$mdqfshozrjgtjc.bak,nampcorlybeybehd

Once the DLL is loaded, it decrypts and runs the encrypted payload stored in the file IndexerVolumeGuid, which is then detected as Worm:Win32/Gamarue.
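The chain described above (a drive-iconed .lnk whose target is rundll32.exe loading a ~$<random>.bak DLL by export name) is something a responder would want to pick out of a mounted USB image without opening the shortcuts. The following Python is an added example, not Microsoft's code or part of the original write-up: a minimal MS-SHLLINK parser that pulls the RELATIVE_PATH, COMMAND_LINE_ARGUMENTS and ICON_LOCATION strings from a .lnk, plus a rule that matches the rundll32 pattern quoted above. The sample shortcuts are constructed inside the script; placing the target in RELATIVE_PATH rather than in the LinkTargetIDList, and the shell32.dll icon index, are assumptions for illustration. Real shortcuts usually carry their target in the IDList, which this parser skips rather than decodes, so the arguments string is the field the rule relies on.

```python
"""Minimal MS-SHLLINK parser plus a detection rule for the rundll32 / ~$*.bak
pattern described above. Added example with constructed samples; not
Microsoft's code."""
import re
import struct
import sys
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData fields appear in this fixed order (MS-SHLLINK section 2.4).
STRING_DATA = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location")]


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, IconIndex and the StringData fields of a .lnk blob."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index = struct.unpack_from("<i", data, 56)[0]
    off = 76                                   # ShellLinkHeader is 0x4C bytes
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + item IDs
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags, "icon_index": icon_index}
    for bit, name in STRING_DATA:              # CountCharacters + chars, no NUL
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


# rundll32 invoked on a "~$<random>.bak" DLL with an export name, as quoted above.
RUNDLL32_RE = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)
LODBAK_ARGS_RE = re.compile(r"~\$[^\s,\\/]+\.bak\s*,\s*\w+", re.IGNORECASE)


def lodbak_verdict(fields: dict):
    """Reason string if the shortcut matches the Lodbak pattern, else None."""
    cmd = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    if RUNDLL32_RE.search(cmd) and LODBAK_ARGS_RE.search(fields.get("arguments", "")):
        return "rundll32 loads ~$*.bak DLL by export: " + fields["arguments"]
    return None


def scan_lnk(data: bytes) -> dict:
    fields = parse_lnk(data)
    fields["verdict"] = lodbak_verdict(fields)
    return fields


def build_lnk(relative_path, arguments=None, icon_location=None, icon_index=0) -> bytes:
    """Assemble a minimal Unicode .lnk with an empty IDList (constructed sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | IS_UNICODE
    flags |= HAS_ARGUMENTS if arguments is not None else 0
    flags |= HAS_ICON_LOCATION if icon_location is not None else 0
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, icon_index, 1, 0, 0, 0, 0)

    def sd(text):  # CountCharacters followed by UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = struct.pack("<H", 2) + b"\x00\x00" + sd(relative_path)  # empty IDList
    body += sd(arguments) if arguments is not None else b""
    body += sd(icon_location) if icon_location is not None else b""
    return header + body + struct.pack("<I", 0)    # TerminalBlock ends ExtraData


# Constructed samples. The first mirrors the command quoted above; the icon
# index and the use of RELATIVE_PATH for the target are assumptions.
LODBAK_LNK = build_lnk(r"%SystemRoot%\rundll32.exe",
                       "~$mdqfshozrjgtjc.bak,nampcorlybeybehd",
                       r"%SystemRoot%\system32\shell32.dll", icon_index=8)
BENIGN_LNK = build_lnk(r"..\Documents\report.docx")
LEGIT_RUNDLL_LNK = build_lnk(r"%SystemRoot%\system32\rundll32.exe",
                             "shell32.dll,Control_RunDLL")

if __name__ == "__main__":  # scan every .lnk under a mounted drive or image
    for p in Path(sys.argv[1] if len(sys.argv) > 1 else ".").rglob("*.lnk"):
        try:
            verdict = scan_lnk(p.read_bytes())["verdict"]
        except ValueError:
            continue
        print(f"{p}: {verdict or 'clean'}")
```

The rule keys on the DLL naming (~$ prefix, .bak extension) and the rundll32 export syntax rather than on the icon, because the same Drive icon is used by legitimate shortcuts; the icon location and index are still returned so an analyst can see the lure. A rundll32 shortcut with an ordinary DLL (the Control_RunDLL sample) is left alone.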

Analysis by Ric Robielos

Last update 26 February 2019

