
TrojanSpy:Win32/Lurk.D


First posted on 09 June 2012.
Source: Microsoft

Aliases:

TrojanSpy:Win32/Lurk.D is also known as Trojan-Spy.Win32.Lurk.yr (Kaspersky), W32/Lurk.C (Norman), TROJ_SPNR.0CES12 (Trend Micro).

Explanation:



TrojanSpy:Win32/Lurk.D is a trojan that can capture personal data entered in a web browser and download other malware.



Installation

This trojan is installed by other malware such as Exploit:Java/CVE-2011-3521.A. TrojanSpy:Win32/Lurk.D is present as a file in the Temporary files folder and runs when you start Internet Explorer.



Payload

Downloads arbitrary files

We observed TrojanSpy:Win32/Lurk.D contacting one of three Internet servers to send a notification of its installation:

  • <deleted>.trackerud.com
  • <deleted>.adbullion.com
  • 88.80.13.119/<deleted>


Once connected to the server, the trojan can download an updated version of Lurk.

Additional information

The malware does not install if it determines that certain security applications are already present. It decides whether your computer has security software installed by checking for the existence of the following subkeys under both the HKCU and HKLM registry hives:

Software\Mcafee
Software\Zone Labs
Software\Symantec
Software\FRISK SOftware
Software\ESET
Software\AVG
Software\Microsoft\OneCare Protection
Software\Classes\CLSID\{D5507020-DB45-11D1-A5F0-00600872F78D} (Norman)
Software\Sophos
Software\Avira
Software\Symantec\IDS
Software\Microsoft\Microsoft Antimalware
Software\HAURI\ViRobot
Software\BitDefender
Software\MicroWorld
Software\K7 Computing
Software\Sunbelt Software
Software\Kingsoft
Software\Doctor Web
Software\PCSI
Software\Antiy Lab
Software\rising
Software\Panda Software
Software\CA
Software\Emsi Software
Software\Hacksoft
Software\ComodoGroup
Software\G Data\Common
Software\Vba32
Software\Webroot
Software\JiangMin
Software\PCTools
Software\Authentium
Software\KasperskyLab\LicStorage
Software\TrendMicro
Software\Microsoft\Windows Defender
Software\Ikarus
Software\Lavasoft
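The installation gate described above is a simple existence test on those subkeys, so an incident responder can reproduce it to tell which hosts in an environment the trojan would have skipped and which it would have infected. The following Python script is an added example and is not part of the Microsoft write-up: the subkey list is copied from the analysis, while the function names, the constructed host snapshot and the winreg-based collector are assumptions of this example.

```python
# Added example, not part of the original write-up: reproduce the Lurk.D
# installation gate as a read-only triage check.  The subkey list is copied
# from the analysis above; function names, the constructed host snapshot and
# the winreg collector are this example's own assumptions.
import sys
from typing import Iterable, List, Tuple

# Subkeys the trojan probes under both hives.  Registry paths are
# case-insensitive, so "FRISK SOftware" is kept exactly as written on the page.
LURK_D_SECURITY_SUBKEYS = [
    r"Software\Mcafee", r"Software\Zone Labs", r"Software\Symantec",
    r"Software\FRISK SOftware", r"Software\ESET", r"Software\AVG",
    r"Software\Microsoft\OneCare Protection",
    r"Software\Classes\CLSID\{D5507020-DB45-11D1-A5F0-00600872F78D}",  # Norman
    r"Software\Sophos", r"Software\Avira", r"Software\Symantec\IDS",
    r"Software\Microsoft\Microsoft Antimalware", r"Software\HAURI\ViRobot",
    r"Software\BitDefender", r"Software\MicroWorld", r"Software\K7 Computing",
    r"Software\Sunbelt Software", r"Software\Kingsoft", r"Software\Doctor Web",
    r"Software\PCSI", r"Software\Antiy Lab", r"Software\rising",
    r"Software\Panda Software", r"Software\CA", r"Software\Emsi Software",
    r"Software\Hacksoft", r"Software\ComodoGroup", r"Software\G Data\Common",
    r"Software\Vba32", r"Software\Webroot", r"Software\JiangMin",
    r"Software\PCTools", r"Software\Authentium",
    r"Software\KasperskyLab\LicStorage", r"Software\TrendMicro",
    r"Software\Microsoft\Windows Defender", r"Software\Ikarus",
    r"Software\Lavasoft",
]

HIVES = ("HKCU", "HKLM")


def normalise(path: str) -> str:
    """Canonical form for comparison: backslashes, lower case, no outer separators."""
    return path.replace("/", "\\").strip("\\").lower()


def matching_keys(present_keys: Iterable[str]) -> List[Tuple[str, str]]:
    """Return the (hive, subkey) pairs from the Lurk.D list that exist on the host.

    present_keys holds full key paths such as 'HKLM\\Software\\ESET', e.g.
    parsed from a registry export or collected live with collect_live_keys().
    """
    present = {normalise(k) for k in present_keys}
    hits = []
    for hive in HIVES:
        for subkey in LURK_D_SECURITY_SUBKEYS:
            if normalise(f"{hive}\\{subkey}") in present:
                hits.append((hive, subkey))
    return hits


def would_install(present_keys: Iterable[str]) -> bool:
    """True when the host exposes none of the subkeys the trojan checks for."""
    return not matching_keys(present_keys)


def collect_live_keys() -> List[str]:
    """On Windows, probe the real registry for each hive/subkey pair.

    Only the listed keys are opened, read-only; nothing is written.
    """
    import winreg  # Windows-only; imported here so the module loads elsewhere
    handles = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    found = []
    for hive, handle in handles.items():
        for subkey in LURK_D_SECURITY_SUBKEYS:
            try:
                with winreg.OpenKey(handle, subkey):
                    found.append(f"{hive}\\{subkey}")
            except OSError:
                pass  # key absent (or access denied): treat as not present
    return found


# Constructed snapshot of a host (not real data): Windows Defender present
# under HKLM plus two unrelated keys that must not match.
SAMPLE_HOST_KEYS = [
    r"HKLM\Software\Microsoft\Windows Defender",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion",
    r"HKCU\Software\Classes",
]

if __name__ == "__main__":
    keys = collect_live_keys() if sys.platform == "win32" else SAMPLE_HOST_KEYS
    for hive, subkey in matching_keys(keys):
        print(f"present: {hive}\\{subkey}")
    verdict = "would install" if would_install(keys) else "would abort installation"
    print(f"Lurk.D {verdict} on this host")
```

One caveat when running the live collector: the trojan is a 32-bit process, and on a 64-bit Windows host a 32-bit process has HKLM\Software redirected to the Wow6432Node view, so a 64-bit Python interpreter may not see exactly the set of keys the trojan would have seen. For scoping from offline evidence, feed matching_keys() the paths parsed from a registry export instead.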



Analysis by Patrick Estavillo

Last update 09 June 2012
