Home / malwarePDF  


First posted on 23 May 2019.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Lodbak.A.

Explanation :


This threat is usually installed on a removable drive by Worm:Win32/Gamarue. If you use an infected removable drive, the threat might then be installed on your PC.

The threat installs a shortcut file - detected as Trojan:Win32/Lodbak.A!lnk - as well as encrypted data onto you PC.

The threat is installed as a DLL file using a random file name in the following format:

~$< random>.bak

For example, we have seen it use the following random file names:

~$jemce.bak ~$mdqfshozrjgtjc.bak ~$odshpmzlsyzzsqqtzre.bak ~$omhaeudssbwizasttdiyftnzro.bak ~$pfrmgrpkcvafufkipckvvljeyitesjuavjffdcpp.bak

The encrypted data file name is IndexerVolumeGuid.


Runs other malware

This threat loads other malware. We have seen it loading variants from the Win32/Gamarue family of worms.

When the shortcut file runs, it loads the DLL file by using the rundll32.exe command.

For example, we have seen it run the following command:

undll32.exe  ~$mdqfshozrjgtjc.bak,nampcorlybeybehd

Once the DLL is loaded, it decrypts and runs the encrypted data IndexerVolumeGuid, which is then detected as Worm:Win32/Gamarue.

Analysis by Ric Robielos

Last update 23 May 2019