First posted on 23 May 2019.
There are no other names known for Trojan:Win32/Lodbak.A.
This threat is usually installed on a removable drive by Worm:Win32/Gamarue. If you use an infected removable drive, the threat might then be installed on your PC.
The threat installs a shortcut file (detected as Trojan:Win32/Lodbak.A!lnk) as well as encrypted data onto your PC.
The threat is installed as a DLL file using a random file name in the following format:
For example, we have seen it use the following random file names:
~$jemce.bak
~$mdqfshozrjgtjc.bak
~$odshpmzlsyzzsqqtzre.bak
~$omhaeudssbwizasttdiyftnzro.bak
~$pfrmgrpkcvafufkipckvvljeyitesjuavjffdcpp.bak
The encrypted data file name is IndexerVolumeGuid.
Runs other malware
This threat loads other malware. We have seen it loading variants from the Win32/Gamarue family of worms.
When the shortcut file runs, it loads the DLL file by using the rundll32.exe command.
For example, we have seen it run the following command:
Once the DLL is loaded, it decrypts and runs the encrypted data IndexerVolumeGuid, which is then detected as Worm:Win32/Gamarue.
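The on-disk traces described above (a ~$<random>.bak DLL, the IndexerVolumeGuid payload, and a shortcut that invokes rundll32.exe on the DLL) can be triaged on a removable drive with a small script. This is an added example written for this page, not Microsoft's own tooling; the shortcut check is a heuristic string search over the LNK bytes, and the sample drive contents, file names and the DLL entry point name in the fake shortcut are constructed.

```python
import os
import re
import tempfile

# File-name patterns taken from the description on this page.
DLL_NAME_RE = re.compile(r"^~\$[a-z]+\.bak$", re.IGNORECASE)
PAYLOAD_NAME = "IndexerVolumeGuid"


def lnk_references_rundll32_bak(path):
    """Heuristic: LNK string data is UTF-16LE, so decode the whole file loosely and
    look for both 'rundll32' and a ~$<name>.bak reference in the arguments."""
    with open(path, "rb") as f:
        text = f.read().decode("utf-16-le", errors="ignore").lower()
    return "rundll32" in text and re.search(r"~\$[a-z]+\.bak", text) is not None


def triage_drive(root):
    """Scan the top level of a drive and collect the three kinds of traces."""
    findings = {"dll": [], "payload": [], "lnk": []}
    for entry in os.scandir(root):
        if not entry.is_file():
            continue
        name = entry.name
        if DLL_NAME_RE.match(name):
            findings["dll"].append(name)
        elif name == PAYLOAD_NAME:
            findings["payload"].append(name)
        elif name.lower().endswith(".lnk") and lnk_references_rundll32_bak(entry.path):
            findings["lnk"].append(name)
    return findings


def is_suspicious(findings):
    # Require the loader DLL plus at least one other trace to limit false positives
    # (an IndexerVolumeGuid file alone also exists legitimately on some drives).
    return bool(findings["dll"]) and (bool(findings["payload"]) or bool(findings["lnk"]))


def build_sample_drive():
    """Constructed sample: a temp directory imitating an infected removable drive."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "~$jemce.bak"), "wb") as f:
        f.write(b"\x00" * 16)
    with open(os.path.join(root, PAYLOAD_NAME), "wb") as f:
        f.write(b"\xaa" * 16)
    # Fake .lnk: only the UTF-16LE argument string matters to the heuristic above.
    fake_args = "rundll32.exe ~$jemce.bak,EntryPoint".encode("utf-16-le")
    with open(os.path.join(root, "Drive.lnk"), "wb") as f:
        f.write(b"L\x00\x00\x00" + fake_args)  # 4-byte prefix keeps UTF-16 alignment
    return root
```

Run `is_suspicious(triage_drive(build_sample_drive()))` to see the constructed drive flagged; point `triage_drive` at a mounted drive root to check a real one.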
Analysis by Ric Robielos
Last update 23 May 2019