
Backdoor.Lapadin


First posted on 14 August 2014.
Source: Symantec

Aliases:

There are no other names known for Backdoor.Lapadin.

Explanation:

When the Trojan is executed, it uses one of the service names found in the following registry subkey in order to name its files and registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs

Next, the Trojan creates the following files:
%System%\[SERVICE NAME]ex.dll
%System%\install.tmp

The Trojan then adds %System%\[SERVICE NAME]ex.dll as a service.

The Trojan then creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]\"DisplayName" = "[SERVICE NAME]"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SERVICE NAME]\Parameters\"ServiceDll" = "%System%\[SERVICE NAME]ex.dll"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Ias\"Description" = "Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start."

Next, the Trojan connects to the following remote locations:
technology.trendmicro.org.tw
ey.avstore.com.tw
chanxe.avstore.com.tw
jackyandy.avstore.com.tw
newb02.skypetm.com.tw

The Trojan may then perform the following activities:
Create a remote shell
Disable the mouse and keyboard
Simulate mouse and keyboard interactions
Gather and replace clipboard data
Gather details on the size and free space of local drives
Gather details on the computer's processor speed
Gather details on the webcam driver's version description, if present
Download and upload files
Delete, move, and search for files
Delete OS event log
Delete folders
Delete itself
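To check a Windows host for the artifacts described above, the following PowerShell script is an added example written for this page; it is not Symantec's code and not part of the malware. It reads the same netsvcs list the Trojan picks its disguise name from, looks for a matching %System%\[SERVICE NAME]ex.dll on disk, checks whether any service's ServiceDll value points at such a file, looks for the leftover install.tmp, and compares the local DNS cache against the hostnames listed above. It assumes %System% is %SystemRoot%\System32, that it runs from an elevated prompt (HKLM:\SYSTEM service keys), and that Get-DnsClientCache is available (Windows 8 / Server 2012 or later; the DNS step is skipped otherwise).

```powershell
# Added example for this page (not Symantec's code): hunt for Backdoor.Lapadin artifacts.
# Assumption: %System% is %SystemRoot%\System32; run elevated to read HKLM:\SYSTEM.

$system32   = Join-Path $env:SystemRoot 'System32'
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# The netsvcs REG_MULTI_SZ value is the list the writeup says the Trojan picks a name from.
$netsvcs = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs').netsvcs

$findings = [System.Collections.Generic.List[object]]::new()

foreach ($name in $netsvcs) {
    # Expected dropped file for this service name: <name>ex.dll in System32.
    $suspectDll = Join-Path $system32 ('{0}ex.dll' -f $name)
    $paramsKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"

    $serviceDll = $null
    if (Test-Path -LiteralPath $paramsKey) {
        $serviceDll = (Get-ItemProperty -LiteralPath $paramsKey -ErrorAction SilentlyContinue).ServiceDll
    }
    # ServiceDll is normally REG_EXPAND_SZ; expand %SystemRoot% etc. before comparing paths.
    $expanded = if ($serviceDll) { [Environment]::ExpandEnvironmentVariables($serviceDll) } else { '' }

    $fileExists = Test-Path -LiteralPath $suspectDll
    $regPoints  = ($expanded -ieq $suspectDll)

    if ($fileExists -or $regPoints) {
        $findings.Add([pscustomobject]@{
            Indicator  = "service '$name'"
            Path       = $suspectDll
            FileExists = $fileExists
            ServiceDll = $serviceDll
        })
    }
}

# Leftover dropper temp file named in the writeup.
$installTmp = Join-Path $system32 'install.tmp'
if (Test-Path -LiteralPath $installTmp) {
    $findings.Add([pscustomobject]@{
        Indicator  = 'install.tmp'
        Path       = $installTmp
        FileExists = $true
        ServiceDll = $null
    })
}

# Remote locations from the writeup; a cached resolution means something on this host looked them up.
$c2Hosts = @(
    'technology.trendmicro.org.tw',
    'ey.avstore.com.tw',
    'chanxe.avstore.com.tw',
    'jackyandy.avstore.com.tw',
    'newb02.skypetm.com.tw'
)
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $c2Hosts -contains $_.Entry.ToLower() } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Indicator  = 'DNS cache'
                Path       = $_.Entry
                FileExists = $null
                ServiceDll = $null
            })
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Backdoor.Lapadin artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the ServiceDll comparison is the strongest of these signals, because a svchost-hosted service whose DLL lives outside the normal Microsoft set is exactly the persistence the writeup describes; a lone install.tmp or DNS-cache hit is weaker and should be confirmed against the service keys before acting on it.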

Last update 14 August 2014
