Trojan-Spy.Win32.Luzia.ad

Tags: Trojan, Spy

Payload

The Trojan terminates the following processes:

accwiz32.exe
ahui32.exe
ashserven.exe
avgshserven.exe
bluetooth.exe
cmd32.exe
directsnd.exe
dxdiag32.exe
dxdiags.exe
dxdrv.exe
iexplorer.com
iexplorer.exe
msn_explorer.exe
msnscr.exe
spolsv.exe
spolsv.scr
svghosts.exe
system32.exe
terraxp.exe
winlogon32.exe
winmgmt.exe
winplay.exe
wscntfy.exe
wupdmgr32.exe

The Trojan tracks keystrokes in certain windows. The window titles are contained in an encrypted list in the body of the Trojan. The Trojan will save log files containing details of the sequence of keys pressed by the user to the following folder:

%System%\winmgmt32

The file names have the format dmY-HMS, where dmY denotes the date on which the file was created and HMS the time at which it was created.

The Trojan will periodically take screenshots of the currently active window.

The screenshots will be saved, with a .jpg extension, to the following folder:

%System%\winmgmt32

The Trojan will upload all files in %System%\winmgmt32 to the remote malicious user's FTP server:

Bonege***.serveftp.com
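When responding to an infection, the names of the files left in %System%\winmgmt32 are the quickest way to establish when keystroke logging and screen capture were active. The helper below reconstructs that timeline from a directory listing. It is an added example, not code from the original page or from any vendor: it assumes the dmY-HMS stamp is zero-padded with a four-digit year (strftime "%d%m%Y-%H%M%S"), that key-log files carry no extension, and that screenshots use the same stem with a .jpg extension; the listing it runs over is constructed for the example.

```python
"""Reconstruct a capture timeline from file names found in the Trojan's
drop folder (%System%\\winmgmt32).

Added example, not code from the page. Assumptions (not stated on the page):
  * stamps are zero-padded day, month, four-digit year, 24h time,
    i.e. strftime "%d%m%Y-%H%M%S";
  * key-log files have no extension, screenshots end in .jpg.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# dmY-HMS stem with an optional .jpg suffix; case-insensitive for .JPG
STEM = re.compile(r"^(?P<stamp>\d{8}-\d{6})(?P<ext>\.jpg)?$", re.IGNORECASE)


def parse_artifact_name(name: str) -> Tuple[datetime, str]:
    """Map one file name to (timestamp, kind).

    kind is 'keylog' for a bare dmY-HMS name and 'screenshot' for .jpg.
    Raises ValueError for anything else so unrelated files in the folder
    are reported instead of silently dropped.
    """
    m = STEM.match(name)
    if not m:
        raise ValueError(f"unrecognised artifact name: {name!r}")
    stamp = datetime.strptime(m.group("stamp"), "%d%m%Y-%H%M%S")
    kind = "screenshot" if m.group("ext") else "keylog"
    return stamp, kind


def build_timeline(names: List[str]) -> Dict[str, object]:
    """Sort artifacts chronologically and summarise the activity window."""
    events = []
    rejected = []
    for n in names:
        try:
            stamp, kind = parse_artifact_name(n)
        except ValueError as err:
            rejected.append(str(err))
            continue
        events.append((stamp, kind, n))
    events.sort()  # tuples sort by timestamp first
    return {
        "events": events,
        "rejected": rejected,
        "first_seen": events[0][0] if events else None,
        "last_seen": events[-1][0] if events else None,
        "keylogs": sum(1 for _, k, _ in events if k == "keylog"),
        "screenshots": sum(1 for _, k, _ in events if k == "screenshot"),
    }


# Constructed directory listing for the example; not real evidence.
SAMPLE_LISTING = [
    "15032007-143015",
    "15032007-143520.jpg",
    "14032007-235959",
    "Thumbs.db",
    "16032007-081200.JPG",
]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LISTING)
    for stamp, kind, name in tl["events"]:
        print(f"{stamp:%Y-%m-%d %H:%M:%S}  {kind:10s}  {name}")
    print(f"window: {tl['first_seen']} -> {tl['last_seen']}")
    for r in tl["rejected"]:
        print("skipped:", r)
```

Because the stamp is derived from the file name rather than from filesystem metadata, the timeline survives the folder being copied off the host for analysis, which resets creation times.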
Technical Details

This Trojan harvests information from the victim machine. It is a Windows PE EXE file. It is 164,864 bytes in size. It is packed using PECompact. The unpacked file is approximately 680KB in size. It is written in C.

Installation

When launched, the Trojan copies its executable file to the Windows system directory:

%System%\winmgmt32.exe

In order to ensure that the Trojan is launched automatically when the system is rebooted, the Trojan registers its executable file in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"winmgmt32.exe" = "%System%\winmgmt32.exe"

Removal Instructions

1. Use Task Manager to terminate the Trojan process.
2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
3. Delete the following file:
   %System%\winmgmt32.exe
4. Delete the following folder and its contents:
   %System%\winmgmt32
5. Delete the following system registry key parameter:
   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "winmgmt32.exe" = "%System%\winmgmt32.exe"
6. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
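The installation and removal steps above give three host indicators: the dropped file %System%\winmgmt32.exe, the drop folder %System%\winmgmt32, and the HKLM Run value "winmgmt32.exe". The script below checks a host snapshot against them offline. It is an added example, not code from the original page or from any vendor: the snapshot it consumes is a constructed .reg export plus a constructed file list, the system directory is assumed to be C:\Windows\System32 for expanding %System%, and the minimal .reg parser handles only the [key] and "name"="value" lines that a Run-key export contains.

```python
"""Check a host snapshot for the persistence indicators on this page.

Added example, not code from the page. Input is a constructed registry
export (.reg text) and a constructed list of paths so it runs anywhere;
on a live host the same functions can be fed the output of `reg export`
and a directory listing. SYSTEM_DIR is an assumption for %System%.
"""
import ntpath
from typing import Dict, List

SYSTEM_DIR = r"C:\Windows\System32"  # assumed %System% expansion
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

# Indicators taken from the page text.
INDICATORS = {
    "dropped_file": r"%System%\winmgmt32.exe",
    "drop_folder": r"%System%\winmgmt32",
    "run_value_name": "winmgmt32.exe",
}


def expand(path: str) -> str:
    """Expand %System% and normalise case and separators for comparison."""
    return ntpath.normcase(path.replace("%System%", SYSTEM_DIR))


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for [key] / "name"="value" lines of a .reg export.

    .reg files escape backslashes as "\\\\"; they are unescaped here so
    values compare equal to plain Windows paths.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip().strip('"')
            value = value.strip().strip('"').replace("\\\\", "\\")
            keys[current][name] = value
    return keys


def check_snapshot(reg_text: str, paths: List[str]) -> List[str]:
    """Return matched indicator descriptions; an empty list means no match."""
    hits: List[str] = []
    run_values = parse_reg_export(reg_text).get(RUN_KEY, {})
    target = expand(INDICATORS["dropped_file"])
    for name, value in run_values.items():
        # Match on either the value name or the path it launches, so a
        # renamed value still trips on the dropped-file path.
        if name.lower() == INDICATORS["run_value_name"] or expand(value) == target:
            hits.append(f"Run value {name!r} = {value}")
    present = {expand(p) for p in paths}
    for label in ("dropped_file", "drop_folder"):
        if expand(INDICATORS[label]) in present:
            hits.append(f"{label}: {INDICATORS[label]}")
    return hits


# Constructed snapshot for the example; not from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\System32\\ctfmon.exe"
"winmgmt32.exe"="C:\\Windows\\System32\\winmgmt32.exe"
'''
SAMPLE_PATHS = [
    r"C:\Windows\System32\winmgmt32.exe",
    r"C:\Windows\System32\WINMGMT32",
    r"C:\Windows\System32\wbem\WinMgmt.exe",  # legitimate WMI service binary
]

if __name__ == "__main__":
    for hit in check_snapshot(SAMPLE_REG, SAMPLE_PATHS) or ["no indicators found"]:
        print(hit)
```

Comparison is case-insensitive because NTFS is, so WINMGMT32 and winmgmt32 are the same folder; the legitimate wbem\WinMgmt.exe does not match because the full path, not just the base name, is compared.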

©Virus-Encyclopedia.com All Rights Reserved.