Threat Encyclopedia


Win32/Lypserat.A

Aliases: Trojan.Win32.Buzus.coro (Kaspersky), VirTool:Win32/VBInject.gen!CI (Microsoft), BackDoor.Poison.1021 (Dr. Web)
Type of infiltration: Trojan
Size: 225002 B
Affected platforms: Microsoft Windows
Signature database version: 4994 (20100402)

Short description

The trojan contains a backdoor. It can be controlled remotely.

Installation

When executed, the trojan copies itself to some of the following locations:
  • %windir%\apocalyps32.exe
  • %appdata%\apocalyps32.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "apocalyps32" = "%windir%\apocalyps32.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "apocalyps32" = "%appdata%\apocalyps32.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%system%\userinit.exe,%windir%\apocalyps32.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{327PPTME-67W3-W76L-5RW3-020E3H1XM1PU}]
    "StubPath" = "%windir%\apocalyps32.exe"
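
A defender-side check for the persistence entries listed above, as an added example that is not part of the original entry or any vendor tooling: it parses registry-export text and flags the apocalyps32.exe file name in the Run, Winlogon and Active Setup keys. It also goes beyond the listed case by flagging any Userinit entry other than userinit.exe. The sample export, the "ExampleUpdater" value and the C:\Windows expansion of %windir% are constructed.

```python
import re

# Persistence locations named in the write-up, lower-cased for comparison.
RUN = r"\software\microsoft\windows\currentversion\run"
WINLOGON = r"\software\microsoft\windows nt\currentversion\winlogon"
ACTIVE_SETUP = r"\software\microsoft\active setup\installed components"
IOC_FILE = "apocalyps32.exe"  # file name given in the write-up

# Constructed sample in .reg export syntax; C:\Windows stands in for %windir%.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"apocalyps32"="C:\\Windows\\apocalyps32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,C:\\Windows\\apocalyps32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{327PPTME-67W3-W76L-5RW3-020E3H1XM1PU}]
"StubPath"="C:\\Windows\\apocalyps32.exe"
'''

VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def findings(text):
    """Return (reason, key, value_name) tuples that warrant triage."""
    out = []
    for key, name, data in parse_reg(text):
        k, d = key.lower(), data.lower()
        if (k.endswith((RUN, WINLOGON)) or ACTIVE_SETUP in k) and IOC_FILE in d:
            out.append(("ioc-filename", key, name))
        if k.endswith(WINLOGON) and name.lower() == "userinit":
            # Generalisation: flag any Userinit entry other than userinit.exe
            parts = [p.strip() for p in d.split(",") if p.strip()]
            if any(not p.endswith("\\userinit.exe") for p in parts):
                out.append(("userinit-extra-entry", key, name))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(*finding, sep=" | ")
```

The parser handles plain string values only; values exported in `hex(2):` form (REG_EXPAND_SZ) are skipped and need decoding first.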

Information stealing

The trojan collects the following information:
  • user name
  • computer name
  • CPU information
  • operating system version
  • the path of a specific folder
  • Registry entries
The trojan can send the information to a remote machine.

Other information

The trojan receives data and instructions for further action from the Internet or another remote computer within its own network (botnet). It may perform the following actions:
  • log keystrokes
  • delete files
  • create files
  • run executable files
  • create folders
  • delete folders
  • create Registry entries
  • delete Registry entries
  • send the list of running processes to a remote computer
  • send files to a remote computer
  • send the list of disk devices and their type to a remote
    computer
  • capture webcam video/voice
  • shut down/restart the computer
  • steal information from the Windows clipboard
  • capture screenshots
  • send the numbers of opened TCP and UDP ports to a remote
    computer
  • download files from a remote computer and/or the Internet