Systweak Spyware Library
Systweak Spyware Library text
More than 21875 spyware signatures and growing
Microsoft Gold Certified Partner
Search in:
Trojan-Backdoor.lamebot Analysis Report
Threat Submitted On: 9/18/2008 6:41:52 PM
Threat Analysed On: 9/18/2008 11:41:52 PM
Threat Updated On: 1/27/2011 12:01:01 PM
Type : Trojan-Backdoor
Symptoms of lamebot
  • Performs malicious activities.
  • Fetches the user’s sensitive information.
  • Enables the attacker to control the system remotely.
Information
Alias : backdoor.win32.lamebot.i
Md5 Hash : [660c50f526a15c04e5c99c435d9f949f]
File Size : (15693 bytes)

Technical Details

Here are the Technical findings of our analysis team after analyzing this malware in detail :-

Creates the following infected Files on user's System
Note:
Delete the following Files to remove Infection
File: actsetup.exe
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
32721a65c5d1b266711cd4ca52c3c32c ( 3172 bytes)
55f0c4835a42f23998579f5da64214ba ( 3172 bytes)
9dbebcf886cc84e5ddd443fa865d01c6 ( 1945 bytes)
a6720e73171b30650810e13aeb0c6026 ( 1945 bytes)
b9d8443b8d41a66f4fb1f65b7579fcc3 ( 1945 bytes)
File: apisvc.exe
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
46485eabe70cf9634a55cc40f737f570 ( 36874 bytes)
497f286e37013eb7dbedaffa55106565 ( 36872 bytes)
eb95f1a91c80df2516266e2b8f0c4831 ( 13834 bytes)
File: gdb32.exe
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
46d41b4dccba065fd3fdf57022345dd2 ( 3172 bytes)
50f705ea5eabf2475db9fb569bd236d5 ( 2633 bytes)
8b1a9e429b4d36c99bc4323c5e3185d6 ( 3172 bytes)
c0ad4f6d37d5969a36295dd44184295c ( 2633 bytes)
dddd3e0b7f51de941ea4915165a5557c ( 2633 bytes)
File: imode.exe
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
37285cb4e2e201812adb8962bc61c66e ( 15169 bytes)
660c50f526a15c04e5c99c435d9f949f ( 15693 bytes)
c074606ed0794186faca8d8de1cc5130 ( 15169 bytes)
File: nfsiod.exe
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
62f5204b0af276acd2aa9aa48b4c258d ( 15884 bytes)
b5e5297cd0097267f56dbd68c8180acf ( 50649 bytes)
File: scrsvc.exe
Path : %windir%\system32

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
5182f438e5098bf20ac06fc274e3a191 ( 36874 bytes)
766a0500d234ec5b96fb4b41a747ebe0 ( 36872 bytes)
File: [randomname].exe
Path : %workingdir%

Skip Navigation Links.
Collapse Md5Hash :Md5Hash :
00ddd83fc987faff21e9ea4820621ac3 ( 3172 bytes)
37285cb4e2e201812adb8962bc61c66e ( 15169 bytes)
43f3623da2f8e8129d75b2bbf6155e17 ( 35280 bytes)
46485eabe70cf9634a55cc40f737f570 ( 36874 bytes)
497f286e37013eb7dbedaffa55106565 ( 36872 bytes)
5182f438e5098bf20ac06fc274e3a191 ( 36874 bytes)
62f5204b0af276acd2aa9aa48b4c258d ( 15884 bytes)
660c50f526a15c04e5c99c435d9f949f ( 15693 bytes)
66fb27d712a5aa734136f8129f22a196 ( 3172 bytes)
766a0500d234ec5b96fb4b41a747ebe0 ( 36872 bytes)
a95075ca9bbe41b7c2037219f47aface ( 3174 bytes)
b5e5297cd0097267f56dbd68c8180acf ( 50649 bytes)
c074606ed0794186faca8d8de1cc5130 ( 15169 bytes)
eb95f1a91c80df2516266e2b8f0c4831 ( 13834 bytes)
The following Registry Values are added to the provided Registry Keys :-
Note:
Delete the added Values from the Key to remove Infection
|__ Value Added :
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzx = "x"
|__ Value Added :
apisvc.exe = "%windir%\system32\apisvc.exe"
|__ Value Added :
scrsvc = "%WINDIR%\system32\scrsvc.exe"
Creates the following child process(s) on execution:

%windir%\system32\imode.exe

%windir%\system32\imode.exe k33pm3

services.exe

Creates the Following MUTEX(s) on user's System:-
raspbfile
/sys/i386/conf/lint
lamebotv4
lamebotv5
lamebotv6
lamebotv7
lamebotv8
lamebotv9
lamebotva
lamebotvb
lamebotvc
lamebotvd
lamebotve
lamebotvf
lamebotv10
lamebotv11
lamebotv12
lamebotv13
lamebotv14
lamebotv15

NOTE:

1. %windir% Refers to the windows root folder. By default it is 'C:\Windows'
2. %workingdir% Refers to the current directory in which user is working.

Important: We strongly recommend that you backup the Registry before making any changes to it. Incorrect changes to the Registry can result in permanent data loss or corrupted Files. Modify the malicious\suspicious Subkeys only.

Click Here for more spywarelib.com recommended PC Security and Optimization Tools

To modify registry entries in Windows Operating System:
Follow Steps:
1. Click Start > Run
2. Type “regedit” : to open registry editor
3. Navigate to required registry Key from the Left Tree control and modify accordingly.


Microsoft Gold Certified Partner

© Systweak Inc., 1999-2011 All rights reserved.