CERT-MU Virus Alert VA-2010-3

TrojanDropper: Win32/Lisiu.A

Original issue date: March 30, 2010

It has been observed that TrojanDropper Win32/Lisiu.A is in the wild. It is a family of Trojan downloader’s that install additional malware onto the infected system and give unauthorised access to the victim system. It opens random ports and tweak registry keys to bypass the Windows firewall and potentially download further malware.

The trojan is reported as downloaded from remote system after successful exploitation of a recently patched zero day vulnerability in Microsoft internet Explorer (CVE-2010-0806 ).

The trojan is also downloaded unknowingly by a user when visiting a malicious Web site or can also be dropped by other malware. The trojan installs QVOD media player on to the victim machine.

Aliases:

W32/TrojanX.CXAB (Authentium (Command)) , Trojan.Win32.KillAV.fen (Kaspersky), Trojan.AVKill.1603 (Dr.Web), Win32/KillAV.NHH (ESET) , TROJ_LISIU.SML (Trend Micro)

• Drops following files
• %SystemDrive%\111.exe
• %SystemDrive%\qvodsetupplus3.exe
• %Temp%\qd.ini
• <system folder>\mswsock32.dll
• <system folder>\imedllhost09.ime
• Modify the registries
• HKLM\SYSTEM\ControlSet001\Control\
  Keyboard Layouts\E0200804\
  "imedllhost09.ime"="Ime File"
• KCU\Keyboard Layout\Preload\
  2= e0200804
• HKLM\SYSTEM\Setup\AllowStart\
  SPI_Pause\<system folder>\
  1001= mswsock.dll
• dd c\idw\ytm2mwok2dl8c33
  -9f4753f53ea5}"
  to value PackedCatalogItem
  for all subkeys
• KLM\SYSTEM\ControlSet001\Services\
  WinSock2\Parameters\Protocol_Catalog9\
  Catalog_Entries\000000000001 to
  HKLM\SYSTEM\ControlSet001\
  Services\WinSock2\Parameters\
  Protocol_Catalog9\Catalog_Entries\
  000000000017
• KLM\SYSTEM\CurrentControlSet\Services\
  SharedAccess\Parameters\FirewallPolicy\
  StandardProfile\AuthorizedApplications\
  List\%SystemDrive%\QvodSetupPlus3.exe=
  %SystemDrive%\qvodsetupplus3.exe:*:
  enabled:qvod
• Open the following ports 21775, 22262, 8090 (UDP) , 8090(TCP)
• Requests to the following domains
• agent.qvod . com
• tun.qvod . com
• tun01.sipphone . com
• rack.qvod . com
• pdate.qvod . com

In view of propagation of the Lisiu.A rojan variants, users are advised to implement the following countermeasures:

• Delete executables with the abovementioned names.
• Delete the registry entries made by the Trojan a mentioned above.
• Install and maintain updated anti-virus software at gateway and desktop level.
• Keep up-to-date on patches and fixes on the operating system.
• Install and maintain Desktop Firewall and block the ports which are not required.
• Exercise caution while visiting trusted/untrusted sites.
• Disable Active Scripting through Browsers while visiting untrusted websites.

References
http://www.microsoft.com/security/portal/Threat/Encyclopedia/
Entry.aspx?Name=TrojanDropper%3aWin32%2fLisiu.A
http://www.microsoft.com/security/portal/Threat/Encyclopedia/
Entry.aspx?Name=Trojan%3aWin32%2fLisiu.A
http://www.threatexpert.com/report.aspx?md5=f6126758d79255
c1047444d8d987a1e1
http://www.cert-in.org.in/currentacts/currentact.htm#Exploit
http://www.microsoft.com/technet/security/Bulletin/
MS10-018.mspx
http://www.cert-in.org.in/vulnerability/civn-2010-66.htm

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

E-mail:


Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
9th Floor, Stratton Court
La Poudriere Street
Port Louis