Backdoor:Win32/Lukicsel.A is a backdoor trojan that allows remote access and control. It may also copy itself to removable drives.
When run, an error message may be displayed with the following text:
"File MSDXSND.DLL not found."
Backdoor:Win32/Lukicsel.A checks for or creates the event "blahblah" to ensure that it only loads once. The trojan will drop the following components detected as Win32/Lukicsel.A and Win32/Lukicsel.B:
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder location for Windows 2000 and NT is C:\Winnt\System32; for other Windows versions it is commonly C:\Windows\System32.
The trojan creates the following registry value and data:
Adds value: "data1"
With data: "<hexadecimal data>"
To subkey: HKLM\SOFTWARE\Microsoft\Active Setup\Data
It also modifies the registry to run the file "updatenf.dll" every time Windows starts:
Adds value: "DllName"
With data: "updatenf.dll"
Adds value: "Startup"
With data: "WinlogonStartupEvent"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\UpdateNf
The trojan injects code into running processes including "winlogon.exe" and "svchost.exe". The malware also creates a Windows firewall exception rule for "winlogon.exe" by modifying the registry.
Adds value: "<system folder>\winlogon.exe"
With data: "<system folder>\winlogon.exe:*:enabled:@shell32.dll,-1"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
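The two persistence artifacts above (a rogue Winlogon Notify package and a firewall exception for winlogon.exe) can be triaged offline from a .reg export of the affected hive. The following script is an added example, not part of this entry or of any vendor tool; the sample export is constructed, the full AuthorizedApplications\List path is the standard legacy Windows Firewall location (not taken from this page), and the allowlist of Notify DLLs is an assumption to be tuned against your own baseline.

```python
import re
from pathlib import PureWindowsPath

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Assumed allowlist of Winlogon Notify packages shipped with Windows XP/2003;
# adjust to your own baseline before relying on it.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "termsrv.dll", "wlballoon.dll"}
# Core system processes that never need a firewall exception of their own.
CORE_PROCESSES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}

# Constructed .reg export modelled on the values this entry describes.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\UpdateNf]
"DllName"="updatenf.dll"
"Startup"="WinlogonStartupEvent"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\System32\\winlogon.exe"="C:\\Windows\\System32\\winlogon.exe:*:enabled:@shell32.dll,-1"
"C:\\Program Files\\Example\\app.exe"="C:\\Program Files\\Example\\app.exe:*:Enabled:Example App"
'''


def scan_reg_export(text):
    """Return (category, key, detail) tuples for suspicious entries in a .reg export."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue  # header, blank lines, hex/dword values
        name, data = m.group(1), m.group(2).replace("\\\\", "\\")
        lkey = key.lower()
        if "\\winlogon\\notify\\" in lkey and name.lower() == "dllname":
            if data.lower() not in KNOWN_NOTIFY_DLLS:
                findings.append(("winlogon_notify", key, data))
        elif "\\sharedaccess\\parameters\\" in lkey:
            # Legacy firewall entries are "path:scope:Enabled:display name";
            # split from the right so the drive-letter colon stays in the path.
            parts = data.rsplit(":", 3)
            if len(parts) == 4 and parts[2].lower() == "enabled":
                if PureWindowsPath(parts[0]).name.lower() in CORE_PROCESSES:
                    findings.append(("firewall_exception", key, parts[0]))
    return findings
```

Run `scan_reg_export(SAMPLE_REG)` to see both artifacts flagged while the legitimate crypt32 package and the ordinary application exception pass.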
The malware injects code into the running process "winlogon.exe" that drops a copy of Win32/Lukicsel to removable drives as an executable. The trojan then writes an autorun configuration file named "autorun.inf" pointing to the dropped copy. When the removable drive is accessed from a machine supporting the Autorun feature, the malware is launched automatically.
Allows remote access and control
The malware drops another file "<system folder>\api.dat" used by the trojan component "<system folder>\api32.dll". This component performs the following actions, allowing remote access and control by an attacker:
Backdoor:Win32/Lukicsel.A simulates a Gnutella peer-to-peer (P2P) client and attempts connections with the following websites using varied TCP ports (in parentheses):
Once connected, it may allow a remote attacker to perform the following:
download files onto the computer
capture keystrokes to the file "<system folder>\api.dat"
redirect or capture traffic
initiate P2P connections
perform other malicious activities
Analysis by Tim Liu