 

Trojan:Win32/Lnkhyd.A


Trojan:Win32/Lnkhyd.A is a trojan that sends information about the affected computer to a remote attacker. To execute, it modifies shortcut files in the computer to link back to it.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
Trojan:Win32/Lnkhyd.A may arrive using the following file name:
 
  • vmware.exe
 
It may be installed on the computer together with a DLL component that uses various file names. It may create the following registry entries as part of its installation routine:
 
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{7A743737-FB8C-4366-9428-05F9F9766ED5}\1.0\0\win32
Sets value: "(default)"
With data: "<Malware File>"
 
In subkey: HKLM\SOFTWARE\Classes\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}\InprocServer32
Sets value: "(default)"
With data: "<Malware File>"
 
In subkey: HKLM\SOFTWARE\Classes\Interface\{12F8918A-6FE0-452C-B90D-006147867846}
Sets value: "(default)"
With data: "icopyhook"
 
In subkey: HKLM\SOFTWARE\Classes\TypeLib\{7A743737-FB8C-4366-9428-05F9F9766ED5}\1.0
Sets value: "(default)"
With data: "mycopyhook library"
 
In subkey: HKLM\SOFTWARE\Classes\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\ProxyStubClsid
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"
 
In subkey: HKLM\SOFTWARE\Classes\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\ProxyStubClsid32
Sets value: "(default)"
With data: "{00020424-0000-0000-c000-000000000046}"
 
In subkey: HKLM\SOFTWARE\Classes\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\TypeLib
Sets value: "(default)"
With data: "{7a743737-fb8c-4366-9428-05f9f9766ed5}"
 
In subkey: HKLM\SOFTWARE\Classes\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}\TypeLib
Sets value: "(default)"
With data: "{7a743737-fb8c-4366-9428-05f9f9766ed5}"
 
In subkey: HKLM\SOFTWARE\Classes\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}
Sets value: "(default)"
With data: "copymain object"
 
In subkey: HKLM\SOFTWARE\Classes\directory\shellex\CopyHookHandlers\CopyMain
Sets value: "(default)"
With data: "{72bb4c44-dd09-4f26-a317-d88eff506576}"
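
The entries above register the malware DLL as a shell copy hook handler: a COM object listed under directory\shellex\CopyHookHandlers whose InprocServer32 path Explorer loads in-process, so a defender can audit that registration chain directly. The Python below is an added example, not part of this write-up: it walks CopyHookHandlers -> CLSID -> InprocServer32 in a .reg export; the trusted-path baseline, the ExampleHook entry and the placeholder DLL path are assumptions.

```python
import re

CLASSES = "HKEY_LOCAL_MACHINE\\SOFTWARE\\CLASSES\\"
HOOKS = CLASSES + "DIRECTORY\\SHELLEX\\COPYHOOKHANDLERS\\"
LNKHYD_CLSID = "{72BB4C44-DD09-4F26-A317-D88EFF506576}"        # CLSID listed in the write-up
TRUSTED_DLL_PREFIXES = ("C:\\WINDOWS\\", "C:\\PROGRAM FILES")  # assumed baseline; adjust per image

def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {KEY: {value: data}}; keys upper-cased, only REG_SZ values kept."""
    keys, current = {}, None
    for line in (s.strip() for s in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()          # registry paths are case-insensitive
            keys.setdefault(current, {})
        elif current is not None and (m := re.fullmatch(r'(@|"([^"]*)")="(.*)"', line)):
            name = "(default)" if m.group(1) == "@" else m.group(2)
            keys[current][name] = m.group(3).replace("\\\\", "\\")  # undo .reg backslash escaping
    return keys

def audit_copy_hooks(keys: dict) -> list:
    """Follow CopyHookHandlers\\<name> -> CLSID -> InprocServer32 for every registered copy hook;
    returns (handler name, CLSID, DLL path, verdict). Each DLL listed is one Explorer will load."""
    findings = []
    for key, values in keys.items():
        if not key.startswith(HOOKS) or "\\" in key[len(HOOKS):]:
            continue  # not a handler key, or a sub-key below one
        clsid = values.get("(default)", "").upper()
        dll = keys.get(f"{CLASSES}CLSID\\{clsid}\\INPROCSERVER32", {}).get("(default)", "")
        if clsid == LNKHYD_CLSID:
            verdict = "known Trojan:Win32/Lnkhyd.A CLSID"
        elif not dll:
            verdict = "CLSID has no InprocServer32"
        elif not dll.upper().startswith(TRUSTED_DLL_PREFIXES):
            verdict = "handler DLL outside trusted locations"
        else:
            verdict = "ok"
        findings.append((key[len(HOOKS):], clsid, dll, verdict))
    return findings

# Constructed sample of a `reg export HKLM\SOFTWARE\Classes classes.reg`, trimmed to the relevant
# keys. ExampleHook and its CLSID/DLL are invented; the CopyMain DLL path is a placeholder.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\System32\\examplehook.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}\InprocServer32]
@="C:\\Users\\Public\\malware_placeholder.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\directory\shellex\CopyHookHandlers\ExampleHook]
@="{11111111-2222-3333-4444-555555555555}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\directory\shellex\CopyHookHandlers\CopyMain]
@="{72bb4c44-dd09-4f26-a317-d88eff506576}"
'''
```

Handler names come back upper-cased because the parser normalises key paths; on a live host the same walk can be done against `reg export` output of HKLM\SOFTWARE\Classes.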
 
To execute, Trojan:Win32/Lnkhyd.A searches for LNK files in the following locations:
 
  • %HOMEPATH%/Desktop
  • %PUBLIC%/Desktop
  • %ProgramFiles%
  • %AppData%\Microsoft\Internet Explorer\Quick Launch
 
It then modifies each LNK file so that opening it executes the malware instead. As a result, the shortcut no longer launches the program it originally pointed to.
Payload
Steals information
Trojan:Win32/Lnkhyd.A may connect to remote websites to send information about the computer, such as its MAC address and operating system version.
 
Analysis by Elda Dimakiling

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following file:
    vmware.exe
  • The presence of the following registry modifications:
    In subkey: HKLM\SOFTWARE\Classes\TypeLib\{7A743737-FB8C-4366-9428-05F9F9766ED5}\1.0\0\win32
    Value: "(default)"
    Data: "<Malware File>"
     
    In subkey: HKLM\SOFTWARE\Classes\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}\InprocServer32
    Value: "(default)"
    Data: "<Malware File>"
     
    In subkey: HKLM\SOFTWARE\Classes\Interface\{12F8918A-6FE0-452C-B90D-006147867846}
    Value: "(default)"
    Data: "icopyhook"
     
    In subkey: HKLM\SOFTWARE\Classes\TypeLib\{7A743737-FB8C-4366-9428-05F9F9766ED5}\1.0
    Value: "(default)"
    Data: "mycopyhook library"
     
    In subkey: HKLM\SOFTWARE\Classes\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\ProxyStubClsid
    Value: "(default)"
    Data: "{00020424-0000-0000-c000-000000000046}"
     
    In subkey: HKLM\SOFTWARE\Classes\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\ProxyStubClsid32
    Value: "(default)"
    Data: "{00020424-0000-0000-c000-000000000046}"
     
    In subkey: HKLM\SOFTWARE\Classes\Interface\{12F8918A-6FE0-452C-B90D-006147867846}\TypeLib
    Value: "(default)"
    Data: "{7a743737-fb8c-4366-9428-05f9f9766ed5}"
     
    In subkey: HKLM\SOFTWARE\Classes\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}\TypeLib
    Value: "(default)"
    Data: "{7a743737-fb8c-4366-9428-05f9f9766ed5}"
     
    In subkey: HKLM\SOFTWARE\Classes\CLSID\{72BB4C44-DD09-4F26-A317-D88EFF506576}
    Value: "(default)"
    Data: "copymain object"
     
    In subkey: HKLM\SOFTWARE\Classes\directory\shellex\CopyHookHandlers\CopyMain
    Value: "(default)"
    Data: "{72bb4c44-dd09-4f26-a317-d88eff506576}"

Prevention


Alert level: Severe
First detected by definition: 1.71.1306.0
Latest detected by definition: 1.177.289.0 and higher
First detected on: Dec 24, 2009
This entry was first published on: Mar 02, 2011
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • W32/Lnkhyd.C.gen!Eldorado (Command)
  • Defiler (AVG)
  • Win32/Kirly.F (ESET)
  • Trojan.Win32.Lnkhyd (Ikarus)
  • Trojan.Win32.Nodef.xnw (Rising AV)
  • BKDR_DELF.OUM (Trend Micro)