Trojan:Win32/Lisiu.A


Trojan:Win32/Lisiu.A is a trojan that can terminate certain system processes. It usually arrives in the computer by being dropped by TrojanDropper:Win32/Lisiu.A in the Windows system folder.


What to do now

Manual removal is not recommended for this threat. To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Microsoft Safety Scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.
Additional remediation instructions for this threat
This threat may make lasting changes to a computer’s configuration that are NOT restored by detecting and removing this threat. For more information on returning an infected computer to its pre-infected state, please see the following article/s: 

Threat behavior

Trojan:Win32/Lisiu.A is a trojan that can terminate certain system processes. It usually arrives in the computer by being dropped by TrojanDropper:Win32/Lisiu.A in the Windows system folder.
Installation
Trojan:Win32/Lisiu.A may be dropped by TrojanDropper:Win32/Lisiu.A as the following files:
 
  • <system folder>\mswsock32.dll
  • <system folder>\imedllhost09.ime
 
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
 
It may create or modify (if they exist) the following registry entries, in effect installing its components. Registering imedllhost09.ime as the "Ime File" of keyboard layout E0200804 and adding that layout to the current user's Preload list causes Windows to load the file as an Input Method Editor (IME) DLL whenever the layout is activated, which is how the dropped component gets executed:
 
Adds value: "Ime File"
With data: "imedllhost09.ime"
To subkey: HKLM\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804
 
Adds value: "2"
With data: "e0200804"
To subkey: HKCU\Keyboard Layout\Preload
 
Adds value: "1001"
With data: "<system folder>\mswsock.dll"
To subkey: HKLM\SYSTEM\Setup\AllowStart\SPI_Pause
 
Trojan:Win32/Lisiu.A creates the following mutex to ensure only one instance of itself is running in memory:
 
  • __ssav
Payload
Terminates processes
Trojan:Win32/Lisiu.A terminates the following processes and removes their corresponding services from the system registry:
 
  • 360deepscan.exe
  • 360safe.exe
  • 360tray.exe
  • alg.exe
  • avp.exe
  • ccenter.exe
  • ccsvchst.exe
  • dsmain.exe
  • egui.exe
  • ekrn.exe
  • hwapi.exe
  • krnl360svc.exe
  • mcagent.exe
  • mclogcln.exe
  • mcnasvc.exe
  • mcods.exe
  • mcpromgr.exe
  • mcregist.exe
  • mcshield.exe
  • mcsvrcnt.exe
  • mcsysmon.exe
  • mctskshd.exe
  • mcupdmgr.exe
  • mcupdui.exe
  • mcusrmgr.exe
  • mcvsshld.exe
  • mpfalert.exe
  • mpfsrv.exe
  • ravmond.exe
  • ravtask.exe
  • redirsvc.exe
  • rsnetsvr.exe
  • rstray.exe
  • safeboxtray.exe
  • scanfrm.exe
  • superkiller.exe
  • zhudongfangyu.exe
 
Most of these processes belong to security products, including Qihoo 360, Kaspersky, Symantec, ESET, McAfee and Rising; alg.exe is the Windows Application Layer Gateway service, which is not a security product but is terminated as well.
 
Trojan:Win32/Lisiu.A may also stop the service associated with the following driver file in the system folder:
 
  • KillIS.sys
 
Connects to a Web site
Trojan:Win32/Lisiu.A connects to the following Web site:
 
  • b.vv29.com
 
It opens a specific ASP page from this site. It may also download and execute a file from this site. At the time of this writing, the file to be downloaded is not available.
 
Analysis by Francis Allan Tan Seng

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    • <system folder>\mswsock32.dll
    • <system folder>\imedllhost09.ime
  • The presence of the following registry modifications:
    • Value: "Ime File"
      With data: "imedllhost09.ime"
      To subkey: HKLM\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804
    • Value: "2"
      With data: "e0200804"
      To subkey: HKCU\Keyboard Layout\Preload
    • Value: "1001"
      With data: "<system folder>\mswsock.dll"
      To subkey: HKLM\SYSTEM\Setup\AllowStart\SPI_Pause
  • Some of your processes or services, especially those that may be related to security software, are not working properly
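The following PowerShell script is an added example, not part of the original encyclopedia entry and not Microsoft tooling. It checks a host for the file, registry and mutex indicators listed in the Installation and Symptoms sections, and then goes one step further than the entry: it enumerates every registered keyboard layout that names an "Ime File" and reports any whose DLL is missing or not validly signed, so that a renamed variant using the same IME-loading trick is still surfaced. Three things are assumptions rather than facts from the entry: CurrentControlSet is checked alongside the listed ControlSet001 because it is the live control set; the mutex is probed both as "__ssav" and as "Global\__ssav" because the entry does not state its namespace; and an unsigned or missing IME file is flagged for review, not declared malicious.

```powershell
# Added example (not from the original entry): read-only check for the
# Trojan:Win32/Lisiu.A indicators, plus a generic sweep of registered IME files.
# Run from an elevated PowerShell prompt so HKLM and the system folder are readable.

$sys = [Environment]::SystemDirectory   # resolves <system folder> as described in the entry's note

# --- Indicators quoted from the entry ----------------------------------------
$files = @(
    (Join-Path $sys 'mswsock32.dll'),
    (Join-Path $sys 'imedllhost09.ime')
)

# Key, value name and expected data for each registry indicator.
# ControlSet001 is what the entry lists; CurrentControlSet is an added assumption (live view).
$regIocs = @(
    @{ Key = 'HKLM:\SYSTEM\ControlSet001\Control\Keyboard Layouts\E0200804';     Name = 'Ime File'; Data = 'imedllhost09.ime' },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0200804'; Name = 'Ime File'; Data = 'imedllhost09.ime' },
    @{ Key = 'HKCU:\Keyboard Layout\Preload';                                     Name = '2';        Data = 'e0200804' },
    @{ Key = 'HKLM:\SYSTEM\Setup\AllowStart\SPI_Pause';                           Name = '1001';     Data = (Join-Path $sys 'mswsock.dll') }
)

function Test-RegValue([string]$Key, [string]$Name, [string]$Data) {
    $props = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if (-not $props) { return $false }
    # Case-insensitive compare: the entry itself mixes E0200804 and e0200804.
    return ([string]$props.$Name -ieq $Data)
}

function Test-MutexExists([string]$Name) {
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false      # no kernel object with that name
    } catch [System.UnauthorizedAccessException] {
        return $true       # exists but cannot be opened by us: still present
    }
}

$findings = @()
foreach ($f in $files) {
    $findings += [pscustomobject]@{ Indicator = "File  $f"; Present = (Test-Path -LiteralPath $f) }
}
foreach ($r in $regIocs) {
    $findings += [pscustomobject]@{ Indicator = "Reg   $($r.Key) [$($r.Name)]"; Present = (Test-RegValue @r) }
}
# Namespace of the mutex is not stated in the entry; probe both session-local and Global (assumption).
foreach ($mx in '__ssav', 'Global\__ssav') {
    $findings += [pscustomobject]@{ Indicator = "Mutex $mx"; Present = (Test-MutexExists $mx) }
}

# --- Generic sweep: every registered IME, independent of the names above -------
# The DLL named in "Ime File" is loaded into processes that activate that layout,
# so an entry pointing at a missing or unsigned file deserves analyst review.
$layouts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Keyboard Layouts'
$imeReview = Get-ChildItem -Path $layouts -ErrorAction SilentlyContinue | ForEach-Object {
    $ime = (Get-ItemProperty -Path $_.PSPath -Name 'Ime File' -ErrorAction SilentlyContinue).'Ime File'
    if (-not $ime) { return }                       # layout has no IME; skip
    # Relative names resolve from the system folder, as the entry's own paths do.
    $path = if ([IO.Path]::IsPathRooted($ime)) { $ime } else { Join-Path $sys $ime }
    $status = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'FileMissing' }
    [pscustomobject]@{ KLID = $_.PSChildName; ImeFile = $path; Signature = $status }
}

# --- Report --------------------------------------------------------------------
Write-Host "Lisiu.A indicators:"
$findings | Format-Table -AutoSize
Write-Host "Registered IME files that are missing or not validly signed (review, not verdict):"
$imeReview | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize

if ($findings.Present -contains $true) {
    Write-Warning 'One or more Trojan:Win32/Lisiu.A indicators are present; follow the removal guidance above.'
}
```

The script changes nothing on the host; it only reads files, registry values and kernel object names, so it is safe to run on a suspect machine before a full antivirus scan. Because the trojan terminates security products, a clean result from the scanner alone is not conclusive on a machine where these indicators are present.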

Prevention


Alert level: Severe
First detected by definition: 1.71.2473.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jan 20, 2010
This entry was first published on: Apr 22, 2010
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/AVKiller.36864 (AhnLab)
  • Trojan.Win32.KillAV.fev (Kaspersky)
  • TR/Killav.fev.4 (Avira)
  • Win32/KillAV.PW (CA)
  • Trojan.AVKill.1318 (Dr.Web)
  • Win32/KillAV.NHA (ESET)
  • Trojan.Win32.Killav (Ikarus)
  • Lisiu (McAfee)
  • TROJ_KILLAV.AJM (Trend Micro)