W32.Lurkasys.A


Aliases: Virus:Win32/Lurka.A, IM-Worm.Win32.VB, W32.Lurkasys.A!inf, Virus.Win32.Funtik.a, Win-Trojan/Blank.34304
Variants: PE_LURKER.A-O, Backdoor.Win32.Bifrose.ago, W32/Lurka.a.sys, BDS/Agent.YPB.18, W32/Lurka-A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, Europe
Removal: Easy
Platform: W32
Discovered: 26 Dec 2007
Damage: Medium

Characteristics: Execution of the W32.Lurkasys.A in a vulnerable computer system leads to the corruption of virtually all executable files stored in the local hard drive. The infected executable files may prevent legitimate applications from launching in the compromised machine. This can lead to the lowering of security settings especially with the infection of executable files associated with security applications. This malware may drop a backdoor component using another threat.

More details about W32.Lurkasys.A

There are two new files that are created by the W32.Lurkasys.A malware when it is launched into a compromised computer system. One file makes use of the SYS file extension while the other uses the TMP format. These files are stored under the directory folder of the operating system to give them the appearance of authenticity. The W32.Lurkasys.A will modify the contents of the Windows Registry by adding a new key value that will give it the functionality of executing simultaneously with the operating system at every startup or boot up instance. The SYS format file is introduced by the W32.Lurkasys.A into the Windows Registry to prevent the infected computer system from booting into Safe Mode.

The Kernel OpenGL Service is created by the W32.Lurkasys.A in the Windows Registry service. This service is given an automatic startup property allowing it to load on system startup. This routine provides the malware with the ability to hide its background running processes from system monitoring tools and antivirus applications. Corresponding Windows Registry entries are maintained by the W32.Lurkasys.A for the newly created service. After successfully starting the service the W32.Lurkasys.A will begin its infection routine by targeting all executable files in the machine. It will then proceed to download a copy of a backdoor malware variant.