
Virus Detail

Win32/Karwnlam.E

Date Published:
14 Jul 2008

Last Updated:
14 Jul 2008

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  None

Characteristics

Type : Trojan

Category : Win32

Also known as:  Trojan:Win32/Laqma.B (MS OneCare)

Immediate Protection Info

Signature    Product                   Removal Instructions
31.6.5848    CA Antivirus 2007
31.6.5848    eTrust Antivirus v7/8*
7.x/5848     eTrust EZ Antivirus 7.x
31.6.5848    Vet 7

Description

Win32/Karwnlam.E is a trojan that is capable of gathering and stealing system information from a compromised machine and sending it to a remote server. It also implements rootkit functionality to disguise its presence on a machine.


Method of Infection

When executed, Win32/Karwnlam.E copies itself to the %System% directory as "lanmanwrk.exe", then sets the following registry entry which allows it to automatically run at system start:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lanmanwrk.exe clean = "%System%\lanmanwrk.exe clean"


Note: %System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT; C:\Windows\System on Windows 95, 98 and ME; and C:\Windows\System32 on Windows XP and Vista.


It also drops these files to the %System% directory:


qmopt.dll
lanmandrv.sys


The trojan installs the file "lanmandrv.sys" as a new service named "lanmandrv". The service automatically loads at each system start. Win32/Karwnlam.E also sets the following associated registry entries:


HKLM\SYSTEM\CurrentControlSet\Services\lanmandrv\Type = 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\lanmandrv\Start = 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\lanmandrv\ErrorControl = 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\lanmandrv\ImagePath = "%System%\lanmandrv.sys"
HKLM\SYSTEM\CurrentControlSet\Services\lanmandrv\DisplayName = "lanmandrv"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV\0000\Service = "lanmandrv"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV\0000\Service\Legacy = 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV\0000\Service\ConfigFlags = 0x00000001
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV\0000\Service\Class = "LegacyDriver"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV\0000\Service\ClassGUID = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV\0000\Service\DeviceDesc = "lanmandrv"



Payload

Stealths Itself

Win32/Karwnlam.E uses a rootkit technique to stealth itself at execution. This allows it to:

  • Hide from process monitoring tools such as Task Manager
  • Hide its dropped files from directory listings produced by tools such as Windows Explorer and the Command Prompt
  • Hide its remote connections so that it is invisible to port monitoring tools
  • Hide the registry entries and the service it created

The rootkit component hooks System Service Descriptor Table (SSDT) functions to hide the trojan's installation and so avoid detection.
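The following PowerShell script is an added example, not part of the CA advisory, that checks a machine for the persistence artefacts listed under Method of Infection (Run value, lanmandrv service and legacy enum keys, dropped files). Because the driver hooks the SSDT, queries made from the running infected OS can be answered falsely, so the script also accepts registry roots pointing at hives loaded from a clean boot (the OffSW/OffSYS names and the D: drive letter are assumptions for illustration).

```powershell
# Added example (not the advisory's own code). Live use: .\Find-Karwnlam.ps1
# Offline use from WinPE or another Windows install, after:
#   reg load HKLM\OffSW  D:\Windows\System32\config\SOFTWARE
#   reg load HKLM\OffSYS D:\Windows\System32\config\SYSTEM
#   .\Find-Karwnlam.ps1 -SoftwareRoot HKLM:\OffSW -SystemRoot HKLM:\OffSYS -SystemDir D:\Windows\System32
param(
    [string]$SoftwareRoot = 'HKLM:\SOFTWARE',
    [string]$SystemRoot   = 'HKLM:\SYSTEM',
    [string]$SystemDir    = "$env:SystemRoot\System32"
)

$findings = @()

# 1. Run value: per the advisory the value NAME is "lanmanwrk.exe clean".
$runKey = Join-Path $SoftwareRoot 'Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'lanmanwrk.exe clean')) {
    $findings += "Run value present: $($run.'lanmanwrk.exe clean')"
}

# 2. Service and legacy-driver enum keys. An offline SYSTEM hive has no
#    CurrentControlSet link, so resolve ControlSet00N from Select\Current.
$ccs = 'CurrentControlSet'
if (-not (Test-Path (Join-Path $SystemRoot $ccs))) {
    $sel = Get-ItemProperty -Path (Join-Path $SystemRoot 'Select') -ErrorAction SilentlyContinue
    if ($sel) { $ccs = 'ControlSet{0:D3}' -f [int]$sel.Current }
}
foreach ($sub in @("$ccs\Services\lanmandrv", "$ccs\Enum\Root\LEGACY_LANMANDRV")) {
    $p = Join-Path $SystemRoot $sub
    if (Test-Path $p) { $findings += "Registry key present: $p" }
}

# 3. Dropped files in %System% (hidden from user-mode tools while the rootkit runs).
foreach ($f in 'lanmanwrk.exe', 'qmopt.dll', 'lanmandrv.sys') {
    $p = Join-Path $SystemDir $f
    if (Test-Path $p) { $findings += "File present: $p" }
}

if ($findings.Count -eq 0) {
    'No Win32/Karwnlam.E artefacts found (a scan from the live OS can still be hidden by the rootkit).'
} else {
    $findings
}
```

A result of "no artefacts" from the live system is only meaningful if the offline-hive run agrees, since the SSDT hooks hide exactly these files and keys from user-mode queries.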


Steals Sensitive Information

Win32/Karwnlam.E may gather sensitive system information about the compromised machine, such as its operating system, version and IP address. It may then report this information over HTTP to a remote web server at IP address 208.72.168.139.


Analysis by Methusela Ferrer


