Lazyadmin
Type File virus
Creator ArkhAdmin
Date Discovered 09-DEC-2002
Place of Origin
Source Language
Platform Microsoft Windows
Infection Length 1,212 bytes
Reported Costs

LazyAdmin, also known as Lazymin or Lamin, is a polymorphic virus that infects 32-bit Windows systems. It also contains a keylogger and a backdoor server function.

Behavior

When an infected file is executed, LazyAdmin decrypts itself and becomes memory resident. It creates a .dll file, either in the System folder under a random name or at the root of the C: drive as Rar$DI01.903; this file carries out all of the virus's malicious activity. It then executes the .dll file and returns control to the original host program. The .dll file logs all keystrokes on the system.

The .dll file is also responsible for file infection. Every 5 minutes, LazyAdmin searches drives A: to Z: for executable files to infect and appends itself to them. It skips files whose names contain the strings "NAVW32" or "RUNDLL32".

It interferes with the operation of Regmon and Filemon, the tools that monitor changes to the registry and the file system respectively. It also deletes the files avp_cure.bat and Rar$DI01.903.

It sets the following registry keys and values:

  • HKEY_CLASSES_ROOT\CLSID\{52F7FFDF-D0CF-5CC3-5F4F-C6D8F7D65F0D}\InProcServer32, (Default) = "%System%\[name of the dll component].dll"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\MSDN, with the values "IDT", "PSBAHMBS", "Fprt", "KSE" and "EkeyID"

After infection, LazyAdmin attempts to connect to an IRC server and join a channel on it, trying the servers irc.arkhnet.com, irc.dal.net, irc.rtdptrx.es and powertech.no.eu.dal.net. The virus attempts to bypass certain personal firewall products by creating registry entries that allow this communication.

It contains the lines:

LazyAdmin-VX v3.1 by ArkhAdmin
[DLL] Release: 12:00 07/20/2003
-LazyUsхrs-

Variants

LazyAdmin.B, a much more sophisticated version of the original, was discovered around 5 November 2003. The .exe infection is 32,768 bytes and the .dll is 31,964 bytes. In addition to logging keystrokes, it grabs clipboard content, collects system information (including IP addresses), captures what is displayed on the monitor, and steals passwords. It installs an FTP server on the infected machine, listening on port 14400 by default (the attacker can change the port). It gives the attacker the ability to open and close ports, close applications, format the hard drive, reboot the system, erase the CMOS, and download and execute files.

It uses RUNDLL32.EXE (a legitimate Windows utility that runs a function exported by a DLL as if it were an application) to run the DLL and then returns control to the host program. It adds the following registry key, which registers the DLL as a COM in-process server rather than as a Windows service: HKEY_CLASSES_ROOT\CLSID\{52F7FFDF-D0CF-5CC3-5F4F-C6D8F7D65F0D}\InProcServer32 with "(Default)" = "[name].dll" and "ThreadingModel" = "Apartment". It also adds the values "IDT", "PSBAHMBS", "Fprt", "KSE" and "EkeyID" under the key HKEY_LOCAL_MACHINE\Software\Microsoft\MSDN, which it uses to store the settings of the installed FTP server (port, runtime, etc.).
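As an added example (not code from the page's sources or from the virus's author), the following Python checks the text of an exported Windows .reg file for the persistence indicators listed here and in the Behavior section: the InProcServer32 entry under the CLSID and the five value names under HKEY_LOCAL_MACHINE\Software\Microsoft\MSDN. The export text, the DLL name and the stored data are constructed for illustration; the value names are matched case-insensitively because registry value names are. Against a real machine, export the keys with reg.exe (`reg export HKCR\CLSID\{52F7FFDF-D0CF-5CC3-5F4F-C6D8F7D65F0D} clsid.reg`, an assumed invocation) and read the file with the utf-16 encoding that reg.exe writes.

```python
"""Scan a Windows .reg export for LazyAdmin's registry indicators.

Added example, not part of the page's sources: parses .reg text and reports the
CLSID InProcServer32 entry and the MSDN values described on the page."""
from typing import Dict, List, Optional, Tuple

# Indicators quoted on the page.
CLSID = "{52F7FFDF-D0CF-5CC3-5F4F-C6D8F7D65F0D}"
MSDN_VALUES = {"IDT", "PSBAHMBS", "FPRT", "KSE", "EKEYID"}  # compared case-insensitively


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' text into
    {key path: {value name: raw data}}. The default value is stored as '(Default)'.
    Only single-line values are handled, which covers string and dword data."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.startswith("Windows Registry Editor") or line == "REGEDIT4"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, data = line.split("=", 1)
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = data.strip()
    return keys


def find_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key path, value name, raw data) for every LazyAdmin indicator present."""
    found: List[Tuple[str, str, str]] = []
    for path, values in keys.items():
        upper = path.upper()
        if CLSID in upper and upper.endswith("\\INPROCSERVER32"):
            # Any value under the virus's CLSID in-process server key is suspect.
            for name, data in values.items():
                found.append((path, name, data))
        elif upper.endswith("\\SOFTWARE\\MICROSOFT\\MSDN"):
            # Only the specific value names the virus uses are reported.
            for name, data in values.items():
                if name.upper() in MSDN_VALUES:
                    found.append((path, name, data))
    return found


def scan_text(text: str) -> List[Tuple[str, str, str]]:
    """Convenience wrapper: parse an export and return the indicator hits."""
    return find_indicators(parse_reg_export(text))


# Constructed export text for illustration (the DLL name and the stored data are
# made up; dword 0x3840 is 14400, the default FTP port given on the page).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{52F7FFDF-D0CF-5CC3-5F4F-C6D8F7D65F0D}\InProcServer32]
@="C:\\WINDOWS\\SYSTEM32\\kqzvp.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDN]
"Fprt"=dword:00003840
"IDT"="4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Benign"="C:\\Program Files\\Tool\\tool.exe"
"""

if __name__ == "__main__":
    for path, name, data in scan_text(SAMPLE_EXPORT):
        print(f"{path} -> {name} = {data}")
```

The parser deliberately reports everything under the CLSID's InProcServer32 key, since a legitimate system has no reason to have that CLSID at all, but it reports only the five known value names under the MSDN key, because that key path can exist on machines with developer tooling installed.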

It searches for files to infect on drives from C: to Z: every 5 minutes.

It connects on port 6667 (the standard IRC port) to the servers irc.dal.net, irc.arkhnet.com, irc.rtdptrx.es and powertech.no.eu.dal.net, where it awaits commands from a remote user and can carry out the actions listed above.

LazyAdmin.B deletes the files C:\avp_cure.bat and C:\Rar$DI01.903 to hinder some antivirus programs. It also hinders the activity of Regmon and Filemon.

Origin

When the virus is decrypted, it reveals what may be the signature of its creator, ArkhAdmin. This name has not been seen before or since. Despite being polymorphic and encrypted, it could be detected heuristically before a signature for it existed, probably because the key was only four bytes long and the scheme was always a simple XOR. Given the domains of the servers it connects to (irc.rtdptrx.es is under Spain's .es domain and powertech.no.eu.dal.net carries the Norwegian .no label), possible places of origin include Spain or Norway.
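The weakness described in this paragraph, shown as an added example (not the virus's own code and not from the page's sources): a known-plaintext attack that recovers a repeating four-byte XOR key from an encrypted body by sliding one of the marker strings quoted above across it, then confirms the key by checking that the decrypted body contains every marker. The encrypted sample, its filler bytes and the key 8f13a742 are constructed for illustration. Any scanner that knows the marker strings can do the same, which is why a short fixed-length XOR layer adds little over no encryption at all.

```python
"""Known-plaintext recovery of a short repeating XOR key.

Added example, not the virus's code: demonstrates why a four-byte XOR layer
does not hide LazyAdmin's marker strings from a heuristic scanner."""
from typing import List, Optional, Tuple

KEY_LEN = 4

# Marker strings quoted on the page; the decrypted body contains them.
MARKERS = [b"LazyAdmin-VX v3.1 by ArkhAdmin", b"[DLL] Release: 12:00 07/20/2003"]


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; encryption and decryption are the same step."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def candidate_keys(cipher: bytes, crib: bytes, key_len: int = KEY_LEN) -> List[Tuple[int, bytes]]:
    """Slide the crib across the ciphertext. At each offset, cipher ^ crib gives the
    key byte for slot (offset + i) mod key_len; an offset is a hit only if every slot
    is filled and never contradicted. Returns [(offset, key), ...]."""
    hits: List[Tuple[int, bytes]] = []
    for off in range(len(cipher) - len(crib) + 1):
        slots: List[Optional[int]] = [None] * key_len
        for i, p in enumerate(crib):
            k = cipher[off + i] ^ p
            s = (off + i) % key_len
            if slots[s] is None:
                slots[s] = k
            elif slots[s] != k:
                break  # contradiction: the crib is not at this offset
        else:
            if None not in slots:
                hits.append((off, bytes(slots)))  # type: ignore[arg-type]
    return hits


def recover_key(cipher: bytes, markers: List[bytes] = MARKERS) -> Optional[bytes]:
    """Use the first marker as the crib, then accept a candidate key only if the
    decrypted body contains all markers. Returns the key, or None if not found."""
    for _off, key in candidate_keys(cipher, markers[0]):
        plain = xor_repeating(cipher, key)
        if all(m in plain for m in markers):
            return key
    return None


# Constructed sample: a fake encrypted body (not the real virus) with filler bytes
# around the marker strings, encrypted under an assumed four-byte key.
SAMPLE_KEY = b"\x8f\x13\xa7\x42"
_filler = bytes((i * 37 + 11) & 0xFF for i in range(48))
SAMPLE_PLAIN = (_filler + MARKERS[0] + b"\x00" + _filler[::-1]
                + MARKERS[1] + b"\x00" + _filler)
SAMPLE_CIPHER = xor_repeating(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key = recover_key(SAMPLE_CIPHER)
    print("marker visible in ciphertext:", MARKERS[0] in SAMPLE_CIPHER)
    print("recovered key:", key.hex() if key else None)
```

The crib must be at least as long as the key so that every key slot is determined; with a 30-byte crib each slot is checked several times over, so wrong offsets are rejected almost immediately. Against a real sample the same approach generalizes to any short key length by trying key_len values in turn.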

Other Facts

There is also a worm that some antivirus products detect by the name Lamin. It is not related.

Sources

Kaspersky Lab, VIRUS.WIN32.LAZYMIN. 16-OCT-2003

Neal Hindocha. Symantec, W32.Lamin. 09-DEC-2002

VSantivirus, W32/Lamin.B. Peligroso virus, gusano y caballo de Troya (Dangerous virus, worm and Trojan horse). 17-NOV-2003


Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License