
Trojan:Win32/Lethic.F


First posted on 16 May 2012.
Source: Microsoft

Aliases :

There are no other names known for Trojan:Win32/Lethic.F.

Explanation :



Trojan:Win32/Lethic.F is a trojan that connects to remote servers, which may give an unauthorized user access to an affected computer.



Installation

When executed, Trojan:Win32/Lethic.F copies itself as the following:

  • C:\Recycler\s-1-5-21-0243236031-425636379-881863308-0455\freegifthq.exe
  • C:\Recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe
  • C:\Recycler\s-1-5-21-0243336031-4052116379-881863308-0851\vss132.exe
  • C:\Recycler\s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe


It modifies the following registry entries to ensure that its copy executes at each Windows start:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Taskman"
With data: "C:\Recycler\s-1-5-21-0243236031-425636379-881863308-0455\freegifthq.exe"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Taskman"
With data: "C:\Recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe"

In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,C:\Recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Tnaww"
With data: "C:\Recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "12CFG914-K641-26SF-N32P"
With data: "C:\Recycler\s-1-5-21-0243336031-4052116379-881863308-0851\vss132.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "12CFG914-K641-26SF-N32P"
With data: "C:\Recycler\s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe"

It also creates the following files on an affected computer:

  • C:\Recycler\s-1-5-21-0243236031-425636379-881863308-0455\desktop.ini
  • C:\Recycler\s-1-5-21-0243556031-888888379-781863308-1413\desktop.ini
  • C:\Recycler\s-1-5-21-0243336031-4052116379-881863308-0851\desktop.ini


It uses code injection to hinder detection and removal. When Trojan:Win32/Lethic.F executes, it may inject code into running processes, for example "explorer.exe".
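The autostart entries listed above can be checked offline against a registry export. The following Python is an added example; it is not part of the original Microsoft write-up and not the malware's own code. It parses a .reg-format export (the sample embedded in the block is constructed: it reproduces the Winlogon and Run values from this page and adds one benign "OneDrive" Run value for contrast) and flags the three conditions a responder would look for: an autostart pointing at an executable under C:\Recycler, a Winlogon "Shell" value that is not the default explorer.exe, and a Winlogon "Taskman" value being present at all. The .reg input format and the benign sample value are assumptions of the example.

```python
import re

# Constructed sample registry export (.reg syntax), not taken from an
# infected host: it reproduces the Lethic.F autostart entries from the
# write-up and adds one benign Run value ("OneDrive") for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Taskman"="C:\\Recycler\\s-1-5-21-0243236031-425636379-881863308-0455\\freegifthq.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Recycler\\s-1-5-21-0243556031-888888379-781863308-1413\\syitm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"Tnaww"="C:\\Recycler\\s-1-5-21-0243556031-888888379-781863308-1413\\syitm.exe"
"12CFG914-K641-26SF-N32P"="C:\\Recycler\\s-1-5-21-0243336031-4052116379-881863308-0851\\vss132.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" lines; .reg escapes backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# An executable inside C:\Recycler\<SID-shaped directory>\ ; a real
# recycle bin never holds an autostarted .exe. Case-insensitive, as NTFS is.
RECYCLER_EXE_RE = re.compile(r'(?i)\\recycler\\s-1-5-[\d-]+\\[^\\\s"]+\.exe')
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"


def _unescape(s):
    # Undo the .reg escaping: "\\" -> "\" and "\"" -> '"'.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, data) for every string value in a .reg export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def scan_reg_export(text):
    """Flag autostart values matching the Lethic.F persistence pattern."""
    findings = []
    for key, name, data in parse_reg_export(text):
        reasons = []
        k, n = key.lower(), name.lower()
        if k.endswith(WINLOGON_SUFFIX):
            if n == "shell" and data.strip().lower() != "explorer.exe":
                reasons.append("Winlogon Shell is not the default explorer.exe")
            if n == "taskman":
                reasons.append("Winlogon Taskman is set (normally absent)")
        if RECYCLER_EXE_RE.search(data):
            reasons.append("autostart points at an executable under C:\\Recycler")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}")
        print(f"    data: {f['data']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

A real export produced by reg.exe is UTF-16 with a byte-order mark, so read it with encoding="utf-16" before passing it to scan_reg_export. Only string (REG_SZ) values are parsed, which is enough for the Winlogon and Run values this family uses.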



Payload

Connects to a remote server

Win32/Lethic attempts to establish a connection to remote servers through various TCP ports. For example:

  • 220.196.42.133 via TCP port 1199
  • 64.120.147.197 via TCP port 8900
  • newss.alwaysproxy.info via TCP port 1199


Once connected, it may allow remote access and control of an affected computer.
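Matching the network indicators above against traffic logs, as an added example that is not from the original write-up: the block consumes a constructed connection/DNS log whose one-line-per-event format is invented for the example (an assumption, not a real sensor format) and flags connections to the listed addresses and lookups of the listed name as high confidence, escalates a connection to any address the listed name resolved to earlier in the log, and reports a bare port match on 1199 or 8900 as low confidence only, since those ports on their own are not an indicator. Non-indicator destinations in the sample use RFC 5737 documentation ranges.

```python
import re

# Indicators from the write-up: listed C2 addresses/name and ports.
C2_ADDRESSES = {"220.196.42.133", "64.120.147.197", "newss.alwaysproxy.info"}
C2_PORTS = {1199, 8900}

# Constructed log in an invented one-line-per-event format (an assumption
# of this example, not a real sensor format). Non-indicator destinations
# use documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2012-05-16T10:01:02Z conn 10.0.0.5:49152 -> 220.196.42.133:1199 tcp
2012-05-16T10:01:05Z conn 10.0.0.5:49153 -> 203.0.113.8:443 tcp
2012-05-16T10:02:11Z dns 10.0.0.7 query newss.alwaysproxy.info A -> 198.51.100.23
2012-05-16T10:02:12Z conn 10.0.0.7:49201 -> 198.51.100.23:1199 tcp
2012-05-16T10:03:40Z conn 10.0.0.9:49310 -> 64.120.147.197:8900 tcp
2012-05-16T10:04:00Z conn 10.0.0.9:49311 -> 192.0.2.10:8900 tcp
"""

CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\w+)$")
DNS_RE = re.compile(
    r"^(?P<ts>\S+) dns (?P<src>\S+) query (?P<qname>\S+) (?P<qtype>\w+) -> (?P<answer>\S+)$")


def match_c2_indicators(log_text):
    """Return a finding with a confidence level for each matching log line."""
    findings = []
    resolved = {}  # answer IP -> the C2 name it was returned for
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DNS_RE.match(line)
        if m:
            qname = m["qname"].lower().rstrip(".")
            if qname in C2_ADDRESSES:
                resolved[m["answer"]] = qname
                findings.append({"line": line, "confidence": "high",
                                 "reason": f"DNS lookup of C2 name {qname}"})
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        dst, dport, proto = m["dst"], int(m["dport"]), m["proto"].lower()
        if dst in C2_ADDRESSES:
            findings.append({"line": line, "confidence": "high",
                             "reason": f"connection to listed C2 address {dst}"})
        elif dst in resolved:
            findings.append({"line": line, "confidence": "high",
                             "reason": f"connection to {dst}, resolved earlier from C2 name {resolved[dst]}"})
        elif proto == "tcp" and dport in C2_PORTS:
            # Port alone is weak evidence: plenty of legitimate traffic uses these ports.
            findings.append({"line": line, "confidence": "low",
                             "reason": f"TCP port {dport} matches a C2 port only; confirm before acting"})
    return findings


if __name__ == "__main__":
    for f in match_c2_indicators(SAMPLE_LOG):
        print(f"[{f['confidence']}] {f['reason']}\n    {f['line']}")
```

The DNS-to-connection correlation is what makes the hostname indicator useful: the address behind newss.alwaysproxy.info is not listed on this page, so a connection to it would otherwise surface only as a low-confidence port match.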



Analysis by Hyun Choi

Last update 16 May 2012
