
Backdoor:Win32/Letrofen.A


First posted on 19 February 2009.
Source: SecurityHome

Aliases:

There are no other names known for Backdoor:Win32/Letrofen.A.

Explanation:

Backdoor:Win32/Letrofen.A is a backdoor trojan that may be dropped on a system when a user browses certain malicious sites.

Symptoms
System Changes
The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    <system folder>\winnet.dll
  • The presence of the following registry value and data:
    Value: "DllName"
    With data: "<system folder>\winnet.dll"
    In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System


  • Backdoor:Win32/Letrofen.A is a backdoor trojan that may arrive in the system when a user browses certain malicious sites.

    Installation
    Backdoor:Win32/Letrofen.A may be dropped on the system by other malware when a user browses certain malicious sites containing an exploit identified as Exploit:JS/Mult.BF. When a webpage that includes Exploit:JS/Mult.BF is loaded, shellcode is executed on the system, which downloads a trojan dropper identified as TrojanDropper:Win32/Letrofen.A. When TrojanDropper:Win32/Letrofen.A is executed by the exploit, it drops a backdoor trojan identified as Backdoor:Win32/Letrofen.A as the following file:
    <system folder>\winnet.dll

    Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

    The registry is modified to execute Backdoor:Win32/Letrofen.A at each Windows start:
    Adds value: "DllName"
    With data: "<system folder>\winnet.dll"
    To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System

    It creates the mutex "LengTroFeng".

    Payload
    Backdoor Functionality
    When executed, Backdoor:Win32/Letrofen.A runs a hidden copy of Internet Explorer to perform its backdoor routines. It connects to the following remote server and UDP port:
    jiaozhu100.9966.org:443
    It may then accept commands from a remote attacker, including the following:
  • Terminate a process
  • Spawn a remote command shell
  • Take a screenshot of the desktop

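The persistence described above relies on a Winlogon Notify package, so a defender can check for it by exporting the Notify key and inspecting each subkey's DllName. The following script is an added example, not part of the original entry or of the Microsoft analysis it reproduces: it parses a constructed .reg export (string values and hex(2) REG_EXPAND_SZ values, with line continuation), reports any DllName matching the winnet.dll indicator from this entry, and also reports Notify packages whose DLL is outside a baseline list. The baseline DLL names, the sample export and the subkey names other than System are assumptions for illustration; on a real host you would feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`.

```python
"""Added example (not from the original malwarePDF/Microsoft entry):
flag Winlogon Notify packages in a .reg export, including the
winnet.dll indicator documented for Backdoor:Win32/Letrofen.A."""
import re
from typing import Dict, List

# Indicators taken from the entry itself.
IOC_DLL_NAME = "winnet.dll"
NOTIFY_KEY_PREFIX = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
    r"\CurrentVersion\Winlogon\Notify"
)

# Assumed baseline of Notify DLLs for an XP-era golden image (tune per environment).
BASELINE_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
    "sclgntfy.dll", "wlnotify.dll", "wzcdlg.dll",
}

# Constructed .reg export fragment (not a real capture); note the doubled
# backslashes and the hex(2) UTF-16LE encoding that real exports use.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\scecli]
"DllName"="scecli.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System]
"DllName"="C:\\WINDOWS\\system32\\winnet.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\unknownpkg]
"DllName"="notify_example.dll"
'''


def decode_value(raw: str) -> str:
    """Decode a .reg value: quoted string or hex(2) (REG_EXPAND_SZ, UTF-16LE).
    Other types (dword, binary) are returned unchanged."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: [key] headers and
    "name"=value lines, joining backslash-continued hex lines first."""
    logical: List[str] = []
    pending = ""
    for raw_line in text.splitlines():
        stripped = raw_line.strip()
        if stripped.endswith("\\"):
            pending += stripped[:-1]
            continue
        logical.append(pending + stripped)
        pending = ""

    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def find_suspicious_notify_packages(reg: Dict[str, Dict[str, str]]) -> List[dict]:
    """Return one finding per Notify subkey whose DllName is the documented
    indicator or is not in the baseline."""
    findings = []
    prefix = NOTIFY_KEY_PREFIX.lower() + "\\"
    for subkey, values in reg.items():
        if not subkey.lower().startswith(prefix) or "DllName" not in values:
            continue
        dll = values["DllName"]
        base = dll.replace("/", "\\").split("\\")[-1].lower()
        if base == IOC_DLL_NAME:
            findings.append({"subkey": subkey, "dll": dll,
                             "reason": "matches Backdoor:Win32/Letrofen.A indicator"})
        elif base not in BASELINE_NOTIFY_DLLS:
            findings.append({"subkey": subkey, "dll": dll,
                             "reason": "Notify package not in baseline"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_notify_packages(parse_reg_export(SAMPLE_REG)):
        print(f"{f['subkey']}\n    DllName = {f['dll']}  ({f['reason']})")
```

Matching on the file name alone is deliberate: the entry notes that the malware resolves the System folder at run time, so the path prefix varies by Windows version while the DLL name does not. The baseline check catches other Notify packages the indicator list would miss, which is the more durable part of the detection.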

  • Analysis by Patrick Nolan and Jireh Sanico

    Last update 19 February 2009
