Trojan:Win32/Lecpetex.B
First posted on 13 April 2017.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Lecpetex.B.
Explanation:
Installation
Trojan:Win32/Lecpetex.B can be installed by TrojanDropper:Win32/Lecpetex.B.
When run, it creates a copy of itself as an NTFS alternate data stream attached to C:\Temp, named C:\Temp:.dat, for example C:\Temp:00E3C68C.dat (an alternate data stream is not shown by a plain directory listing).
It modifies the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "svchost"
With data: "regsvr32 /s C:\Temp:.dat"
In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "svchost"
With data: "regsvr32 /s C:\Temp:.dat"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
With data: "1"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
With data: "1"
It creates a file called C:\Temp:rnd.dat to store downloaded data.
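As an added example (not part of the original Microsoft entry), the check below flags Run-key entries that match the persistence pattern described above: regsvr32 pointed at an NTFS alternate data stream, a Run value named "svchost", or a value name that is one long repeated character. The sample entries are constructed, in the (hive, value name, data) form an audit export might produce.

```python
import re

# Constructed sample of Run-key entries, not taken from a real system.
SAMPLE_RUN_ENTRIES = [
    ("HKCU", "OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKCU", "svchost", r"regsvr32 /s C:\Temp:00E3C68C.dat"),
    ("HKLM", "SecurityHealth", r"C:\Windows\system32\SecurityHealthSystray.exe"),
    ("HKLM", "VendorPlugin", r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"),
    ("HKLM", "A" * 200, "1"),
]

# regsvr32 loading code from "<drive>:\<path>:<stream>": the second colon after
# the drive letter marks an alternate data stream, which a normal DLL path lacks.
ADS_REGSVR32_RE = re.compile(
    r'^regsvr32(?:\.exe)?\s+(?:/\w+\s+)*"?([A-Za-z]:\\[^:"]*:[^\\"]+)"?',
    re.IGNORECASE,
)


def classify_run_entry(hive, name, data):
    """Return the reasons a Run entry matches Lecpetex.B's persistence pattern."""
    reasons = []
    m = ADS_REGSVR32_RE.match(data.strip())
    if m:
        reasons.append(f"regsvr32 loads code from alternate data stream {m.group(1)}")
    if name.lower() == "svchost":
        reasons.append("Run value named 'svchost' (the real svchost is a service, not a Run entry)")
    if len(name) >= 32 and len(set(name)) == 1:
        reasons.append(f"value name is a {len(name)}-character run of '{name[0]}'")
    return reasons


def scan_run_entries(entries):
    """Return (hive, truncated value name, reasons) for every suspicious entry."""
    findings = []
    for hive, name, data in entries:
        reasons = classify_run_entry(hive, name, data)
        if reasons:
            findings.append((hive, name[:20], reasons))
    return findings


if __name__ == "__main__":
    for hive, name, reasons in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{hive}\\...\\Run\\{name}: " + "; ".join(reasons))
```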
Payload
Trojan:Win32/Lecpetex.B can collect the following information from your PC:
- Computer name
- Operating system version
It sends these details to 207.12.89.163/index.php and waits for a response. Depending on the response from the remote site, it might then:
- Download code and inject it into a new instance of explorer.exe
- Update itself
Additional information
This threat won't run if it detects that it is in a virtual environment. It also uses various anti-debugging techniques.
Analysis by James Dee
Last update 13 April 2017