Win32/Lamechi [Threat Name]

Win32/Lamechi.F [Threat Variant Name]

Category trojan
Size 34816 B
Detection created Nov 24, 2010
Detection database version 5645
Aliases Trojan.Win32.Vilsel.aqyv (Kaspersky)
  TrojanDropper:Win32/Lamechi.A (Microsoft)
  Trojan.Zlob (Symantec)
Short description

Win32/Lamechi.F is a trojan which tries to download other malware from the Internet.

Installation

When executed, the trojan creates the following files:

  • %temp%\%variable% (38912 B, Win32/Lamechi.F)
  • %systemroot%\system32\rmoc3260.tlb (38912 B, Win32/Lamechi.F)

A string with variable content is used instead of %variable%.


The trojan modifies the following file:

  • %system%\actxprxy.dll

The modified file contains the original program code along with the trojan's own code.


The trojan may create the following files:

  • %programfiles%\Real\atrc32.dll
  • %programfiles%\Real\pnen3260.dll
  • %programfiles%\Real\pngu3267.dll

The trojan may set the following Registry entries:

  • [HKEY_CLASSES_ROOT\CLSID\{AD26AC5F-8421-419C-8692-ED1FE74D0FE8}\InprocServer32]
    • "Default" = "%programfiles%\Real\atrc32.dll"
    • "ThreadingModel" = "Apartment"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    • "RealCodec" = "{AD26AC5F-8421-419C-8692-ED1FE74D0FE8}"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
  • %filepath%

Instead of %filepath%, the value(s) are taken from the following Registry entry:

  • [HKEY_CLASSES_ROOT\htmlfile\shell\open\command]
    • "Default" = "%filepath%"
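
As an added defender-side example (not part of the ESET entry), the following Python evaluates an offline host inventory against the installation indicators listed above: the ShellServiceObjectDelayLoad value, the CLSID's InprocServer32 path, and the dropped files. The inventory dictionaries are a constructed stand-in for endpoint telemetry or an offline registry and file listing, and the function name is my own.

```python
from __future__ import annotations

# Indicators taken from the entry above; the check itself is an added example.
LAMECHI_CLSID = "{AD26AC5F-8421-419C-8692-ED1FE74D0FE8}"
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
INPROC_KEY = f"HKEY_CLASSES_ROOT\\CLSID\\{LAMECHI_CLSID}\\InprocServer32"
DROPPED_DLLS = {r"%programfiles%\real\atrc32.dll", r"%programfiles%\real\pnen3260.dll",
                r"%programfiles%\real\pngu3267.dll"}
TLB_PATH, TLB_SIZE = r"%systemroot%\system32\rmoc3260.tlb", 38912


def check_lamechi_indicators(registry: dict[str, dict[str, str]], files: dict[str, int]) -> list[str]:
    """Return one finding per matched indicator (empty list: nothing matched).

    registry maps key path -> {value name: data}; files maps path -> size in bytes.
    Key paths, value names and paths compare case-insensitively, as on Windows.
    """
    reg = {k.lower(): v for k, v in registry.items()}
    fs = {p.lower(): s for p, s in files.items()}
    findings = []
    # Persistence: an SSODL value naming the CLSID makes explorer.exe load it at shell start.
    for name, data in reg.get(SSODL_KEY.lower(), {}).items():
        if data.upper() == LAMECHI_CLSID:
            findings.append(f"SSODL value '{name}' references CLSID {LAMECHI_CLSID}")
    # COM registration: the CLSID's in-process server resolving to one of the dropped DLLs.
    inproc = reg.get(INPROC_KEY.lower(), {})
    server = next((d for n, d in inproc.items() if n.lower() == "default"), "").lower()
    if server in DROPPED_DLLS:
        findings.append(f"InprocServer32 of {LAMECHI_CLSID} points to {server}")
    # Dropped components: DLLs under %programfiles%\Real and the .tlb with the listed size.
    for path in sorted(DROPPED_DLLS.intersection(fs)):
        findings.append(f"dropped DLL present: {path}")
    if fs.get(TLB_PATH) == TLB_SIZE:
        findings.append(f"{TLB_PATH} present with size {TLB_SIZE} B")
    return findings


# Constructed sample inventory (not real telemetry): one benign SSODL entry with a
# placeholder CLSID plus this entry's indicators as they would appear on an infected host.
SAMPLE_REGISTRY = {
    SSODL_KEY: {"RealCodec": LAMECHI_CLSID, "ExampleBenign": "{11111111-2222-3333-4444-555555555555}"},
    INPROC_KEY: {"Default": r"%programfiles%\Real\atrc32.dll", "ThreadingModel": "Apartment"},
}
SAMPLE_FILES = {r"%programfiles%\Real\atrc32.dll": 34816, r"%systemroot%\system32\rmoc3260.tlb": 38912}

if __name__ == "__main__":
    for finding in check_lamechi_indicators(SAMPLE_REGISTRY, SAMPLE_FILES):
        print(finding)
```

On a live host the same inventory shape can be filled from an exported registry hive and a file listing, so the check runs without touching the suspect machine's own tooling.
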

Other information

The trojan tries to download several files from the Internet.


The trojan contains a list of 5 URLs and uses the HTTP protocol to download from them.


The downloaded files contain encrypted executables.


These are stored in the following locations:

  • %appdata%\Tencant\%variable%.exe

After decryption, the trojan runs these files.


A string with variable content is used instead of %variable%.


The trojan may execute the following commands:

  • calc.exe
  • osk.exe

The trojan can create and run a new thread with its own program code within the following processes:

  • calc.exe
  • osk.exe

The trojan may delete the following files:

  • %appdata%\Tencent\iphlpapi.dll
