Win32/Lethic [Threat Name] go to Threat
Win32/Lethic.AA [Threat Variant Name]
| Category | trojan |
| Size | 43008 B |
| Detection created | Sep 11, 2009 |
| Detection database version | 10001 |
| Aliases | P2P-Worm.Win32.Palevo.rmm (Kaspersky) |
| VirTool:Win32/DelfInject.gen!BH (Microsoft) | |
| Generic.dx!nns.trojan (McAfee) |
Short description
Win32/Lethic.AA is a trojan that is used for spam distribution. It can be controlled remotely.
Installation
When executed, the trojan copies itself into the following location:
- C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe
The following file is dropped in the same folder:
- desktop.ini
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "Taskman" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
- "shell" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- "psysnew" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
Spam distribution
Win32/Lethic.AA is a trojan that is used for spam distribution.
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (1) URLs.
Other information
The trojan creates and runs a new thread with its own program code within the following processes:
- explorer.exe