Win32/Lethic [Threat Name]

Win32/Lethic.AA [Threat Variant Name]

Category trojan
Size 43008 B
Detection created Sep 11, 2009
Detection database version 10001
Aliases P2P-Worm.Win32.Palevo.rmm (Kaspersky)
  VirTool:Win32/DelfInject.gen!BH (Microsoft)
  Generic.dx!nns.trojan (McAfee)
Short description

Win32/Lethic.AA is a trojan that is used for spam distribution. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:

  • C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe

The following file is dropped in the same folder:

  • desktop.ini

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Taskman" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "shell" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "psysnew" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
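
The three autostart locations above (Winlogon Taskman, Winlogon Shell and the per-user Run key, all pointing at an executable inside a RECYCLER folder) are easy to hunt for in a registry dump. The script below is an added, defender-side example written for this entry, not ESET code: it parses text in the format produced by `reg export`, and flags any value under those keys that replaces the Winlogon Shell, sets Winlogon Taskman, or launches something from a Recycle Bin folder. The registry fragment is constructed for the example; the key paths and the psysnew.exe path are the ones listed above, and the "Shell"="Explorer.exe" and OneDrive values are benign filler.

```python
"""Hunt for the Winlogon / Run persistence pattern described in this entry
in a `reg export` text dump. Added example, not ESET code."""
import re
from typing import List, NamedTuple

# Constructed sample in `reg export` format (backslashes are doubled in .reg
# files). Key paths and the psysnew.exe path are those listed on this page;
# the "Shell"="Explorer.exe" and OneDrive values are benign filler.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Taskman"="C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1455\\psysnew.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell"="C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1455\\psysnew.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"psysnew"="C:\\RECYCLER\\S-1-5-21-0243556031-888888379-781863308-1455\\psysnew.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"""

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# Only "name"="data" (REG_SZ) lines; DWORD/hex values are not autostart commands.
STRING_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
RECYCLE_BIN_RE = re.compile(r"\\(RECYCLER|RECYCLED|\$Recycle\.Bin)\\", re.IGNORECASE)
WINLOGON_SUFFIX = r"\microsoft\windows nt\currentversion\winlogon"
RUN_SUFFIX = r"\microsoft\windows\currentversion\run"


class Finding(NamedTuple):
    key: str
    name: str
    data: str
    reasons: List[str]


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, value_name, string_data) for every REG_SZ value in the dump."""
    current_key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = STRING_VALUE_RE.match(line)
        if m and current_key is not None:
            yield current_key, _unescape(m.group(1)), _unescape(m.group(2))


def scan_reg_export(text: str) -> List[Finding]:
    """Return the suspicious autostart values found in a reg export dump."""
    findings: List[Finding] = []
    for key, name, data in parse_reg_export(text):
        k, n = key.lower(), name.lower()
        in_winlogon = k.endswith(WINLOGON_SUFFIX)
        in_run = k.endswith(RUN_SUFFIX)
        if not (in_winlogon or in_run):
            continue
        reasons = []
        # The default Winlogon Shell is the bare string "Explorer.exe";
        # anything else replaces the desktop shell with another program.
        if in_winlogon and n == "shell" and data.strip().lower() != "explorer.exe":
            reasons.append("Winlogon Shell replaced")
        # Taskman is absent on a default install; when set, Winlogon runs
        # it in place of Task Manager, a long-known autostart hook.
        if in_winlogon and n == "taskman":
            reasons.append("Winlogon Taskman set")
        # Per-SID Recycle Bin folders hold deleted files; nothing legitimate
        # autostarts from there.
        if RECYCLE_BIN_RE.search(data):
            reasons.append("autostart target inside a Recycle Bin folder")
        if reasons:
            findings.append(Finding(key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{f.key}] {f.name!r} -> {f.data}")
        for r in f.reasons:
            print("    -", r)
```

Run against a real dump with `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` (and the two HKCU keys) and feed the file contents to `scan_reg_export`. On the constructed sample it reports three values, all because the target lives under RECYCLER, with the Taskman and Shell hits additionally flagged for the Winlogon hook they abuse.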

Spam distribution

Win32/Lethic.AA is a trojan that is used for spam distribution.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of one (1) URL.

Other information

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe
