Installation
Variants of Win32/Lethic may drop copies of themselves under different file names in the Windows system folder, for example:
It creates entries in the system registry to ensure that its dropped copies run every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Taskman"
With data: "<malware path and file name>"
In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,<malware path and file name>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"
For example:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zmmclr"
With data: "<system folder>\xcllsx.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wesspell"
With data: "<system folder>\shelldm.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "qscmdll"
With data: "<system folder>\ssmcdsw.exe"
It also injects its code into the explorer.exe process.
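The three persistence locations listed above can be audited from an administrator's PowerShell prompt. The following script is an added example, not part of the Microsoft write-up: it flags a populated HKLM Winlogon "Taskman" value, an HKCU Winlogon "Shell" value that is anything other than plain explorer.exe, and HKCU Run entries that launch an executable straight out of the system folder. The value names "zmmclr", "wesspell" and "qscmdll" are only the samples quoted above; the check keys on the pattern, not on those names.

```powershell
# Added example (not from the Microsoft write-up): inspect the persistence
# locations described above for values matching the Lethic pattern.
# Run in the session of the user whose HKCU hive you want to inspect;
# the HKLM read needs administrator rights.
$findings = @()

# 1. HKLM Winlogon "Taskman": normally absent on a clean system.
$hklmWinlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$taskman = (Get-ItemProperty -Path $hklmWinlogon -Name Taskman -ErrorAction SilentlyContinue).Taskman
if ($taskman) {
    $findings += [PSCustomObject]@{ Location = "$hklmWinlogon\Taskman"; Data = $taskman; Reason = 'Taskman value is set' }
}

# 2. HKCU Winlogon "Shell": a per-user Shell override is unusual; anything
#    appended after "explorer.exe" is an extra program started at logon.
$hkcuWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $hkcuWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and ($shell -ne 'explorer.exe')) {
    $findings += [PSCustomObject]@{ Location = "$hkcuWinlogon\Shell"; Data = $shell; Reason = 'Shell value is not plain explorer.exe' }
}

# 3. HKCU Run: flag entries whose data is an .exe located directly in the
#    system folder, the drop location named in the write-up. Legitimate
#    software rarely registers a Run entry that way, so review each hit.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$systemFolder = [regex]::Escape("$env:SystemRoot\System32")
$run = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if ($data -match "^`"?$systemFolder\\[^\\]+\.exe") {
            $findings += [PSCustomObject]@{ Location = "$runKey\$name"; Data = $data; Reason = 'Run entry launches an executable directly from the system folder' }
        }
    }
}

if ($findings.Count -eq 0) { 'No Lethic-style persistence entries found.' }
else { $findings | Format-Table -AutoSize }
```

A hit in any of the three checks is a lead, not a verdict: confirm by hashing the referenced file and checking its signature before removing the value.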
Payload
Connects to a remote server
Win32/Lethic attempts to establish a connection to remote servers through various TCP ports. For example:
- Attempts connecting to 'lycomputing.com' via TCP port 1430
- Attempts connecting to 'nuygtfcwq.com' via TCP port 8900
- Attempts connecting to 'dqglobex.com' via TCP port 8090
Some of the remote sites it attempts to connect to are:
Once connected, it can give a malicious hacker remote access to, and control of, your PC.
Analysis by Scott Molenkamp