Trojan:Win32/Lethic.B


Microsoft security software detects and removes this threat.

The threat is a trojan that connects to remote servers, and may download other malware.

What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
This threat may drop copies of itself with different file names in the Windows system folder, for example:
 
  • <system folder>\shelldm.exe
  • <system folder>\xcllsx.exe
 
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. By default it is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP and Vista.
 
It creates entries in the system registry to ensure that its dropped copies run every time Windows starts:
 
Adds value: "Taskman"
With data: "<malware path and file name>"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 
Adds value: "Shell"
With data: "explorer.exe,<malware path and file name>"
To subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
 
Adds value: "<value>"
With data: "<malware path and file name>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
For example:
 
Adds value: "zmmclr"
With data: "<system folder>\xcllsx.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
Adds value: "wesspell"
With data: "<system folder>\shelldm.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 
It injects its code into the 'explorer.exe' process.

Payload
Connects to a remote server
The threat attempts to establish a connection to remote servers through various TCP ports. For example:
 
Attempts connecting to 'lycomputing.com' via TCP port 1430
Attempts connecting to 'nuygtfcwq.com' via TCP port 8900
 
Some of the remote sites it attempts to connect to are:
 
b1ijh7hifd.com
btceswqdw.com
lxforbug.com
lycomputing.com
miniknfdw.com
mojujfdhew.com
nhi8ho9lbnw.com
nuygtfcwq.com
sometimesgood.com
uckybusy.com
 
Once connected, it may allow remote access and control of an affected machine.
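As an added example (not code from the Microsoft write-up), the script below matches the domains and ports listed above against constructed connection-log lines. It normalises each destination host (lowercases it and strips a trailing dot) and matches on label boundaries, so a subdomain of a listed domain is reported while an unrelated name that merely contains one as a substring is not. The `dst=host:port` log format and the sample lines are assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Optional

# Remote sites and example ports taken from the write-up above.
LETHIC_DOMAINS = {
    "b1ijh7hifd.com", "btceswqdw.com", "lxforbug.com", "lycomputing.com",
    "miniknfdw.com", "mojujfdhew.com", "nhi8ho9lbnw.com", "nuygtfcwq.com",
    "sometimesgood.com", "uckybusy.com",
}
LETHIC_PORTS = {("lycomputing.com", 1430), ("nuygtfcwq.com", 8900)}

# Constructed proxy/firewall-style log lines for illustration; not a real capture.
SAMPLE_LOG = """\
2009-09-22T10:01:07Z src=10.0.0.15 dst=lycomputing.com:1430 proto=tcp
2009-09-22T10:01:09Z src=10.0.0.15 dst=cdn.example.net:443 proto=tcp
2009-09-22T10:01:12Z src=10.0.0.15 dst=update.NUYGTFCWQ.com.:8900 proto=tcp
2009-09-22T10:02:40Z src=10.0.0.21 dst=sometimesgood.com:80 proto=tcp
2009-09-22T10:03:03Z src=10.0.0.21 dst=notlycomputing.com:1430 proto=tcp
"""

# Assumed log format: "<timestamp> src=<ip> dst=<host>:<port> proto=<proto>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<host>[^:\s]+):(?P<port>\d+)\s+proto=(?P<proto>\w+)"
)


class Hit(NamedTuple):
    timestamp: str
    src: str
    host: str          # normalised destination host
    port: int
    domain: str        # listed domain that matched
    port_listed: bool  # True when the (domain, port) pair is one quoted above


def normalize_host(host: str) -> str:
    """Lowercase and drop a trailing dot so 'Foo.COM.' equals 'foo.com'."""
    return host.rstrip(".").lower()


def match_domain(host: str) -> Optional[str]:
    """Return the listed domain that host equals or is a subdomain of.

    Matching is done on label boundaries: 'update.nuygtfcwq.com' matches
    'nuygtfcwq.com', but 'notlycomputing.com' does not match 'lycomputing.com'.
    """
    host = normalize_host(host)
    for domain in LETHIC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(text: str) -> List[Hit]:
    """Parse each log line and report connections to a listed domain."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line not in the expected format; skip rather than guess
        domain = match_domain(m["host"])
        if domain is None:
            continue
        port = int(m["port"])
        hits.append(Hit(m["ts"], m["src"], normalize_host(m["host"]), port,
                        domain, (domain, port) in LETHIC_PORTS))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "listed port" if hit.port_listed else "port not in write-up"
        print(f"{hit.timestamp} {hit.src} -> {hit.host}:{hit.port} ({hit.domain}, {flag})")
```

A hit on a listed domain with an unlisted port is still reported, since the write-up only gives two example ports. The domain list dates from 2009, so a present-day match should be confirmed against current registration and resolution data before being treated as an active Lethic contact.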
 
Analysis by Elda Dimakiling

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of the following files:
    <system folder>\shelldm.exe
    <system folder>\xcllsx.exe
  • The presence of the following registry modifications:
    Adds value: "zmmclr"
    With data: "<system folder>\xcllsx.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Adds value: "wesspell"
    With data: "<system folder>\shelldm.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
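The file and registry indicators listed under Installation and Symptoms can be checked offline from a registry export. The script below is an added example, not code from the Microsoft write-up: it parses the text of a `reg export` of the two Winlogon keys and the HKCU Run key, then flags a Taskman value (absent on a default install), any Shell entry other than explorer.exe, a per-user Shell override, and Run entries whose value name or target file name matches those given above. The export embedded in the script is constructed for illustration; a real one is produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and likewise for the Winlogon keys) and read as text.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg export` text for an infected host, built from the values
# in the write-up above; not a real capture. A clean HKLM Winlogon has
# Shell="explorer.exe" and no Taskman value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Taskman"="C:\\Windows\\System32\\shelldm.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\System32\\xcllsx.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"zmmclr"="C:\\Windows\\System32\\xcllsx.exe"
"wesspell"="C:\\Windows\\System32\\shelldm.exe"
"""

WINLOGON_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
KNOWN_FILES = {"shelldm.exe", "xcllsx.exe"}      # dropped copies named above
KNOWN_RUN_VALUES = {"zmmclr", "wesspell"}         # Run value names named above

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers and
    "name"="string" values. \\ and \" escapes are undone."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = data
    return keys


def executable_name(data: str) -> str:
    """Lower-cased file name of the program a Run/Taskman value launches,
    handling both quoted paths with arguments and bare paths."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end > 0 else data[1:]
    else:
        path = data.split(" ")[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_persistence(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every suspicious entry."""
    findings: List[Tuple[str, str, str]] = []
    # Registry keys and value names are case-insensitive; exports vary in case.
    by_key = {k.lower(): (k, {n.lower(): (n, d) for n, d in v.items()})
              for k, v in keys.items()}

    for key in WINLOGON_KEYS:
        present, values = by_key.get(key.lower(), (key, {}))
        if "taskman" in values:
            name, data = values["taskman"]
            findings.append((present, name, f"Taskman set, runs {executable_name(data)} at logon"))
        if "shell" in values:
            name, data = values["shell"]
            # Shell is a comma-separated list; only explorer.exe belongs there.
            extra = [e.strip() for e in data.split(",")
                     if e.strip() and e.strip().lower() != "explorer.exe"]
            if extra:
                findings.append((present, name, "extra shell entries: " + ", ".join(extra)))
            elif present.upper().startswith("HKEY_CURRENT_USER"):
                findings.append((present, name, "per-user Shell override present"))

    for key in RUN_KEYS:
        present, values = by_key.get(key.lower(), (key, {}))
        for lname, (name, data) in values.items():
            exe = executable_name(data)
            if lname in KNOWN_RUN_VALUES or exe in KNOWN_FILES:
                findings.append((present, name, f"Run entry launches {exe}"))
    return findings


if __name__ == "__main__":
    for key, name, reason in check_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{key}\n  {name}: {reason}")
```

The Winlogon checks are structural and do not depend on the file names in this write-up, so they also catch variants that use different names; the Run-key check is limited to the names quoted above and should be confirmed by checking that the referenced file exists in the system folder.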

Prevention


Alert level: Severe
First detected by definition: 1.65.972.0
Latest detected by definition: 1.185.1660.0 and higher
First detected on: Sep 21, 2009
This entry was first published on: Oct 06, 2009
This entry was updated on: May 10, 2014

This threat is also detected as:
  • Packed.Win32.Krap.x (Kaspersky)
  • Trojan.Lethic.B (VirusBuster)
  • Win32/Lethic.AA (ESET)
  • Trj/Zlob.KH (Panda)
  • Trojan.CryptRedol.Gen.2 (BitDefender)