You have been re-routed to the Trojan:Win32/Lethic.C write-up because the threat described below (TrojanProxy:Win32/Slenugga.A) has been renamed to Trojan:Win32/Lethic.C.
 

Trojan:Win32/Lethic.C


TrojanProxy:Win32/Slenugga.A is a trojan that contacts a remote server, which may request it to proxy malicious traffic to other systems. It may be downloaded and installed by variants of the Win32/Slenfbot family.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an up-to-date antivirus product such as the following:
 
 
For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Installation
TrojanProxy:Win32/Slenugga.A may be downloaded and installed by variants of the Win32/Slenfbot family.
 
When first run, TrojanProxy:Win32/Slenugga.A typically copies itself as a read-only, hidden, system file to a location such as C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe. It also creates a Desktop.ini file in the same directory, which has the effect of making the directory appear in Windows Explorer as a Recycle Bin.
 
It also creates a registry entry such as the following to ensure that the malware is run upon system startup:
 
Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: 12CFG214-K641-24SF-N85P
With data: C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe
 
Examples of combinations of registry value names and pathnames of the copied malware include the following:

  Registry Value Name        Pathname of Malware (under C:\RECYCLER\)
  12CFG214-K641-24SF-N85P    s-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe
  12CFG515-K641-55SF-N66P    s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
  12CFG214-K641-12SF-N85P    s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
  12CFG914-K641-26SF-N32P    s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
  13CFG914-K641-26SF-N31P    s-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe

It then injects its payload code into the explorer.exe process.
 
It may use a mutex such as “silinuggahxx4578” or “ajubsst” to ensure that only one copy of the malware can run at any given time.
Payload
Proxies traffic
The malware periodically connects on port 1199 to a location such as newss.alwaysproxy8.info. The remote host may respond with details of other systems to be contacted and the traffic that should be sent to them. It then connects to these systems and sends the traffic as requested. It does not listen for any incoming connections.
 
The server may also request that the malware delete itself from the system.
 
Examples of servers used in this manner in the wild include the following:
  • newss.alwaysproxy8.info
  • newss.alwaysproxy.info
  • orts.alwaysproxy4.info
  • p34s3.hmarhelo.co
 
Analysis by David Wood

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The presence of any of the following files (or similar):
    C:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe
    C:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
    C:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
    C:\RECYCLER\s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
    C:\RECYCLER\s-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
  • The presence of any of the following registry modifications (or similar):
    Under key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Adds value: 12CFG214-K641-24SF-N85P
    With data: C:\RECYCLER\S-1-5-21-0243936033-3052116371-381863308-1859\ls888.exe
    Adds value: 12CFG515-K641-55SF-N66P
    With data: C:\RECYCLER\s-1-5-21-0243636035-3055115376-381863306-1556\pqlmq.exe
    Adds value: 12CFG214-K641-12SF-N85P
    With data: C:\RECYCLER\s-1-5-21-0243936033-3052116371-381863308-1811\vsbntlo.exe
    Adds value: 12CFG914-K641-26SF-N32P
    With data: C:\RECYCLER\s-1-5-21-0243336031-4052116379-881863308-0851\vse432.exe
    Adds value: 13CFG914-K641-26SF-N31P
    With data: C:\RECYCLER\s-1-5-21-0243336031-4052116379-881863308-0950\vsse33.exe
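As an added detection example (not part of this write-up and not Microsoft's code), the following Python reads a `reg export` of the HKCU Run key and flags values whose data points to an executable under a SID-named C:\RECYCLER directory, the persistence pattern described under Installation and Symptoms. The registry export text is constructed to mirror the entries above, and the value-name shape check is derived only from the five sample names listed in this write-up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg export` output for the HKCU Run key (not a real capture).
# The last two values mirror the persistence entries described in this write-up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"12CFG214-K641-24SF-N85P"="C:\\RECYCLER\\S-1-5-21-0243936033-3052116371-381863308-1859\\ls888.exe"
"12CFG515-K641-55SF-N66P"="C:\\RECYCLER\\s-1-5-21-0243636035-3055115376-381863306-1556\\pqlmq.exe"
"""

# .reg files write REG_SZ values as "name"="data", escaping backslashes and quotes.
_REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Strong indicator: an autorun entry whose target is an .exe stored directly inside a
# SID-named folder under C:\RECYCLER. Genuine Recycle Bin SID folders exist on XP-era
# systems, so the Run-key reference to an executable there is what gets flagged.
_RECYCLER_EXE = re.compile(
    r'^"?[A-Za-z]:\\RECYCLER\\S-1-5-21(?:-\d+)+\\[^\\"]+\.exe"?(?:\s|$)', re.IGNORECASE)

# Weaker, secondary indicator: value names shaped like the five samples in this write-up.
_VALUE_NAME_SHAPE = re.compile(r'^\d{2}CFG\d{3}-K641-\d{2}SF-N\d{2}P$')


def _unescape(s: str) -> str:
    """Undo .reg escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value_name: data} for every "name"="data" line in the export."""
    values: Dict[str, str] = {}
    for line in reg_text.splitlines():
        m = _REG_VALUE.match(line.strip())
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def find_recycler_run_entries(reg_text: str) -> List[Tuple[str, str, bool]]:
    """Return (value_name, data, name_also_matches) for each suspicious autorun entry."""
    hits = []
    for name, data in parse_run_values(reg_text).items():
        if _RECYCLER_EXE.match(data):
            hits.append((name, data, bool(_VALUE_NAME_SHAPE.match(name))))
    return hits


if __name__ == "__main__":
    for name, data, name_hit in find_recycler_run_entries(SAMPLE_REG_EXPORT):
        print(f"suspicious Run value {name!r} -> {data} (name pattern match: {name_hit})")
```

On a live system the same functions can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` read back as text.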

Prevention


Alert level: Severe
First detected by definition: 1.49.2684.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Jan 28, 2009
This entry was first published on: Oct 16, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win-Trojan/Buzus.45056.AZ (AhnLab)
  • Trojan.Win32.Crypt.bgj (Kaspersky)
  • W32/DLoader.ZGRK (Norman)
  • Win32/Agent.HXW (ESET)
  • Win32/Slenugga.I (CA)