Win32/Lethic


Microsoft security software detects and removes this threat.
 
This malware family can give a malicious hacker access and control of your PC.
 


What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation
Variants of Win32/Lethic may drop copies of themselves, under varying file names, into the Windows system folder. The file names that appear in the registry examples below (xcllsx.exe, shelldm.exe and ssmcdsw.exe) are examples of names that have been used.
 
 
It creates entries in the system registry so that its dropped copies are launched again after Windows starts. The Winlogon "Shell" value is a comma-separated list of programs started as the user's shell, so appending the malware path to "explorer.exe" runs it alongside Explorer at every logon; the Winlogon "Taskman" value, which is not set on a clean system, causes the named program to run whenever the user opens Task Manager:
 
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Taskman"
With data: "<malware path and file name>"
 
In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,<malware path and file name>"
 
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"
For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "zmmclr"
With data: "<system folder>\xcllsx.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "wesspell"
With data: "<system folder>\shelldm.exe"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "qscmdll"
With data: "<system folder>\ssmcdsw.exe"

It also injects its code into the explorer.exe process.
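The three registry locations above are cheap to check across many hosts once the keys have been exported. The script below is an added example, not part of this encyclopedia entry and not a Microsoft tool: it parses plain "reg export" text for the Winlogon and Run keys and flags a Shell value that is anything other than explorer.exe, any Taskman value at all, and Run entries that launch either a file name known from this family or an arbitrary binary from the system folder. The embedded export is constructed for illustration; the user name, the OneDrive and ctfmon Run entries and the "high"/"review" severity labels are assumptions, and only the Lethic file names and key paths come from the entry.

```python
"""Offline triage of exported registry keys for Win32/Lethic-style persistence.

Added example. Inputs are `reg export` files of the Winlogon and Run keys.
"""
import re
from typing import Dict, List, Tuple

# File names the encyclopedia entry lists as dropped into the system folder.
LETHIC_FILE_NAMES = {"xcllsx.exe", "shelldm.exe", "ssmcdsw.exe"}
WINLOGON_KEY = "software\\microsoft\\windows nt\\currentversion\\winlogon"
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

# (severity, key path, value name, data, reason)
Finding = Tuple[str, str, str, str, str]


def _unescape(s: str) -> str:
    # .reg files write \" for a quote and \\ for a backslash; undo quotes first.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'Windows Registry Editor Version 5.00' text into
    {key path: {value name: data}}. Quoted REG_SZ data is decoded; hex:/dword:
    data is kept verbatim, which is enough for these checks."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else _unescape(m.group("name"))
            data = m.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _program_path(data: str) -> str:
    """Best-effort executable path from command-line style value data."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def find_lethic_persistence(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Apply the three persistence checks to parsed keys, in export order."""
    findings: List[Finding] = []
    for key, values in keys.items():
        lkey = key.lower()
        if lkey.endswith(WINLOGON_KEY):
            # Winlogon\Shell should be exactly "explorer.exe"; Lethic writes
            # "explorer.exe,<malware>" so its copy starts alongside the shell.
            shell = values.get("Shell")
            if shell is not None and shell.strip().lower() != "explorer.exe":
                extra = [p.strip() for p in shell.split(",")[1:] if p.strip()]
                reason = ("Shell chain also launches " + ", ".join(extra)) if extra else "Shell is not explorer.exe"
                findings.append(("high", key, "Shell", shell, reason))
            # Taskman is unset on a clean system; when present, the program it
            # names is launched in place of Task Manager.
            if "Taskman" in values:
                findings.append(("high", key, "Taskman", values["Taskman"], "Taskman override present (normally unset)"))
        elif lkey.endswith(RUN_KEY):
            for name, data in values.items():
                exe = _program_path(data).lower()
                base = exe.rsplit("\\", 1)[-1]
                if base in LETHIC_FILE_NAMES:
                    findings.append(("high", key, name, data, "known Win32/Lethic file name " + base))
                elif any(d in exe for d in SYSTEM_DIRS):
                    # Not proof on its own, but a per-user Run entry pointing
                    # straight into the system folder deserves a look.
                    findings.append(("review", key, name, data, "Run entry launches a binary from the system folder"))
    return findings


# Constructed sample export (assumed content). Real `reg export` files are
# UTF-16 LE with a BOM: open them with encoding="utf-16".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Taskman"="C:\\Windows\\system32\\xcllsx.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Windows\\system32\\shelldm.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"zmmclr"="C:\\Windows\\system32\\xcllsx.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for sev, key, name, data, why in find_lethic_persistence(parse_reg_export(SAMPLE_REG)):
        print(f"[{sev}] {key}\\{name} = {data!r}: {why}")
```

On the suspect host, collect the keys with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon_hklm.reg` and the equivalent commands for the HKCU Winlogon and Run keys, then pass each file's text to parse_reg_export. A hit on Shell or Taskman deserves more attention than a Run entry: both survive a user deleting the obvious autostart, and a modified Shell chain is launched by Winlogon itself rather than by Explorer.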
Payload
Connects to a remote server
 
Win32/Lethic attempts to establish a connection to remote servers through various TCP ports. For example:
 
  • Attempts connecting to 'lycomputing.com' via TCP port 1430
  • Attempts connecting to 'nuygtfcwq.com' via TCP port 8900
  • Attempts connecting to 'dqglobex.com' via TCP port 8090
 
Some of the remote sites it attempts to connect to are:
  • b1ijh7hifd.com
  • btceswqdw.com
  • bydvwqcdw.com
  • lxforbug.com
  • dqglobex.com
  • iamnothere.cn
  • lycomputing.com
  • miniknfdw.com
  • mojujfdhew.com
  • nhi8ho9lbnw.com
  • nuygtfcwq.com
  • sometimesgood.com
  • uckybusy.com
  • verywellhere.cn
Once connected, it can give a malicious hacker remote access and control of your PC.
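As an added example that is not part of the encyclopedia entry, the script below checks the connection behaviour described above from output captured on a suspect host with `netstat -ano`, `tasklist /fo csv` and `ipconfig /displaydns`. It matches active TCP sessions against the ports listed above, rates a match owned by explorer.exe higher because the family injects into that process, and compares cached DNS names with the domain list. All sample output is constructed; the addresses, PIDs and process names are assumptions rather than observed values, and only the ports and domains come from the entry.

```python
"""Offline triage of host network output for Win32/Lethic contact indicators.

Added example. Inputs are `netstat -ano`, `tasklist /fo csv` and
`ipconfig /displaydns` text captured on the suspect host.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Remote TCP ports and contact domains listed in the encyclopedia entry.
LETHIC_PORTS = {1430, 8900, 8090}
LETHIC_DOMAINS = {
    "b1ijh7hifd.com", "btceswqdw.com", "bydvwqcdw.com", "lxforbug.com",
    "dqglobex.com", "iamnothere.cn", "lycomputing.com", "miniknfdw.com",
    "mojujfdhew.com", "nhi8ho9lbnw.com", "nuygtfcwq.com", "sometimesgood.com",
    "uckybusy.com", "verywellhere.cn",
}
ACTIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

_NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+)\s+(?P<raddr>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<pid>\d+)\s*$")
_DNS_RE = re.compile(r"Record Name[ .]*:\s*(?P<name>\S+)", re.IGNORECASE)

# (severity, remote host, remote port, state, owning process)
Connection = Tuple[str, str, int, str, str]


def parse_tasklist_csv(text: str) -> Dict[int, str]:
    """Map PID -> lower-cased image name from `tasklist /fo csv` output."""
    pids: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            pids[int(row[1])] = row[0].lower()
    return pids


def find_lethic_connections(netstat_text: str, pid_names: Dict[int, str]) -> List[Connection]:
    """Report active TCP sessions to the family's known ports. A session owned
    by explorer.exe is rated high because Lethic runs inside that process;
    any other owner on the same port is reported for review."""
    findings: List[Connection] = []
    for line in netstat_text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m or m.group("state") not in ACTIVE_STATES:
            continue
        host, _, port = m.group("raddr").rpartition(":")  # also handles [::1]:443
        if int(port) not in LETHIC_PORTS:
            continue
        proc = pid_names.get(int(m.group("pid")), "unknown")
        severity = "high" if proc == "explorer.exe" else "review"
        findings.append((severity, host, int(port), m.group("state"), proc))
    return findings


def find_lethic_dns_names(displaydns_text: str) -> List[str]:
    """Return cached names (from `ipconfig /displaydns`) that are, or are
    subdomains of, the family's known contact domains."""
    hits: List[str] = []
    for m in _DNS_RE.finditer(displaydns_text):
        name = m.group("name").lower().rstrip(".")
        if name in LETHIC_DOMAINS or any(name.endswith("." + d) for d in LETHIC_DOMAINS):
            hits.append(name)
    return hits


# Constructed samples (assumed PIDs, addresses and process names).
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1884","Console","1","48,212 K"
"chrome.exe","4120","Console","1","210,004 K"
"svchost.exe","912","Services","0","9,120 K"
'''
SAMPLE_NETSTAT = '''
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:49712     203.0.113.5:1430       SYN_SENT        1884
  TCP    192.168.1.20:49713     203.0.113.9:443        ESTABLISHED     4120
  TCP    192.168.1.20:49720     198.51.100.7:8900      ESTABLISHED     1884
  TCP    192.168.1.20:49733     198.51.100.7:8090      TIME_WAIT       0
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    2212
'''
SAMPLE_DISPLAYDNS = '''
    lycomputing.com
    ----------------------------------------
    Record Name . . . . . : lycomputing.com
    Record Type . . . . . : 1
    A (Host) Record . . . : 203.0.113.5

    www.microsoft.com
    ----------------------------------------
    Record Name . . . . . : www.microsoft.com
    Record Type . . . . . : 5
'''

if __name__ == "__main__":
    procs = parse_tasklist_csv(SAMPLE_TASKLIST)
    for sev, host, port, state, proc in find_lethic_connections(SAMPLE_NETSTAT, procs):
        print(f"[{sev}] {proc} -> {host}:{port} ({state})")
    for name in find_lethic_dns_names(SAMPLE_DISPLAYDNS):
        print(f"[dns] cached lookup of known Lethic domain {name}")
```

The domain list dates from the entry's 2011 to 2014 analysis and the names may have been sinkholed or re-registered since, so a DNS-cache hit is a reason to look at the host, not a verdict on its own; a SYN_SENT or ESTABLISHED session from explorer.exe to one of the listed ports, combined with the registry findings in the Installation section, is the stronger signal.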
 
Analysis by Scott Molenkamp

Symptoms

The following could indicate that you have this threat on your PC:

  • You have these files:

    <system folder>\shelldm.exe
    <system folder>\xcllsx.exe
  • The presence of registry modifications such as the following:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Taskman"
With data: "<malware path and file name>"

In subkey: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe,<malware path and file name>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "<value>"
With data: "<malware path and file name>"
  • Open TCP connections to unfamiliar hosts on ports 1430, 8090 or 8900

Prevention


Alert level: Severe
This entry was first published on: Jan 11, 2011
This entry was updated on: Sep 15, 2014

This threat is also detected as:
  • Scar (McAfee)
  • TROJ_LETHIC (Trend Micro)
  • Packed.Win32.Krap.x (Kaspersky)
  • Trojan.Lethic (VirusBuster)
  • Win32/Lethic (ESET)
  • Trojan.CryptRedol.Gen.2 (BitDefender)
  • Trojan-Proxy.Win32.Spampos (Kaspersky)