Trojan:Win32/Lethic.H is a malicious program that cannot spread on its own. It may perform a number of actions of an attacker's choice on an affected computer.
Installation
When executed, Trojan:Win32/Lethic.H copies itself to c:\recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe.
The malware modifies the following registry entries to ensure that its copy executes at each Windows start:
Adds value: "Tnaww"
With data: "c:\recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe"
To subkey: HKCU\Software\Microsoft\windows\currentversion\run
Adds value: "Taskman"
With data: "c:\recycler\s-1-5-21-0243556031-888888379-781863308-1413\syitm.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The malware creates the following files on an affected computer:
The malware uses code injection to hinder detection and removal. When Trojan:Win32/Lethic.H executes, it may inject code into running processes, including, for example, the following:
Payload
Contacts remote host
Trojan:Win32/Lethic.H may contact a remote host at dq.javagames7.com using port 8800. Commonly, malware may contact a remote host for the following purposes:
- To report a new infection to its author
- To receive configuration or other data
- To download and execute arbitrary files (including updates or additional malware)
- To receive instruction from a remote attacker
- To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 eba2ea05b2d6a7417983e0cfb29e416679812828.