Threat Encyclopaedia

Win32/Lethic.AA

Aliases: P2P-Worm.Win32.Palevo.rmm (Kaspersky), VirTool:Win32/DelfInject.gen!BH (Microsoft), Generic.dx!nns trojan (McAfee)
Type of infiltration: Trojan
Size: 43008 B
Affected platforms: Microsoft Windows
Signature database version: 4860 (20100212)

Short description

Win32/Lethic.AA is a trojan that is used for spam distribution. It can be controlled remotely.

Installation

When executed, the trojan copies itself into the following location:
  • C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe
The following file is dropped in the same folder:
  • desktop.ini
In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Taskman" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "shell" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "psysnew" = "C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe"
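The persistence entries and dropped file listed above can be checked on a suspect host with the following PowerShell script. It is an added example, not part of the ESET entry: the three registry values, the file path and the 43008-byte size come from this page; the assumption that the SID-named RECYCLER folder differs between machines (so any psysnew.exe under C:\RECYCLER is reported) is the author's, as is the note that Taskman and an HKCU Shell value are normally absent on a clean system.

```powershell
# Added defensive check for the Win32/Lethic.AA persistence described on this page.
# Exact path from the page; the SID folder name is assumed to vary per machine.
$Indicator = 'C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\psysnew.exe'
$KnownSize = 43008   # sample size stated on the page

# Registry values the page lists, with what a clean system normally shows (assumption).
$Checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Taskman'; Note = 'normally absent' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';   Note = 'normally absent under HKCU' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';         Name = 'psysnew'; Note = 'normally absent' }
)

$Findings = foreach ($c in $Checks) {
    # -Name on a missing value throws; SilentlyContinue turns that into $null.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $value = $item.($c.Name)
        [pscustomobject]@{
            Location  = "$($c.Path)\$($c.Name)"
            Value     = $value
            ExactPath = ($value -eq $Indicator)
            PathLike  = ($value -like '*\RECYCLER\*\psysnew.exe')   # other SID folders
            Note      = $c.Note
        }
    }
}

# The dropped executable: exact path plus any copy under another RECYCLER SID folder.
$Files = @(Get-ChildItem -Path 'C:\RECYCLER' -Filter 'psysnew.exe' -Recurse -Force `
           -ErrorAction SilentlyContinue |
         Select-Object FullName, Length, LastWriteTime,
                       @{ n = 'SizeMatch'; e = { $_.Length -eq $KnownSize } })

if ($Findings -or $Files.Count -gt 0) {
    Write-Output 'Possible Win32/Lethic.AA persistence found:'
    $Findings | Format-Table -AutoSize
    $Files    | Format-Table -AutoSize
} else {
    Write-Output 'No Win32/Lethic.AA persistence indicators found.'
}
```

Run it in an elevated session so the HKLM value and the RECYCLER folder of every profile are readable; a Taskman or HKCU Shell value that does not match the page's path still deserves a look, since the same mechanism is used by other families.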

Spam distribution

Win32/Lethic.AA is a trojan that is used for spam distribution.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list containing one URL.

Other information

The trojan creates and runs a new thread with its own program code within the following processes:
  • explorer.exe