Threat Encyclopedia

Lethic

Brief

Lethic is a backdoor trojan that connects to a Command & Control server in order to provide access to the compromised computer. Lethic is primarily used to send spam messages.

Symptoms

Lethic may attempt to make connections to remote computers on ports (typically TCP) 1430, 8090 or other ports.

Lethic may drop the following files:

  • shelldm.exe
  • xcllsx.exe

Lethic may make the following registry changes:

  • Modified Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
  • Added value: 'Taskman'
  • Added data: Path to malware and filename of malware
  • Modified Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
  • Added value: 'Shell'
  • Added data: explorer.exe, path to malware and filename of malware
  • Modified Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • Added value: value
  • Added data: Path to malware and filename of malware

Analysis

Lethic attempts to connect to a remote C&C server on various ports. Once it has established a connection it may then allow remote access or complete control of the infected system. Lethic typically uses infected machines in order to send spam.

Instructions

It is not recommended that any attempts to remove this family of malware be performed manually. Fortinet recommends running a full scan of your system using FortiClient Endpoint Protection to remove this threat.