MSRT January ‘11: Win32/Lethic

Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as “shelldm.exe” or “xcllsx.exe”. The malware loads as a process when Windows starts.

The trojan establishes a connection to remote servers using varied TCP ports, such as 1430, 8900, 8090 and so on. It communicates with servers with names such as “”, “”, “” among others. Once connected, the trojan allows unauthorized use of the affected computer, including distributing spam.

Forefront Online Protection for Exchange (FOPE) consists of layered technologies to actively help protect businesses’ inbound and outbound e-mail from spam, viruses, phishing scams, and e-mail policy violations.

Forefront Online Protection for Exchange diagram

Image 1 - Forefront Online Protection for Exchange diagram

According to FOPE spam statistics, Win32/Lethic produces a high volume of spam and thus has been selected for addition this month to the Microsoft Malware Removal Tool (MSRT). Win32/Lethic is not the biggest botnet in terms of IP addresses, however, it is known for sending many messages into a single envelope.

Below, you can see the difference in spam distribution models between two malware, Win32/Rustock and Win32/Lethic. Notice that in Rustock, the spam message is a 1:1 ratio where Lethic is 1:many.


Win32/Rustock spam distribution model

Image 2 – Win32/Rustock spam distribution model



Win32/Lethic spam distribution model

Image 3 – Win32/Lethic spam distribution model


You can do more to protect your Internet experience by running a full AV solution, such as Microsoft Security Essentials, for real-time protection. Download and install Microsoft Security Essentials from


Patrick Nolan, MMPC

Comments (0)

Skip to main content