Win32/Lethic is a trojan that communicates with a remote server to distribute spam. Variants of Lethic install executable files with varied file names such as “shelldm.exe” or “xcllsx.exe”. The malware loads as a process when Windows starts.
The trojan establishes a connection to remote servers using varied TCP ports, such as 1430, 8900, 8090 and so on. It communicates with servers with names such as “dqglobex.com”, “verywellhere.cn”, “iamnothere.cn” among others. Once connected, the trojan allows unauthorized use of the affected computer, including distributing spam.
Forefront Online Protection for Exchange (FOPE) consists of layered technologies to actively help protect businesses’ inbound and outbound e-mail from spam, viruses, phishing scams, and e-mail policy violations.
Image 1 - Forefront Online Protection for Exchange diagram
According to FOPE spam statistics, Win32/Lethic produces a high volume of spam and thus has been selected for addition this month to the Microsoft Malware Removal Tool (MSRT). Win32/Lethic is not the biggest botnet in terms of IP addresses, however, it is known for sending many messages into a single envelope.
Image 2 – Win32/Rustock spam distribution model
Image 3 – Win32/Lethic spam distribution model
You can do more to protect your Internet experience by running a full AV solution, such as Microsoft Security Essentials, for real-time protection. Download and install Microsoft Security Essentials from http://www.microsoft.com/security_essentials/.
Patrick Nolan, MMPC