TrojanDropper:Win32/Letrofen.A
First posted on 19 February 2009.
Source: SecurityHome
Aliases :
There are no other names known for TrojanDropper:Win32/Letrofen.A.
Explanation :
TrojanDropper:Win32/Letrofen.A is a trojan that drops Backdoor:Win32/Letrofen.A and may arrive in the system when a user browses certain malicious sites.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
The presence of the following file:
<system folder>\winnet.dll
The presence of the following registry value and data:
Value: "DllName"
With data: "<system folder>\winnet.dll"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System
Installation
TrojanDropper:Win32/Letrofen.A may arrive in the system when a user browses certain malicious sites containing an exploit identified as Exploit:JS/Mult.BF. When a webpage that includes Exploit:JS/Mult.BF is loaded, the shellcode, which downloads this trojan dropper, is executed in the system.
Payload
Drops Other Malware
When TrojanDropper:Win32/Letrofen.A is executed by the exploit, it drops a backdoor trojan identified as Backdoor:Win32/Letrofen.A as the following file:
<system folder>\winnet.dll
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It modifies the registry so that the backdoor is executed at each Windows start.
Adds value: "DllName"
With data: "<system folder>\winnet.dll"
To subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\System
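A host check for the file and registry indicators listed above, as an added example that is not part of the original analysis. The function name Test-LetrofenIndicators is hypothetical, and the check goes slightly beyond the page by inspecting every subkey under Winlogon\Notify rather than only System.

```powershell
# Added example, not from the original analysis. Indicator values (winnet.dll,
# DllName, the Winlogon\Notify key) are taken from the page; names are hypothetical.
function Test-LetrofenIndicators {
    $systemDir  = [Environment]::SystemDirectory      # resolves <system folder>
    $dllPath    = Join-Path $systemDir 'winnet.dll'
    $notifyRoot = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    $noExpand   = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    $findings   = @()

    # Indicator 1: the dropped backdoor file (-Force also returns hidden/system files).
    $file = Get-Item -LiteralPath $dllPath -Force -ErrorAction SilentlyContinue
    if ($file) {
        $findings += New-Object PSObject -Property @{
            Indicator = 'File'
            Location  = $file.FullName
            Detail    = 'Length={0}; CreatedUtc={1:u}' -f $file.Length, $file.CreationTimeUtc
        }
    }

    # Indicator 2: a Notify subkey whose DllName resolves to winnet.dll.
    $subkeys = Get-ChildItem -LiteralPath $notifyRoot -ErrorAction SilentlyContinue
    foreach ($key in $subkeys) {
        # Read the raw data so a REG_EXPAND_SZ value is expanded explicitly below.
        $raw = $key.GetValue('DllName', $null, $noExpand)
        if (-not $raw) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$raw)
        # DllName may be a bare file name or a full path, so match both forms.
        if ($expanded -match '(^|\\)winnet\.dll$') {
            $findings += New-Object PSObject -Property @{
                Indicator = 'Registry'
                Location  = $key.Name
                Detail    = "DllName=$raw"
            }
        }
    }
    return $findings
}

$hits = @(Test-LetrofenIndicators)
if ($hits.Count -eq 0) {
    Write-Output 'No Letrofen.A indicators found on this host.'
} else {
    $hits | Format-List Indicator, Location, Detail
}
```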
Analysis by Patrick Nolan and Jireh Sanico
Last update 19 February 2009