W32.Lecna.E
First posted on 25 April 2015.
Source: Symantec
Aliases:
There are no other names known for W32.Lecna.E.
Explanation:
Once executed, the worm copies itself to the following locations:
%ProgramFiles%\Internet Exp1orer\IEXPLORE.EXE
%SystemDrive%\$NtUninstallKB922582$\fltmkb.dll
The worm creates the following registry entries so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"IEXPLORE.EXE" = "%ProgramFiles%\Internet Exp1orer\IEXPLORE.EXE"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"IEXPLORE.EXE" = "%ProgramFiles%\Internet Exp1orer\IEXPLORE.EXE"
The worm also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentNetInf\"pid" = [BINARY DATA]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentNetInf\"hostid" = [BINARY DATA]
The worm then connects to the following URLs using the "SJZJ (compatible; MSIE 6.0; Win32)" user-agent:
[http://]www.bluezarg.com/zk/bak[REMOVED]
[http://]www.bluezarg.com/zk/app[REMOVED]
[http://]www.bluezarg.com/zk/hostli[REMOVED]
[http://]www.bluezarg.com/zk/ver[REMOVED]
[http://]www.bluezarg.com/zk/exe[REMOVED]
The worm may then perform the following actions on the compromised computer:
Traverse files and folders
Open a console
Show processes
Create new processes
End processes
Rename files
The worm then exploits the Microsoft Windows LSASS Buffer Overrun Vulnerability (CVE-2003-0533) and copies itself to shared folders on the compromised computer.
Last update: 25 April 2015
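Added detection example, not part of Symantec's write-up: a Python check that flags the persistence keys, configuration keys, user-agent and C2 host listed above in registry-export and proxy-log lines. The sample lines, the .reg-style and proxy-log formats, and the hex value under CurrentNetInf are constructed assumptions.

```python
import re

# Indicators from the W32.Lecna.E description on this page. The dropped copy lives
# in "Internet Exp1orer" (digit 1, not letter l), so the lookalike folder name
# itself separates the worm from the legitimate "Internet Explorer" path.
LECNA_PATH_RE = re.compile(r"Internet Exp1orer\\IEXPLORE\.EXE", re.IGNORECASE)
LECNA_RUN_KEY_RE = re.compile(
    r"(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\Policies\\Explorer\\Run", re.IGNORECASE)
LECNA_NETINF_RE = re.compile(
    r"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CurrentNetInf", re.IGNORECASE)
LECNA_USER_AGENT = "SJZJ (compatible; MSIE 6.0; Win32)"
LECNA_C2_HOST = "www.bluezarg.com"

def scan_registry_lines(lines):
    """Flag registry export lines matching the worm's persistence or config keys.
    Returns (finding_type, line) tuples in input order."""
    findings = []
    for line in lines:
        if LECNA_RUN_KEY_RE.search(line) and LECNA_PATH_RE.search(line):
            findings.append(("persistence_run_key", line))
        elif LECNA_NETINF_RE.search(line):
            findings.append(("config_key", line))
    return findings

def scan_proxy_lines(lines):
    """Flag proxy log lines carrying the worm's user-agent or C2 host.
    Returns (matched_indicators, line) tuples; either indicator alone is enough."""
    findings = []
    for line in lines:
        hits = [name for name, needle in (("user_agent", LECNA_USER_AGENT),
                                          ("c2_host", LECNA_C2_HOST)) if needle in line]
        if hits:
            findings.append((hits, line))
    return findings

# Constructed sample input (assumed .reg-style and proxy-log formats, not real captures).
SAMPLE_REGISTRY_LINES = [
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\"IEXPLORE.EXE" = "%ProgramFiles%\Internet Exp1orer\IEXPLORE.EXE"',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"IEXPLORE.EXE" = "%ProgramFiles%\Internet Exp1orer\IEXPLORE.EXE"',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CurrentNetInf\"hostid" = hex:00,11,22',
    # Benign: the real Internet Explorer (letter l) under the ordinary Run key must not fire.
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"IE" = "%ProgramFiles%\Internet Explorer\IEXPLORE.EXE"',
]
SAMPLE_PROXY_LINES = [
    '10.0.0.5 "GET http://www.bluezarg.com/zk/ HTTP/1.1" 200 "SJZJ (compatible; MSIE 6.0; Win32)"',
    '10.0.0.7 "GET http://www.example.com/ HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.5 "GET http://www.bluezarg.com/zk/ HTTP/1.1" 200 "Mozilla/4.0"',
]
```

Only the Policies\Explorer\Run key combined with the Exp1orer path is treated as persistence, so a legitimate Internet Explorer entry under the ordinary Run key is not flagged.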