Technical Information
To ensure autorun and distribution:
Creates or modifies the following files:
- %ALLUSERSPROFILE%\Start Menu\Programs\Startup\Network Monitoring Tray.lnk
Creates the following services:
- [<HKLM>\SYSTEM\ControlSet001\Services\LTService] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\LTService] 'ImagePath' = '"%WINDIR%\LTSvc\LTSVC.exe"'
- [<HKLM>\SYSTEM\ControlSet001\Services\LTService] 'ImagePath' = '"%WINDIR%\LTSvc\LTSVC.exe" -sLTService'
- [<HKLM>\SYSTEM\ControlSet001\Services\cpuz135] 'ImagePath' = '%WINDIR%\TEMP\cpuz135\cpuz135_x32.sys'
- [<HKLM>\SYSTEM\ControlSet001\Services\LTSvcMon] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\LTSvcMon] 'ImagePath' = '"%WINDIR%\LTsvc\LTSvcMon.exe"'
Malicious functions:
To bypass firewall, removes or modifies the following registry keys:
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\LTSvc\LTSVC.exe' = '%WINDIR%\LTSvc\LTSVC.exe:*:Enabled:AgentS...
- [<HKLM>\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\LTSvc\LTTray.exe' = '%WINDIR%\LTSvc\LTTray.exe:*:Enabled:Agen...
Executes the following:
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42000 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42001 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42002 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42003 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42004 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 162 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening tcp 4999 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\netsh.exe' firewall set portopening tcp 4998 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\netsh.exe' firewall set portopening tcp 4997 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\netsh.exe' firewall set portopening tcp 4996 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\netsh.exe' firewall set allowedprogram %WINDIR%\LTsvc\LTSVC.exe AgentService ENABLE
- '<SYSTEM32>\netsh.exe' firewall set allowedprogram %WINDIR%\LTsvc\LTSVCmon.exe AgentMonitor ENABLE
- '<SYSTEM32>\netsh.exe' firewall set allowedprogram %WINDIR%\LTsvc\LTTray.exe AgentTray ENABLE
Modifies file system:
Creates the following files:
- %WINDIR%\LTSvc\LabTech.ico
- %WINDIR%\LTSvc\LTSvcMon.InstallState
- %WINDIR%\LTSvc\LTSVCMon.txt
- <SYSTEM32>\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
- <SYSTEM32>\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
- <SYSTEM32>\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- <SYSTEM32>\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- %WINDIR%\Temp\Cab1.tmp
- %WINDIR%\Temp\Cab3.tmp
- %WINDIR%\Temp\Cab5.tmp
- %WINDIR%\Temp\Cab7.tmp
- %WINDIR%\Temp\Cab9.tmp
- %WINDIR%\Temp\CabB.tmp
- %TEMP%\CabD.tmp
- %TEMP%\CabF.tmp
- %WINDIR%\Temp\Cab11.tmp
- %TEMP%\Cab13.tmp
- %WINDIR%\Temp\Cab15.tmp
- %TEMP%\Cab17.tmp
- %WINDIR%\Temp\Cab19.tmp
- %TEMP%\Cab1B.tmp
- %TEMP%\Cab1D.tmp
- %WINDIR%\LTSvc\LTSvcMon.InstallLog
- %TEMP%\Cab1F.tmp
- %WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.InstallLog
- %WINDIR%\LTSvc\LSR.exe
- %WINDIR%\LTSvc\LTSVC.exe
- %WINDIR%\LTSvc\LTTray.exe
- %WINDIR%\LTSvc\Interfaces.dll
- <Current directory>\InstallUtil.InstallLog
- %WINDIR%\LTSvc\LTSVC.InstallLog
- %WINDIR%\LTSvc\LTSVC.InstallState
- %WINDIR%\LTSvc\LTErrors.txt
- %WINDIR%\LTSvc\cpuidsdk.dll
- %WINDIR%\LTSvc\wodVPN.dll
- %WINDIR%\LTSvc\NoSensors
- %WINDIR%\Temp\cpuz135\cpuz135_x32.sys
- %WINDIR%\LTSvc\PS.exe
- %WINDIR%\LTSvc\tvnserver.exe
- %WINDIR%\LTSvc\screenhooks.dll
- %WINDIR%\LTSvc\sas.dll
- %WINDIR%\LTSvc\labvnc.exe
- %WINDIR%\LTSvc\vnchooks.dll
- %WINDIR%\LTSvc\SCHook.dll
- %WINDIR%\LTSvc\cad.exe
- %WINDIR%\LTSvc\labvnc.ini
- %WINDIR%\LTSvc\ultravnc.ini
- %WINDIR%\LTSvc\LTSvcMon.exe
- %TEMP%\LTErrors.txt
Deletes the following files:
- %WINDIR%\LTSvc\LTSVC.InstallLog
- %TEMP%\Cab1B.tmp
- %WINDIR%\Temp\Cab19.tmp
- %TEMP%\Cab17.tmp
- %TEMP%\Cab13.tmp
- %WINDIR%\Temp\Cab15.tmp
- %WINDIR%\Temp\Cab11.tmp
- %TEMP%\CabF.tmp
- %TEMP%\CabD.tmp
- %WINDIR%\Temp\CabB.tmp
- %WINDIR%\Temp\Cab9.tmp
- %WINDIR%\Temp\Cab7.tmp
- %WINDIR%\Temp\Cab5.tmp
- %WINDIR%\Temp\Cab3.tmp
- %WINDIR%\Temp\Cab1.tmp
- <SYSTEM32>\wbem\Logs\FrameWork.log
- %WINDIR%\LTSvc\NoSensors
- %WINDIR%\Temp\cpuz135\cpuz135_x32.sys
- %WINDIR%\LTSvc\Interfaces.dll
- %WINDIR%\LTSvc\LTTray.exe
- %TEMP%\Cab1D.tmp
- %TEMP%\Cab1F.tmp
Substitutes the following files:
- %WINDIR%\LTSvc\LTTray.exe
- %WINDIR%\LTSvc\Interfaces.dll
Network activity:
Connects to:
- 'wp#d':80
- 'as####.##technologycenter.com':443
- 'download.windowsupdate.com':80
- 'localhost':42001
- 'localhost':42002
- 'localhost':42003
- 'localhost':42004
- 'localhost':42005
- 'localhost':42006
- 'localhost':42000
TCP:
HTTP GET requests:
- http://11#.#11.111.1/wpad.dat via wp#d
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt via download.windowsupdate.com
- http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab via download.windowsupdate.com
UDP:
- DNS ASK wp#d
- DNS ASK as####.##technologycenter.com
- DNS ASK www.download.windowsupdate.com
- 'localhost':161
Miscellaneous:
Creates and executes the following:
- '%WINDIR%\LTSvc\LTSVC.exe' -sLTService
- '%WINDIR%\LTSvc\LTSvcMon.exe'
Executes the following:
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe' /name=LTService /account=localsystem %WINDIR%\LTSvc\LTSVC.exe
- '<SYSTEM32>\cmd.exe' /c NET Start LTSvcMon
- '%WINDIR%\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe' /i %WINDIR%\LTsvc\LTSvcMon.exe
- '<SYSTEM32>\cmd.exe' /c netsh firewall set allowedprogram %Windir%\LTsvc\LTTray.exe AgentTray ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall set allowedprogram %Windir%\LTsvc\LTSVCmon.exe AgentMonitor ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall set allowedprogram %Windir%\LTsvc\LTSVC.exe AgentService ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening tcp 4996 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening tcp 4997 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening tcp 4998 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\net.exe' Start LTSvcMon
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening tcp 4999 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42004 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42003 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42002 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42001 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42000 allowagent enable subnet
- '<SYSTEM32>\net1.exe' Stop PSEXESVC
- '<SYSTEM32>\regsvr32.exe' /s "%WINDIR%\LTsvc\wodVPN.dll"
- '<SYSTEM32>\route.exe' print
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 162 allowagent enable subnet
- '<SYSTEM32>\net1.exe' Start LTSvcMon
