Technical Information
To ensure autorun and distribution
Creates or modifies the following files
- %ALLUSERSPROFILE%\start menu\programs\startup\network monitoring tray.lnk
Creates the following services
- [<HKLM>\System\CurrentControlSet\Services\LTService] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\LTService] 'ImagePath' = '"%WINDIR%\LTSvc\LTSVC.exe"'
- [<HKLM>\System\CurrentControlSet\Services\LTService] 'ImagePath' = '"%WINDIR%\LTSvc\LTSVC.exe" -sLTService'
- [<HKLM>\System\CurrentControlSet\Services\cpuz135] 'ImagePath' = '%WINDIR%\TEMP\cpuz135\cpuz135_x32.sys'
- [<HKLM>\System\CurrentControlSet\Services\LTSvcMon] 'Start' = '00000002'
- [<HKLM>\System\CurrentControlSet\Services\LTSvcMon] 'ImagePath' = '"%WINDIR%\LTsvc\LTSvcMon.exe"'
Malicious functions
To bypass firewall, removes or modifies the following registry keys
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\LTSvc\LTSVC.exe' = '%WINDIR%\LTSvc\LTSVC.exe:*:Enabled:Ag...
- [<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] '%WINDIR%\LTSvc\LTTray.exe' = '%WINDIR%\LTSvc\LTTray.exe:*:Enabled:...
Executes the following
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42000 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42001 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42002 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42003 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 42004 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening udp 162 allowagent enable subnet
- '<SYSTEM32>\netsh.exe' firewall set portopening tcp 4999 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\netsh.exe' firewall set portopening tcp 4998 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\netsh.exe' firewall set portopening tcp 4997 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\netsh.exe' firewall set portopening tcp 4996 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\netsh.exe' firewall set allowedprogram %WINDIR%\LTsvc\LTSVC.exe AgentService ENABLE
- '<SYSTEM32>\netsh.exe' firewall set allowedprogram %WINDIR%\LTsvc\LTSVCmon.exe AgentMonitor ENABLE
- '<SYSTEM32>\netsh.exe' firewall set allowedprogram %WINDIR%\LTsvc\LTTray.exe AgentTray ENABLE
Modifies file system
Creates the following files
- <Current directory>\installlog.txt
- %WINDIR%\ltsvc\ltsvcmon.installstate
- %WINDIR%\ltsvc\ltsvcmon.installlog
- %WINDIR%\microsoft.net\framework\v2.0.50727\installutil.installlog
- %WINDIR%\ltsvc\ltsvcmon.exe
- %WINDIR%\ltsvc\lsr.exe
- %WINDIR%\ltsvc\ultravnc.ini
- %WINDIR%\ltsvc\labvnc.ini
- %WINDIR%\ltsvc\cad.exe
- %WINDIR%\ltsvc\schook.dll
- %WINDIR%\ltsvc\vnchooks.dll
- %WINDIR%\ltsvc\labvnc.exe
- %WINDIR%\ltsvc\sas.dll
- %WINDIR%\ltsvc\screenhooks.dll
- %WINDIR%\ltsvc\tvnserver.exe
- %WINDIR%\ltsvc\ps.exe
- %WINDIR%\temp\cpuz135\cpuz135_x32.sys
- %WINDIR%\ltsvc\nosensors
- %WINDIR%\ltsvc\wodvpn.dll
- %WINDIR%\ltsvc\cpuidsdk.dll
- %WINDIR%\ltsvc\lterrors.txt
- %WINDIR%\ltsvc\ltsvc.installstate
- %WINDIR%\ltsvc\ltsvc.installlog
- <Current directory>\installutil.installlog
- %WINDIR%\ltsvc\interfaces.dll
- %WINDIR%\ltsvc\lttray.exe
- %WINDIR%\ltsvc\ltsvc.exe
- %WINDIR%\ltsvc\labtech.ico
- %WINDIR%\ltsvc\ltsvcmon.txt
- %WINDIR%\temp\ltcache\updateswindowsupdateagent30-x86exe.exe.cache
Deletes the following files
- %WINDIR%\ltsvc\ltsvc.installlog
- %WINDIR%\ltsvc\lttray.exe
- %WINDIR%\ltsvc\interfaces.dll
- %WINDIR%\temp\cpuz135\cpuz135_x32.sys
- %WINDIR%\ltsvc\nosensors
- <SYSTEM32>\wbem\logs\framework.log
- %WINDIR%\temp\ltcache\updateswindowsupdateagent30-x86exe.exe.cache
Substitutes the following files
- %WINDIR%\ltsvc\lttray.exe
- %WINDIR%\ltsvc\interfaces.dll
Network activity
TCP
HTTP GET requests
- http://lt.###omatedit.com/labtech/updates/ForceUpdate.cst
- http://lt.###omatedit.com/LabTech/updates/WindowsUpdateAgent30-x86.exe
- http://lt.###omatedit.com/LabTech/agent.aspx
HTTP POST requests
- http://lt.###omatedit.com/LabTech/agent.aspx?0c##
UDP
- DNS ASK lt.###omatedit.com
- 'localhost':161
Miscellaneous
Creates and executes the following
- '%WINDIR%\ltsvc\ltsvc.exe' -sLTService
- '%WINDIR%\ltsvc\ltsvcmon.exe'
- '%WINDIR%\microsoft.net\framework\v2.0.50727\installutil.exe' /name=LTService /account=localsystem %WINDIR%\LTSvc\LTSVC.exe' (with hidden window)
Executes the following
- '%WINDIR%\microsoft.net\framework\v2.0.50727\installutil.exe' /name=LTService /account=localsystem %WINDIR%\LTSvc\LTSVC.exe
- '<SYSTEM32>\net.exe' Start LTSvcMon
- '<SYSTEM32>\cmd.exe' /c NET Start LTSvcMon
- '%WINDIR%\microsoft.net\framework\v2.0.50727\installutil.exe' /i %WINDIR%\LTsvc\LTSvcMon.exe
- '<SYSTEM32>\cmd.exe' /c netsh firewall set allowedprogram %Windir%\LTsvc\LTTray.exe AgentTray ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall set allowedprogram %Windir%\LTsvc\LTSVCmon.exe AgentMonitor ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall set allowedprogram %Windir%\LTsvc\LTSVC.exe AgentService ENABLE
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening tcp 4996 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening tcp 4997 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening tcp 4998 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening tcp 4999 allowagent enable custom 127.0.0.1,localsubnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 162 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42004 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42003 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42002 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42001 allowagent enable subnet
- '<SYSTEM32>\cmd.exe' /c netsh firewall set portopening udp 42000 allowagent enable subnet
- '<SYSTEM32>\net1.exe' Stop PSEXESVC
- '<SYSTEM32>\regsvr32.exe' /s "%WINDIR%\LTsvc\wodVPN.dll"
- '<SYSTEM32>\verclsid.exe' /C {B5A7F190-DDA6-4420-B3BA-52453494E6CD} /I {00000000-0000-0000-C000-000000000046} /X 0x401
- '<SYSTEM32>\net1.exe' Start LTSvcMon
- '<SYSTEM32>\net1.exe' USER
