Lecna is a backdoor that allows remote access to infected machine.
It can also utilize rootkit techniques to hide its actions. It may
be installed via Microsoft Jet Database file using a vulnerability
in msjet40.dll.
Installation to system
When run, the backdoor copies itself under %SysDir% directory
using the name 'iexplore.exe'. Then it creates a mutex named
'MicrosoftZj' for ensuring it will not run multiple copies of
the backdoor at the same time. It installs the following registry
key to make sure it will be executed next time the system is started:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"iexplore.exe" = "iexplore.exe"
The backdoor also creates the following registry keys:
[HKLM\Software\Microsoft\CurrentNetInf]
"pid" = %ProcessId%
"hostid" = %HostId%
%ProcessId% and %HostId% are random values used to identify the
backdoor.
If the backdoor is running under Windows NT-based system, it drops
and activates a file 'USBTest.sys'. This file is a rootkit component.
See more information on section 'Rootkit'. If the system is Win9x-based,
the worm tries to hide the process by issuing Win32 API call
'RegisterServiceProcess'.
The backdoor may also leave the following files on infected system:
%WinDir%\netsvc.exe
%SysDir%\cmdLine.exe
Filename 'netsvc.exe' is used by the backdoor when downloading and
executing additional files (see the section Backdoor below) and
'cmdLine.exe' is used in uninstallation. It is a simple executable
that deletes a file given as command line argument. It is embedded
in the backdoors body.
Backdoor
After the installation, Lecna starts to communicate with the server
part using specially crafted HTTP queries. If needed, it can also
make a use of HTTP proxy settings it finds in the registry. The server
can instruct the backdoor to execute the following actions:
Basic file operations (copy, delete, rename, find, execute)
Download/upload files
Process operations (list, kill)
Spawn interactive command shell
Registry operations (create/delete keys/values)
Enumerate shares on remote computers
Uninstall the backdoor
The backdoor may also download and execute additional components
from several remote servers.
Rootkit
Lecna carries an encrypted driver file 'USBTest.sys' in its body
which it drops in directory '%SysDir%\drivers'. The driver is
activated using a standard Windows Service Manager API. This
driver implements the following rootkit functionality:
Hide network connections
Hide processes
Hide files and directories
Hide registry entries
When the driver is activate, the backdoor instructs it to hide
its file, process and registry entry, as well as connections
to servers it uses for communication.
[FSAV_Database_Version]
Version=2005-04-21_02
Technical Details:
Jarkko Turkulainen; Apr 21th, 2005;
F-Secure Corporation
