System Infected: Trojan.Litagody Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects traffic generated by Trojan.Litagody which may compromise the target host.

Additional Information

This Trojan may be downloaded from malicious websites that exploit the following vulnerabilities:
Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID 30035)
Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID 34169)
Adobe Acrobat, Reader, and Flash CVE-2010-3654 Remote Code Execution Vulnerability (BID 44504)
Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability (BID 37331)

When the Trojan is executed, it creates the following mutex:
abc123333ppo

The Trojan then gathers information about the compromised computer, such as running processes and installed software.

It sends this information using a POST request to one of the following locations:
[http://]yu23tgjjfkk.com/sea[REMOVED]
[http://]67.210.105.166/sea[REMOVED]

The Trojan then downloads an update of itself as an encrypted DLL and registers it as a service.
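An added detection example (not Symantec's signature and not the Trojan's code): a Python check that tags web proxy log lines reaching the two locations listed above, flagging a POST to a path under the visible "sea" prefix as the beacon described and any other request to those hosts as a contact worth triage. The proxy log layout and the sample lines are constructed for this example; the rest of the URL path is redacted on the page, so only the shown prefix is matched.

```python
import re
from typing import Dict, List, Optional

# Network indicators quoted in the description above; the page redacts the
# rest of the URL path, so only the "/sea" prefix can be matched.
LITAGODY_HOSTS = {"yu23tgjjfkk.com", "67.210.105.166"}
LITAGODY_PATH_PREFIX = "/sea"

# Constructed (assumed) proxy log layout: <timestamp> <client_ip> <method> <url> <status>
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")
URL = re.compile(r"^https?://([^/:?#]+)(?::\d+)?(/[^?#]*)?")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for lines that do not fit the layout."""
    m = LOG_LINE.match(line.strip())
    u = URL.match(m.group(4)) if m else None
    if not u:
        return None
    ts, client, method, _, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "status": status,
            "host": u.group(1).lower(), "path": u.group(2) or "/"}

def classify(rec: Dict[str, str]) -> Optional[str]:
    """'beacon' for the POST described above, 'contact' for any other request
    to a listed host, None for unrelated traffic."""
    if rec["host"] not in LITAGODY_HOSTS:
        return None
    if rec["method"] == "POST" and rec["path"].startswith(LITAGODY_PATH_PREFIX):
        return "beacon"
    return "contact"

def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Parsed records, each tagged with a verdict, for every line touching a listed host."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        verdict = classify(rec) if rec else None
        if verdict:
            hits.append({**rec, "verdict": verdict})
    return hits

# Constructed sample lines (not captured traffic).
SAMPLE_LOG = [
    "2012-03-01T10:00:00Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2012-03-01T10:00:05Z 10.0.0.5 POST http://yu23tgjjfkk.com/sea/report.php 200",
    "2012-03-01T10:01:12Z 10.0.0.7 POST http://67.210.105.166/sea 404",
    "2012-03-01T10:02:30Z 10.0.0.7 GET http://YU23TGJJFKK.com/update.bin 200",
    "garbage line that does not parse",
]
```

Running `find_hits(SAMPLE_LOG)` yields two beacon records and one contact record; the hostname match is the strong indicator, the path prefix only separates the described POST from other traffic to the same hosts.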

Affected

  • Windows 2000, Windows Server 2003, Windows Vista, Windows XP