I-Worm.Lentin. Viruses Information

Name: I-Worm.Lentin.
Category: Viruses
Description: Details
I-Worm.Lentin.a

(aka Yaha)
This is a worm that spreads via the Internet as an attachment to infected e-mails. The worm itself is a Windows PE EXE file about 21 KB in size (apparently compressed with UPX; decompressed size about 72 KB), written in Microsoft Visual C++.
Infected messages carry the attached file "valentin.scr" (the worm itself) and one of two variants of subject and message body:
Subject 1:
Melt the Heart of your Valentine with this beautiful Screen saver
Body 1:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com * To remove yourself from this mailing list, point your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe". ORall
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

The second variant of infected messages looks like a forwarded copy of the first:
Subject 2:
Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Body 2:
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver"
To:
Sent: Friday, February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com * To remove yourself from this mailing list, point your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe". OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

where %EmailAddress% is the user's e-mail address. The worm is activated from an infected e-mail only if the user opens the attached file. The worm then installs itself in the system and runs its spreading routine and payload.
Installing
While installing, the worm copies itself to the C:\RECYCLED directory under the names MSMDM.EXE and MSSCRA.EXE and registers the first file in the system registry auto-run key HKCR\exefile\shell\open\command with the value "c:\recycled\msmdm.exe %1 %*", so that the worm is run whenever an EXE file is started. The worm then hides its activity behind fake "Ur My Valentine.." texts randomly placed on the screen, and resizes the windows on the desktop.
In some cases it also displays a fake error message:
Config
No Configuration is availabile Now
Enjoy !!!

Spreading
To send infected messages the worm connects directly to an SMTP server.
To harvest victim addresses the worm searches the Windows Address Book, the MSN and .NET Messenger cache folders, and HTM(L) files.
While collecting addresses the worm creates two data files of its own in the Windows directory: "screendback.dll" and "www.dll".
Other versions
Lentin.g, aka Yaha.e [Analysis: Alexey Podrezov, F-Secure Corp., June 2002]
The worm is about 27 KB in size (packed with UPX). The worm's files have random data appended at the end. The worm contains many encrypted strings.
Installation
The worm copies itself under a random name to the directory C:\Recycler or C:\Recycled. Then it modifies the default EXE file startup key HKCU\exefile\shell\open\command, so that it is started every time an EXE file is executed. If the worm is started from the file MSTASKMON.EXE, it modifies the auto-run section of the file WIN.INI.
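Both Lentin.a and Lentin.g hook the exefile shell-open-command key so that every EXE launch is routed through the worm. As an added example (not part of the original analysis), the following Python check parses a .reg export of that key, in whatever hive it appears, and flags any default value other than the stock "%1" %* launcher; the two exports embedded below are constructed samples, not real captures.

```python
import re

# Stock launcher command for .exe files on a clean Windows system.
EXEFILE_DEFAULT = '"%1" %*'

def parse_reg_export(text):
    """Parse a minimal .reg export into {key: {value_name: data}}.
    Only REG_SZ lines (name="data") are handled; that is all this check needs."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            result.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else m.group(1)[1:-1]
            # .reg files escape backslashes and quotes with a backslash.
            data = re.sub(r"\\(.)", r"\1", m.group(2)[1:-1])
            result[current][name] = data
    return result

def check_exefile_handler(reg_text):
    """Return (key, command) pairs for every exefile shell-open-command key, in
    any hive, whose default value is not the stock launcher. Anything else means
    each .exe is started through a third program, which is what Lentin does."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if not key.lower().endswith(r"\exefile\shell\open\command"):
            continue
        cmd = values.get("@", "")
        if cmd.strip().lower() != EXEFILE_DEFAULT.lower():
            findings.append((key, cmd))
    return findings

# Constructed export resembling a Lentin.a-infected system (not a real capture):
# the worm's path has replaced the stock launcher; an unrelated key is included
# to show that only the exefile handler is considered.
INFECTED_EXPORT = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="c:\\recycled\\msmdm.exe %1 %*"
[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

# Constructed clean export for comparison.
CLEAN_EXPORT = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''
```

The same check applies to a per-user copy of the key under HKEY_CURRENT_USER\Software\Classes, since only the key's tail is matched.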
Replication: e-mail
The subject of the infected message is selected from the following list.
It may also contain the string "Fw:".
searching for true Love
you care ur friend
Who is ur Best Friend make ur friend happy True Love
Dont wait for long time Free Screen saver Friendship Screen saver Looking for Friendship Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say 'I Like You' To ur friend Easy Way to revel ur love Wowwwwwwwwwww check it
Send This to everybody u like Enjoy Romantic life
Let's Dance and forget pains war Againest Loneliness
How sweet this Screen saver Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love love speaks from the heart Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship Check ur friends Circle Friendship how are you
U r the person?
U realy Want this
Romantic humour NewWonderfool excite Cool charming Idiot Nice Bullsh*t One Funny Great LoveGangs Shaking powful Joke Interesting
Screensaver Friendship Love relations stuff
to ur friends to ur lovers for you to see to check to watch to enjoy to share
:-)
!
!!

The body of the infected messages can contain the following strings:
Check the attachment
See the attachement
Enjoy the attachement
More details attached
Hi
Check the Attachement ..
See u
Hi
Check the Attachement ..
Attached one Gift for u..
wOW CHECK THIS

This may be followed by a fake non-delivery report or a fake screensaver subscription message. When the worm sends a fake bounce message, it looks like this:
This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: %EmailAddress%
For further assistance, please contact %EmailAddress%
If you do so, please include this problem report. You can delete your own text from the message returned below.
Copy of your message, including all the headers is attached

This is followed by an EML attachment with a random name that contains the worm's sample and usually an IFrame exploit, which makes the attachment run automatically on unpatched e-mail clients. When the worm spreads with a fake screensaver subscription message, it looks like this:
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to:
* Enter your email address (%EmailAddress%) in the field
provided and click "Unsubscribe".
* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address %EmailAddress%
X-PMG-Recipient: %EmailAddress%
<>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>>

where %EmailAddress% is the user's e-mail address.
Attached file names with the SCR extension are:
screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullshitscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
f*cker

The worm also spreads as an attachment with a double extension, using one of the following names or a random name:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love

The first extension of the attachment can be:
doc mp3 xls wav txt jpg gif dat bmp htm mpg mdb zip
The last extension can be:
pif bat scr
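The naming rules above give a mail gateway something concrete to match on. As an added example (not part of the original analysis), this Python filter flags the single-extension SCR names and the document-plus-executable double extensions the description lists; the name sets are abbreviated to a subset of the page's lists, and the filenames used in testing are constructed.

```python
# Attachment naming patterns of I-Worm.Lentin/Yaha, taken from the description
# above. The name sets are a representative subset (constructed for this
# example); a production filter would load the full lists.
SCR_NAMES = {
    "valentin", "screensaver", "screensaver4u", "freescreensaver", "love",
    "lovers", "loverscreensaver", "friendship", "friendscircle", "shakeit",
}
DOUBLE_EXT_NAMES = {
    "loveletter", "resume", "biodata", "dailyreport", "mountan", "goldfish",
    "weeklyreport", "report", "love",
}
FIRST_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif", "dat", "bmp",
              "htm", "mpg", "mdb", "zip"}
LAST_EXTS = {"pif", "bat", "scr"}

def classify_attachment(filename):
    """Return a verdict string for an attachment name, or None if it matches
    none of the worm's patterns. Matching is case-insensitive because Windows
    resolves extensions that way."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return None
    stem, exts = parts[0], parts[1:]
    last = exts[-1]
    if last not in LAST_EXTS:
        return None  # final extension is not one the worm uses
    if len(exts) >= 2 and exts[-2] in FIRST_EXTS:
        # e.g. "resume.doc.scr": a document extension hiding an executable one.
        who = "known name" if stem in DOUBLE_EXT_NAMES else "random name"
        return f"double extension ({who})"
    if last == "scr" and len(exts) == 1 and stem in SCR_NAMES:
        return "known screensaver name"
    return None

def filter_attachments(names):
    """Classify a batch of attachment names; return only the flagged ones."""
    return {n: v for n in names if (v := classify_attachment(n))}
```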
The worm also replicates over the local network. One of its threads looks for open shares and searches them for directories with the following names:
WINXP WINME WIN WINNT WIN95 WIN98 WINDOWS
In these directories the worm looks for the file WIN.INI. If it is found, the worm copies itself to that directory as MSTASKMON.EXE and modifies WIN.INI on the remote system so that it is started there after the next reboot. Since WIN.INI auto-run entries are honoured only under Windows 9x, this does not work on NT-based systems.
The worm scans for and terminates processes whose names contain the following strings:
PCCIOMON
PCCMAIN
POP3TRAP
WEBTRAP
AVCONSOL
AVSYNMGR
VSHWIN32
VSSTAT
NAVAPW32
NAVW32
NMAIN
LUALL
LUCOMSERVER
IAMAPP
ATRACK
NISSERV
RESCUE32
SYMPROXYSVC
NISUM
NAVAPSVC
NAVLU32
NAVRUNR
NAVWNT
PVIEW95
F-STOPW
F-PROT95
PCCWIN98
IOMON98
FP-WIN
NVC95
NORTON
MCAFEE
ANTIVIR
WEBSCANX
SAFEWEB
ICMON
CFINET
CFINET32
AVP.EXE
LOCKDOWN2000
AVP32
ZONEALARM
WINK
SIRC32
SCAM32

The worm has different process-killing routines for different operating system families. It scans memory regularly and does not allow these processes to start on an infected system. The worm also looks for and terminates the Windows Task Manager process.
Payloads
When the worm's file is started and has the SCR extension, it may display a video effect.

The worm creates a TXT file with a random name in the Windows directory containing the following text:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh uS & f*Ck tHE GFORCE-pAK sh*tes
bY
sNAkeeYes,c0Bra
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

© 2006-2008 spyware32.com