I-Worm.Lentin, aka Yaha

This is a worm spreading via the Internet as an attachment to infected e-mails. The worm itself is a Windows PE EXE file about 21Kb in length (compressed by UPX?, decompressed size about 72Kb), written in Microsoft Visual C++.

The infected messages carry the attached file "valentin.scr" (the worm itself) and one of two variants of subject and message body:

Subject 1:
Melt the Heart of your Valentine with this beautiful Screen saver

Body 1:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

The second variant of infected message looks like the first variant forwarded:

Subject 2:
Fw: Melt the Heart of your Valentine with this beautiful Screen saver

Body 2:
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver"
To:
Sent: Friday, February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

where %EmailAddress% is the user's e-mail address.

The worm activates from an infected e-mail only if the user clicks on the attached file. The worm then installs itself into the system and runs its spreading routine and payload.

Installing

While installing, the worm copies itself to the C:\RECYCLED directory under the names MSMDM.EXE and MSSCRA.EXE and registers the first file in the system registry auto-run key:

HKCR\exefile\shell\open\command
c:\recycled\msmdm.exe %1 %*

The worm then hides its activity behind fake "Ur My Valentine.." texts randomly placed on the screen, and then resizes the windows on the desktop. In some cases it also displays a fake error message:

Config
No Configuration is availabile
Now Enjoy !!!

Spreading

To send infected messages the worm connects directly to an SMTP server. To obtain victim addresses the worm looks for them in the Windows Address Book, the MSN and .NET Messenger cache folders and HTM(L) files. While looking for e-mail addresses the worm creates two data files of its own in the Windows directory: "screendback.dll" and "www.dll".

Other versions

Lentin.g, aka Yaha.e
[Analysis: Alexey Podrezov, F-Secure Corp., June 2002]

The worm is 27Kb in size (packed with UPX). The worm's files have a random date at the end. The worm contains many encrypted strings.

Installation

The worm copies itself under a random name to the directory C:\Recycler or C:\Recycled. Then it modifies the default EXE file startup key:

HKCU\exefile\shell\open\command

so that the worm is started each time an EXE file is executed. If the worm is started from the file MSTASKMON.EXE, it modifies the auto-run section of the file WIN.INI.

Replication: e-mail

The subject of the infected message is selected from the following list. It can also contain the string "Fw:".

searching for true Love
you care ur friend
Who is ur Best Friend
make ur friend happy
True Love
Dont wait for long time
Free Screen saver
Friendship Screen saver
Looking for Friendship
Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say 'I Like You' To ur friend
Easy Way to revel ur love
Wowwwwwwwwwww check it
Send This to everybody u like
Enjoy Romantic life
Let's Dance and forget pains
war Againest Loneliness
How sweet this Screen saver
Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love
love speaks from the heart
Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship
Check ur friends Circle
Friendship
how are you
U r the person?
U realy Want this
Romantic
humour
New
Wonderfool
excite
Cool
charming
Idiot
Nice
Bullsh*t
One
Funny
Great
LoveGangs
Shaking
powful
Joke
Interesting
Screensaver
Friendship
Love
relations
stuff
to ur friends
to ur lovers
for you
to see
to check
to watch
to enjoy
to share
:-)
!
!!

The body of the infected messages can contain the following strings:

Check the attachment
See the attachement
Enjoy the attachement
More details attached
Hi Check the Attachement .. See u
Hi Check the Attachement ..
Attached one Gift for u..
wOW CHECK THIS

A fake undeliverable-message report or a fake screensaver subscription message can then follow. When the worm sends a fake bounced message, it looks like this:

This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
%EmailAddress%
For further assistance, please contact %EmailAddress%
If you do so, please include this problem report. You can delete your own text from the message returned below.
Copy of your message, including all the headers is attached

Then follows an EML file attachment with a random name that contains the worm's sample and usually an IFrame exploit to make the attachment run automatically on unpatched e-mail clients.

When the worm spreads with a fake screensaver subscription message, it looks like this:

This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to:
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address %EmailAddress%
X-PMG-Recipient: %EmailAddress%
<>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>>

where %EmailAddress% is the user's e-mail address.

The attached file names with the SCR extension are:

screensaver screensaver4u screensaver4u screensaverforu freescreensaver
love lovers lovescr loverscreensaver loversgang loveshore love4u lovers
enjoylove sharelove shareit checkfriends urfriend friendscircle friendship
friends friendscr friends friends4u friendship4u friendshipbird
friendshipforu friendsworld werfriends passion bullshitscr shakeit shakescr
shakinglove shakingfriendship passionup rishtha greetings lovegreetings
friendsgreetings friendsearch lovefinder truefriends truelovers f*cker

The worm also spreads as an attachment with a double extension and one of the following names, or with a random name:

loveletter resume biodata dailyreport mountan goldfish weeklyreport report love

The first extension of the attachment can be:

doc mp3 xls wav txt jpg gif dat bmp htm mpg mdb zip

The last extension can be:

pif bat scr

Replication: local network

The worm also replicates through the local network. One of its threads looks for open shares and searches for directories with the following names:

WINXP WINME WIN WINNT WIN95 WIN98 WINDOWS

In these directories the worm looks for the file WIN.INI. If this file is found, the worm copies itself to the destination directory under the name MSTASKMON.EXE and modifies the WIN.INI file on the remote system so that it starts itself there after the next reboot. The WIN.INI auto-start works under Windows 9x only and does not work under NT-based systems.
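The e-mail replication described above gives a mail gateway three cheap signals: the fixed subject lines (with or without a "Fw:" prefix), attachment names with a document-looking first extension and a .pif/.bat/.scr last extension, and a fake bounce whose attached .eml carries the real payload together with an inline IFrame. The following filter is an added example written for this page; it is not code from the analysts or from any product. It uses only the Python standard library, the sample messages it scans are constructed inline, and KNOWN_SUBJECTS holds only a subset of the subject list above (a real deployment would load the whole list).

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment naming scheme from the description above: a document-looking
# first extension followed by an executable last extension.
DECOY_EXTS = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif", "dat",
              "bmp", "htm", "mpg", "mdb", "zip"}
EXEC_EXTS = {"pif", "bat", "scr"}
# Constructed subset of the worm's subject list (assumption: a real filter
# would carry the full list from the analysis).
KNOWN_SUBJECTS = {
    "melt the heart of your valentine with this beautiful screen saver",
    "free screen saver",
    "need a friend?",
}
IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)


def classify_attachment(filename):
    """Return why an attachment name is suspicious, or None if it is not."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 2 or parts[-1] not in EXEC_EXTS:
        return None
    if len(parts) == 3 and parts[1] in DECOY_EXTS:
        return f"double extension .{parts[1]}.{parts[-1]}"
    return f"executable attachment .{parts[-1]}"


def scan_message(msg, depth=0):
    """Walk a parsed message and return (depth, where, reason) findings.
    Attached .eml files (the fake-bounce trick) are parsed and scanned too."""
    findings = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower().startswith("fw:"):
        subject = subject[3:].strip()
    if subject.lower() in KNOWN_SUBJECTS:
        findings.append((depth, "<subject>", "known worm subject"))
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            reason = classify_attachment(filename)
            if reason:
                findings.append((depth, filename, reason))
            if filename.lower().endswith(".eml") and depth < 3:
                inner = email.message_from_bytes(part.get_payload(decode=True),
                                                 policy=policy.default)
                findings.extend(scan_message(inner, depth + 1))
        elif part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            if IFRAME_RE.search(html):
                findings.append((depth, "<html body>", "inline iframe"))
    return findings


def scan_raw(raw_bytes):
    """Parse raw RFC 822 bytes and scan them."""
    return scan_message(email.message_from_bytes(raw_bytes, policy=policy.default))


def build_sample(subject, attachments, html=None):
    """Construct a test message (not a real worm sample) with the given
    subject, list of (filename, bytes) attachments and optional HTML body."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Hi Check the Attachement .. See u")
    if html:
        msg.add_alternative(html, subtype="html")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    # Constructed fake bounce: the outer message looks harmless, the attached
    # .eml carries a .scr attachment and an inline IFrame.
    inner = build_sample("Fw: Free Screen saver", [("lovers.scr", b"MZ-stub")],
                         html="<html><IFRAME src='cid:x'></IFRAME></html>")
    bounce = build_sample("Mail delivery failed", [("report.eml", inner)])
    for finding in scan_raw(bounce):
        print(finding)
```

The recursion into attached .eml files is the part worth keeping: the outer bounce carries no executable and no known subject, so a filter that only inspects top-level attachments passes it through. The depth field in each finding tells the operator which layer tripped the rule.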
The worm scans for and terminates processes whose names contain the following strings:

PCCIOMON PCCMAIN POP3TRAP WEBTRAP AVCONSOL AVSYNMGR VSHWIN32 VSSTAT
NAVAPW32 NAVW32 NMAIN LUALL LUCOMSERVER IAMAPP ATRACK NISSERV RESCUE32
SYMPROXYSVC NISUM NAVAPSVC NAVLU32 NAVRUNR NAVWNT PVIEW95 F-STOPW
F-PROT95 PCCWIN98 IOMON98 FP-WIN NVC95 NORTON MCAFEE ANTIVIR WEBSCANX
SAFEWEB ICMON CFINET CFINET32 AVP.EXE LOCKDOWN2000 AVP32 ZONEALARM WINK
SIRC32 SCAM32

The worm has different process-killing routines for different types of operating system. It scans memory regularly and does not allow these processes to start on the infected system. The worm also looks for and terminates the Windows Task Manager process.

Payloads

When the worm's file is started and has the SCR extension, it may display a video effect. The worm creates a TXT file with a random name in the Windows directory with the following text:

<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh uS & f*Ck tHE GFORCE-pAK sh*tes
bY sNAkeeYes,c0Bra
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
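Both variants described above persist through the same two hooks: the exefile\shell\open\command registry value, whose clean default is "%1" %* and which the worm prefixes with its own path so that it runs before every EXE, and the run=/load= lines of the [windows] section of WIN.INI on Windows 9x. The script below is an added example written for this page, not the analysts' or any vendor's tool; it checks both hooks. The WIN.INI excerpt is constructed, the regular expression for the hijacked command shape is an assumption about how such values are written, and live_check() only reads real values when run on Windows.

```python
import configparser
import os
import platform
import re

# Clean default of the exefile open command on Windows: run the EXE with its args.
DEFAULT_EXEFILE_COMMAND = '"%1" %*'
# Assumed hijack shape: <interloper program> then "%1" %* (quotes optional).
HIJACK_RE = re.compile(r'(.*?)\s*"?%1"?\s*%\*\s*$')

# Constructed WIN.INI excerpt (not a captured file) with a worm-style run= entry.
SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\MSTASKMON.EXE
NullPort=None
device=HP LaserJet,HPPCL5MS,LPT1:

[Desktop]
Wallpaper=(None)
"""


def check_exefile_command(value):
    """Return the program prepended to the EXE open command, or None if the
    command is the clean default. A hijacked value such as
    'c:\\recycled\\msmdm.exe %1 %*' runs the interloper first, which then
    launches the EXE the user asked for (%1) with its arguments (%*)."""
    value = value.strip()
    if value == DEFAULT_EXEFILE_COMMAND:
        return None
    m = HIJACK_RE.match(value)
    if m:
        return m.group(1).strip() or None   # only spacing differed: clean
    return value                            # unrecognised shape: report it whole


def check_win_ini(text):
    """Return (key, program) pairs for non-empty run=/load= lines in the
    [windows] section; these are Windows 9x auto-start hooks."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True, delimiters=("=",))
    parser.read_string(text)
    findings = []
    if parser.has_section("windows"):
        for key in ("run", "load"):
            value = (parser.get("windows", key, fallback="") or "").strip()
            if value:
                findings.append((key, value))
    return findings


def live_check():
    """On Windows, read the real registry value and WIN.INI; elsewhere return None."""
    if platform.system() != "Windows":
        return None
    import winreg  # Windows-only module, imported lazily
    command = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT,
                                r"exefile\shell\open\command")
    ini_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "win.ini")
    try:
        with open(ini_path, encoding="latin-1") as fh:
            ini_text = fh.read()
    except OSError:
        ini_text = ""
    return check_exefile_command(command), check_win_ini(ini_text)


if __name__ == "__main__":
    print(check_exefile_command(r"c:\recycled\msmdm.exe %1 %*"))
    print(check_win_ini(SAMPLE_WIN_INI))
    print(live_check())
```

Any non-empty run= or load= entry is reported rather than matched against the worm's file name, because the name on a remote share (MSTASKMON.EXE) differs from the random name the worm uses locally; an operator compares the reported program against what the machine is expected to auto-start.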