[Helpc] Infos virus: I-Worm.Lentin , aka Yaha

  • From: "Shaka( Rudy)" <strub.rudy@xxxxxxxxx>
  • To: <helpc@xxxxxxxxxxxxx>
  • Date: Wed, 10 Jul 2002 06:15:52 +0200

I-Worm.Lentin , aka Yaha
This is a worm that spreads via the Internet as an attachment to
infected e-mails. The worm itself is a Windows PE EXE file about 21Kb in
length (compressed with UPX?, decompressed size about 72Kb), written in
Microsoft Visual C++.
The infected messages carry the attached file "valentin.scr" (the worm
itself) and one of two variants of subject and message body:
Subject 1:
Melt the Heart of your Valentine with this beautiful Screen saver
Body 1:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from
www.screensaverin.com * To remove yourself from this mailing list, point
your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and
click "Unsubscribe". OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
The second variant of the infected message looks like a forward of the
first variant:
Subject 2: 
Fw: Melt the Heart of your Valentine with this beautiful Screen saver 
Body 2: 
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver" 
To: 
Sent: Friday,  February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine with this beautiful Screen
saver <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
<<<>>> This e-mail is never sent unsolicited. If you need to
unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from
www.screensaverin.com * To remove yourself from this mailing list, point
your browser to: http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and
click "Unsubscribe". OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
where %EmailAddress% is the user's e-mail address.
The worm activates from an infected e-mail only if the user opens the
attached file. It then installs itself on the system and runs its
spreading routine and payload.
Installing
While installing, the worm copies itself to the C:\RECYCLED directory
under the names MSMDM.EXE and MSSCRA.EXE and registers the first file in
the EXE-file open command key of the system registry:
HKCR\exefile\shell\open\command = c:\recycled\msmdm.exe %1 %*
The worm then hides its activity behind fake "Ur My Valentine.." texts
placed randomly on the screen, and then resizes the windows on the
desktop.
In some cases it also displays a fake error message:
Config
No Configuration is availabile Now
Enjoy  !!! 
Spreading
To send infected messages the worm uses a direct connection to an SMTP
server.
To collect victim e-mail addresses the worm searches the Windows Address
Book, the MSN and .NET Messenger cache folders and HTM(L) files.
While looking for e-mail addresses the worm creates two data files of
its own in the Windows directory: "screendback.dll" and "www.dll".
Other versions
Lentin.g , aka Yaha.e [Analysis: Alexey Podrezov, F-Secure Corp., June
2002] 
The worm is 27Kb in size (packed with UPX). The worm's files have a
random date at the end. The worm contains many encrypted strings.
Installation
The worm copies itself under a random name to the directory C:\Recycler
or C:\Recycled. Then it modifies the default EXE-file open command key
HKCU\exefile\shell\open\command, so the worm starts every time an EXE
file is executed. If the worm is started from the file MSTASKMON.EXE, it
modifies the auto-run section of the file WIN.INI.
Replication: e-mail 
The subject of the infected message is selected from the following list;
it may also contain the string "Fw:".
searching for true Love
you care ur friend
Who is ur Best Friend make ur friend happy True Love
Dont wait for long time Free Screen saver Friendship Screen saver
Looking for Friendship Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say 'I Like You' To ur friend Easy Way to revel ur love Wowwwwwwwwwww
check it
Send This to everybody u like Enjoy Romantic life
Let's Dance and forget pains war Againest Loneliness
How sweet this Screen saver Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love love speaks from the heart Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship Check ur friends Circle Friendship how are you
U r the person?
U realy Want this 
Romantic humour NewWonderfool excite Cool charming Idiot Nice Bullsh*t
One Funny Great LoveGangs Shaking powful Joke Interesting
Screensaver Friendship Love relations stuff
to ur friends to ur lovers for you to see to check to watch to enjoy to
share
:-)
!
!!
The body of the infected message can contain the following strings:
Check the attachment 
See the attachement 
Enjoy the attachement 
More details attached 
Hi
Check the Attachement ..
See u 
Hi
Check the Attachement .. 
Attached one Gift for u.. 
wOW CHECK THIS
This may be followed by a fake undeliverable-message report or a fake
screensaver subscription message. When the worm sends a fake bounce
message, it looks like this:
This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its
recipients.  This is a permanent error. The following address(es)
failed: %EmailAddress%
For further assistance, please contact  %EmailAddress%
If you do so, please include this problem report. You can delete your
own text from the message returned below.
Copy of your message, including all the headers is attached
An EML file attachment with a random name follows; it contains the
worm's sample and usually an IFrame exploit that makes the attachment
run automatically on unpatched e-mail clients. When the worm spreads
with a fake screensaver subscription message, it looks like this:
This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
*********************************************************** 
Enjoy this friendship Screen Saver and Check ur friends circle... 
Send this screensaver from  to everyone you consider a FRIEND, even if
it means sending it back to the person who sent it to you. If it comes
back to you, then you'll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to: 
* Enter your email address (%EmailAddress%) in the field
provided and click "Unsubscribe". 
* Reply to this message with the word "REMOVE" in the subject line. 
This message was sent to address %EmailAddress%
X-PMG-Recipient: %EmailAddress%
<>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>> <>>>
where %EmailAddress% is the user's e-mail address.
The attached file names with the SCR extension are:
screensaver
screensaver4u
screensaver4u
screensaverforu
freescreensaver
love
lovers
lovescr
loverscreensaver
loversgang
loveshore
love4u
lovers
enjoylove
sharelove
shareit
checkfriends
urfriend
friendscircle
friendship
friends
friendscr
friends
friends4u
friendship4u
friendshipbird
friendshipforu
friendsworld
werfriends
passion
bullshitscr
shakeit
shakescr
shakinglove
shakingfriendship
passionup
rishtha
greetings
lovegreetings
friendsgreetings
friendsearch
lovefinder
truefriends
truelovers
f*cker
The worm also spreads itself as an attachment with a double extension
and one of the following base names, or a random name:
loveletter
resume
biodata
dailyreport
mountan
goldfish
weeklyreport
report
love
The first extension of the attachment can be: 
doc mp3 xls wav txt jpg gif dat bmp htm mpg mdb zip 
The last extension can be: 
pif bat scr 
The worm also replicates through the local network. One of its threads
looks for open shares and searches them for directories with the
following names:
WINXP WINME WIN WINNT WIN95 WIN98 WINDOWS
In those directories it looks for the file WIN.INI. If the file is
found, the worm copies itself to that directory as MSTASKMON.EXE and
modifies WIN.INI on the remote system so that it is started there after
the next reboot. The WIN.INI auto-run mechanism works only under
Windows 9x; it does not work under NT-based systems.
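As an added defender-side illustration (not part of the original analysis or of any F-Secure tool), the following Python code turns three indicators described above into checks: the double-extension attachment naming (first extension from one list, last from pif/bat/scr), the hijacked exefile open command (a clean system holds "%1" %*, the worm prepends its own EXE), and the run=/load= auto-start lines of WIN.INI, which are the Windows 9x entries that analysis says the worm modifies. The sample WIN.INI and command value are constructed for the demonstration.

```python
import re

# Attachment naming scheme from the analysis above (lists copied from the page).
FIRST_EXT = {"doc", "mp3", "xls", "wav", "txt", "jpg", "gif",
             "dat", "bmp", "htm", "mpg", "mdb", "zip"}
LAST_EXT = {"pif", "bat", "scr"}


def classify_attachment(filename):
    """Return a reason string if the name matches the worm's lure patterns, else None."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in FIRST_EXT and parts[2] in LAST_EXT:
        return "double-extension lure"       # e.g. report.doc.pif
    if parts[-1] in LAST_EXT:
        return "executable attachment"       # e.g. friendship.scr, valentin.scr
    return None


def exefile_command_is_hijacked(value):
    """True if the exefile\\shell\\open\\command value does not begin by running
    "%1" itself; a clean system holds '"%1" %*', the worm inserts its own EXE first."""
    v = value.strip()
    return not (v.startswith('"%1"') or v.startswith("%1"))


def winini_autorun_entries(text):
    """Return the non-empty run=/load= values from the [windows] section of a
    WIN.INI (the Win9x auto-start lines the analysis says the worm modifies)."""
    entries, in_windows = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line.lower() == "[windows]"
            continue
        m = re.match(r"(run|load)=(.+)", line, re.IGNORECASE)
        if in_windows and m and m.group(2).strip():
            entries.append(m.group(2).strip())
    return entries


# Constructed sample data (not taken from a real infection) to exercise the checks.
SAMPLE_WININI = "[windows]\nload=\nrun=C:\\WINDOWS\\MSTASKMON.EXE\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_COMMAND = "c:\\recycled\\msmdm.exe %1 %*"   # value quoted in the analysis

if __name__ == "__main__":
    for name in ("report.doc.pif", "friendship.scr", "weeklyreport.xls"):
        print(name, "->", classify_attachment(name))
    print("exefile command hijacked:", exefile_command_is_hijacked(SAMPLE_COMMAND))
    print("WIN.INI auto-start entries:", winini_autorun_entries(SAMPLE_WININI))
```

On a live Windows host the registry value would be read from HKCR\exefile\shell\open\command and WIN.INI from the Windows directory; any entry these checks flag warrants inspection of the referenced file.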
The worm scans for and terminates processes whose names contain the
following strings:
PCCIOMON
PCCMAIN
POP3TRAP
WEBTRAP
AVCONSOL
AVSYNMGR
VSHWIN32
VSSTAT
NAVAPW32
NAVW32
NMAIN
LUALL
LUCOMSERVER
IAMAPP
ATRACK
NISSERV
RESCUE32
SYMPROXYSVC
NISUM
NAVAPSVC
NAVLU32
NAVRUNR
NAVWNT
PVIEW95
F-STOPW
F-PROT95
PCCWIN98
IOMON98
FP-WIN
NVC95
NORTON
MCAFEE
ANTIVIR
WEBSCANX
SAFEWEB
ICMON
CFINET
CFINET32
AVP.EXE
LOCKDOWN2000
AVP32
ZONEALARM
WINK
SIRC32
SCAM32
The worm has different process-killing routines for different types of
operating system. It scans memory regularly and does not allow these
processes to start on the infected system. The worm also looks for and
terminates the Windows Task Manager process.
Payloads
When the worm's file is started and has the SCR extension, it may
display a video effect.

The worm creates a TXT file with a random name in the Windows directory
containing the following text:
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
iNDian sNakes pResents yAha.E
iNDian hACkers,Vxers c0me & w0Rk wITh uS & f*Ck tHE GFORCE-pAK sh*tes
bY
sNAkeeYes,c0Bra
<<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>

--->>>
Shaka( Rudy)
HelPC list owner
shaka.rudy@xxxxxxxxx
 
 
