Virus Database

I-Worm.Lentin.v

Description I-Worm.Lentin.v

Lentin.v spreads via the Internet as an attachment to infected messages. It also spreads via networked resources and the Kazaa file-sharing network.
The worm itself is a Windows PE EXE file of approximately 60KB, written in Visual C++ and compressed using UPX. The uncompressed file is approximately 478KB in size.
Lentin.v interferes with the operation of antivirus applications. It also carries out DoS attacks on certain IP addresses.
It alters the files 'Hosts' and 'Lmhosts' in the Windows directory to prevent users of infected machines from viewing the following web sites:
www.symantec.com
www.microsoft.com
www.sophos.com
www.avp.ch
www.mcafee.com
www.trendmicro.com
www.pandasoftware.com
www3.ca.com
www.ca.com
Propagation
The worm uses its own SMTP server to send out copies of itself. It spreads via both network resources and the Kazaa file sharing network.
File attachments containing the infected code may have one of the following extensions:
.COM
.EXE
.ZIP
The message fields of infected emails contain random information.
The worm sends itself to all addresses found in the Windows address book, MSN Messenger, NET Messenger and Yahoo Pager.
Installation
Lentin.v must be launched manually in order for a machine to be infected. When an infected attachment is opened the worm is activated. It copies itself to the Windows system directory under the following names:
MSUPDAT.EXE
MSEXEC.EXE

It also uses the file 'msupdat.exe' to update the system registry with the following entries:
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRunServices]
This ensures that the worm's executable file will be run each time a victim machine is booted.
The worm then searches for the Windows system file 'WIN.INI' and adds the following string:
run=<name>

Check other viruses! Be aware! Use Antiviral Software

I-Worm.Nimda

Description I-Worm.Nimda

This is a virus-worm that spreads via the Internet attached to infected e-mails, and copies itself to shared directories over a local network, and also attacks vulnerable IIS machines (Web sites). The worm itself is a Windows PE EXE file about 57Kb in length, and is written in Microsoft C++.
In order to run from an infected message, the worm exploits a security breach. The worm then installs itself to the system, and runs a spreading routine and payload.
The worm contains the following "copyright" text string:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
Installing
While installing, the worm copies itself:
to the Windows directory with the MMC.EXE name
to the Windows system directory with RICHED20.DLL (and overwrites original Windows RICHED20.DLL file) and with the LOAD.EXE name.
The last one is then registered in the auto-run section in a SYSTEM.INI file:
[boot] shell=explorer.exe load.exe -dontrunold
The worm also copies itself to a Temporary directory with random MEP*.TMP and MA*.TMP.EXE names, for example:
mep01A2.TMP
mep1A0.TMP.exe
mepE002.TMP.exe
mepE003.TMP.exe
mepE004.TMP

EXE files have Hidden and System attributes, as well as a LOAD.EXE file (see above).
The worm then runs its spreading and payload routines. Depending on the Windows version, the worm affects the EXLORER.EXE process, and may run its routines as an EXPLORER' background process (thread).
Spreading via E-mail
In order to send infected messages, the worm connects to a host machine by using SMTP protocol, and sends its copies to victim addresses.
In order to obtain victim e-mail addresses, the worm uses two ways:
1. scans *.HTM and *.HTML files and looks for e-mail-like strings
2. by using MAPI, connects to MS Exchange e-mail boxes and obtains e-mail addresses from there.
The infected messages are of HTML format and contain:
Subject: empty or random
Body: empty
Attach: README.EXE

Subjects are chosen from the name of a randomly selected file from a folder:
HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerShell FoldersPersonal
usually this is "My Documents" or a randomly selected file on the C: drive.
In order to spread from infected messages, the worm uses an "IFRAME" trick; the vulnerability described at:
Microsoft Security Bulletin (MS01-020): Incorrect MIME Header Can Cause IE to Execute E-mail Attachment http://www.microsoft.com/technet/security/bulletin/MS01-020.asp
Download patch:
http://www.microsoft.com/windows/ie/downloads/critical/q290108/default.asp
What causes the vulnerability?
If an HTML mail contains an executable attachment, whose MIME type is incorrectly given as one of several unusual types, a flaw in IE will cause the attachment to be executed without displaying a warning dialogue.
What does the patch do?
The patch eliminates the vulnerability by correcting the table of MIME types and their associated actions in IE. This has the effect of preventing e-mails from being able to automatically launch executable attachments.
Spreading via the local network
The worm scans local and shared (mapped) remote drives in three different manners, and infects all accessible directories in there.
While infecting, the worm uses two different ways:
1. It creates .EML (95% of the time) or .NWS (5%) files with randomly selected names. As a result, these EML and NWS files are everywhere on an infected machine (and in the local network), and there may be thousands of them. These files contain the worm's copy in e-mail form.
The e-mail form is an HTML e-mail message with the worm's copy in a MIME envelope, and with an IFRAME trick as described above. Upon being opened, this message immediately infects a vulnerable machine.
2. The worm looks for filename+extension combinations:
*DEFAULT* , *INDEX* , *MAIN* , *README* + .HTML, .HTM, .ASP
(*NAME* means that may be a sub-string in the file name)
In case such file is found, the worm copies itself in e-mail form to there with the README.EML name, and appends to a victim's HTM/ASP file a JavaScript program that simply opens the README.EML file when the HTML/ASP file is being opened, activating the worm as a result.
As a result, the worm infects Web pages, and may spread to machines that visit these Web sites.
Spreading as an IIS attack
To upload its file to a victim's machine, the worm uses a "tftp" command, and activates a temporary TFTP server on an infected (current) machine to process the "get data" command from the victim's (remote) machine in exactly the same way as the {"BlueCode":IISWorm_BlueCode} IIS worm.
The name of file that is uploaded to a victim's machine is ADMIN.DLL.
Payloads
The payload routine adds "Guest" user to the Administrator User Group (as a result, a "Guest" user has full access to an infected machine).
The worm also opens all local drives for sharing.
There are several variants of the "Nimda" worm.
All of them are very closed to the original, and most of them are just a "patched" version of original worm - the text strings in worm body are replaced with other strings).
Nimda.b
This is the original "Nimda" worm, however compressed by a PCShrink Win32 PE EXE files compressor. The strings:
README.EXE , README.EML
are replaced with:
PUTA!!.SCR , PUTA!!.EML
Nimda.c
This is exactly the original "Nimda" worm although compressed by a UPX compressor.
Nimda.d
This variant of the worm was mailed to the Internet at the end of October 2001. It was spread in compressed form (PECompact compressor), and this form is 27K in size.
The only difference from original worm is the "copyright" text strings that are patched in this version with the following text:
HoloCaust Virus.! V.5.2 by Stephan Fernandez.Spain
Nimda.e
This is a recompiled "Nimda" variant, and there are several minor routines either slightly fixed and/or optimized. This variant was found in the wild at the end of October 2001.
The visible differences from the original worm version are:
The attached file name:
SAMPLE.EXE (instead of README.EXE)
The DLL files are:
HTTPODBC.DLL and COOL.DLL (instead of ADMIN.DLL)
The "copyright" text is replaced with:
Concept Virus(CV) V.6, Copyright(C)2001, (This's CV, No Nimda.)

I-Worm.Nocana.a

Description I-Worm.Nocana.a

Nocana is a worm virus spreading via the Internet as an e-mail file attachment via P2P file sharing networks. The worm contains a backdoor routine.
The worm itself is a Windows PE EXE file, written in Visual Basic and is related to the I-Worm.Melare email worm.
There are several worm versions known, they differ only slightly. These versions are:
"Nocana.a" : about 29K (compressed by UPX, decompressed size - about 80K)
"Nocana.b" : about 86K
"Nocana.c" : about 32K (compressed by UPX, decompressed size - about 100K)

The worm activates from infected email only when a user clicks on the attached file. Note that the real attached .EXE file name is hidden by a false .JPG extension(an "extra functionality" of MS Outlook is used to accomplish this deception). As a result the infected .EXE file is displayed as a .JPG image file, but upon opening the attachment it is executed as a true EXE file. Starting with MS Outlook 97 service pack 2 such attached files are blocked (by default).
The worm then installs itself to the system, runs its spreading routine and payload.
Installation
While installing the worm copies itself to the Windows directory using the name "ANACON.EXE" and registers this file in the system registry auto-run keys:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun
AHU= %SystemDir%ANACON.EXE

HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
Hvewsveqmg = %SystemDir%ANACON.EXE

HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Cvfjx = %SystemDir%ANACON.EXE

Other worm versions also copy themselves but using different names:
syspoly32.exe
build.exe
force.exe
scan.exe
runtime.exe
hangup.exe
hungry.exe
thing.exe
against.exe
wars.exe

The Nocana worm also terminates several anti-virus and active firewall processes.
Spreading
To send infected messages the worm uses MS Outlook and sends messages to all the addresses found in the Outlook address book.
Infected messages have the following attributes:
Subject:
Body:
Attachment:

"Nocana.a":

Subject:

Do you happy?
Riyadh Issue: Al-Qaeda vs FBI
Osama Bin Laden Come Back!
Al-Qaeda News: Bombing Mission Success!
Check This Out!
Re: can mali can!
Al-Qaeda Team Entertainment News
[AQTE News]
Al-Jazeera: AQTE Come back!
Hi, may I read your mind?
Acheh Issue: What Solution!
Saddam Hussein Still alive
Iraqi people don't want US Control.
Let's Iraqi people build their country.
Download New 256-Bit Encryption Software
Alert! W32.HLLW.Anacon@mm Worm Has been detected!
Register you Windows Now!
Get free update Microsoft Windows Media Player
TIPS: How to hide your IP Address!
How to Protect you PC from Hackers!

Message body:

Hi dear,
Once I was first saw you, I was fall in love! Even you are already has special friend!
Fall In Love,
Rekcahlem ~=~ Anacon

Attachment:

anakon.jpg


"Nocana.b,c":

Subject:

Do you happy?
Great News! Check it out now!
Just for Laught!
TIPs: HOW TO JUMP PC TO PC VIA INTERNET?
What New in TechTV!
FoxNews Reporter: Hello! SARS Issue!
Get Free XXX Web Porn!
Oh, my girl!
Crack - Download Accerelator Plus 5.3.9
Do you remember me?
The ScreenSaver: Wireless Keyboard
VBCode: Prevent Your Application From Crack
Re: are you married?(1)
Download WinZip 9.0 Beta
Young and Dangerous 7
Alert! W32.Anacon.B@mm Worm Has been detected!
Run for your life!
Update: Microsoft Visual Studio .Net
Your Password: jad8aadf08
Tired to Search Anonymous SMTP Server?

Message body:

Hello dear,
I'm gonna missed you babe, hope we can see again!
In Love,
Rekcahlem ~<>~ Anacon

Attachment:

anacon.exe
build.exe
force.exe
scan.exe
runtime.exe
hangup.exe
hungry.exe
thing.exe
against.exe
wars.exe

Infecting P2P
The worm copies itself to the P2P shared directories of following networks: KMD, Kazaa, Morpheus, Grokster, BearShare, Edonkey2000, Limewire.
Worm copies have the ollowing names:
"Nocana.a":

X-Men II Trailer.mpg.exe
The Matrix Reloaded.jpg.exe
Jonny English (JE).avi.exe
EmpireEarthII.msi.exe
Setup.exe
JumpingJumping.exe
SuperMarioBrother.exe
YoungAndNotTooDangerous.exe
Nokia8250Series.exe
About SARS Solution.doc.exe
Dont eat pork.. SARS in there.jpg.exe
Mesmerize.exe
MSVisual C++.exe
Installer.exe
Q544512.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
WMovie Maker II.exe
WindowsUpdate.exe
SEX_HOT.exe

"Nocana.b,c":

The Matrix Evolution.mpg.exe
The Matrix Reloaded Preview.jpg.exe
Jonny English (JE).avi.exe
DOOM III Demo.exe
winamp3.exe
JugdeDread.exe
Microsoft Visual Studio.exe
gangXcop.exe
Upgrade you HandPhone.exe
About SARS Solution.doc.exe
Dont eat pork. SARS in there.jpg.exe
VISE.exe
MSVisual C++.exe
QuickInstaller.exe
Q111023.exe
jdbgmgr.exe
WindowsXP PowerToys.exe
InternationalDictionary.exe
EAGames.exe
SEX_HOTorCOOL.exe

Backdoor Routine

opens full access to disk files and system registry keys
sends information about infected computer
sends cached passwords
sends keyboard log
downloads and executes files from Web
changes display resolution
runs DoS attack on several servers
e.t.c.
Payload
In the directories C:Inetpubwwwroot ³ D:Inetpubwwwroot (if they exist) the worm renames the following files:
index.htm -> Anacon_Index.htm
default.htm -> Anacon_Default.htm
index.html -> Anacon_Index.html
default.html -> Anacon_Default.html
index.asp -> Anacon_Index.asp
default.asp -> Anacon_Default.asp

Nocana then overwrites the original files ("index.htm", "default.htm", all) with the text:
I WARN TO YOU! DON'T PLAY STUPID WITH ME! ANACON MELHACKER WILL SURVIVE!, Anacon, Melhacker, Dincracker, PakBrain and AQTE
Anacon G0t ya! By Melhacker - The Real Hacker!

On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm randonly performs one of the following actions:
executes all files in the current directory (in most cases - Windows system directory)
displays the message:


Anacon W0rm
The only I have to say is, I need you babe!

formats the D: drive
deletes all files in the current directory (in most cases - Windows system directory)
On 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th of each month the worm deletes all *.DLL, *.NLS, *.OCX files in the current directory (in most cases - Windows directory).

Home