W32.Lanieca.H@mm is a mass-mailing worm that uses its own SMTP engine to send itself to addresses it gathers from the compromised computer. The worm also logs keystrokes and steals various passwords.
When it runs, W32.Lanieca.H@mm performs the following actions:
1. Copies itself to %System%\[VOLUME SERIAL NUMBER OF THE COMPROMISED COMPUTER].exe. As the actual file name is a function of the volume serial number, this file name will be different for every computer.
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"[VOLUME SERIAL NUMBER OF THE COMPROMISED COMPUTER]" =
"[VOLUME SERIAL NUMBER OF THE COMPROMISED COMPUTER].exe"
to the registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that the worm runs every time Windows starts.
3. Copies a text file to %System%\[RANDOM FILE NAME].dll, where [RANDOM FILE NAME] is a file name generated by the worm. The worm uses this text file to store logged keystrokes.
4. Registers itself as a service process on computers running a Windows 9X operating system.
5. Gathers the current user's email user name, email address, and SMTP server IP address from the registry.
6. Gathers email addresses from files with the following extensions:
* .asp
* .dbx
* .eml
* .htm
* .mbx
* .sht
* .tbb
7. Sends a zip copy of itself to all the email addresses that it finds. The email has the following characteristics:
Subject:
One of the following:
* screensaver
* song
* music
* video
* photo
* girls
* pic
* message
* image
* news
* details
* resume
* love
* readme
Message:
Blank.
Attachment:
One of the following:
* details.zip
* girls.zip
* image.zip
* love.zip
* message.zip
* music.zip
* news.zip
* photo.zip
* pic.zip
* readme.zip
* resume.zip
* screensaver.zip
* song.zip
* video.zip
This zip file contains a copy of the worm with the file name [ZIP FILE NAME].[FIRST EXTENSION][BLANK SPACES].scr where [FIRST EXTENSION] is one of the following:
* avi
* doc
* jpg
* mp3
* txt
* wav
For example, the file readme.zip may contain a copy of the worm with the file name:
readme.txt[BLANK SPACES].scr
8. The worm avoids sending email messages to addresses that contain any of the following substrings:
* abuse
* admin
* hostmaster
* localdomain
* localhost
* mcafee
* messagelab
* microsoft
* noreply
* postmaster
* recipients
* report
* root
* spam
* symantec
* trendmicro
* webmaster
9. The worm also gathers the following passwords from Protected Storage, and saves them in a temporary file:
* IE Auto Complete passwords
* IE Password-Protected sites passwords
* MSN Explorer Signup passwords
* Outlook Express account passwords
10. The temporary file will be saved as %Temp%\[5 RANDOM LETTERS].tmp.
11. The worm then uploads the data in this temporary file to a script on the www.melaniecarroll.biz domain.
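The attachment naming described in step 7 (a lure word, a document-like extension, a run of blank spaces, then .scr) is something a mail gateway or analyst can check for without executing anything. The following is an added example written for this page, not code from Symantec or from the worm: it scores a message against the traits listed above (lure-word subject, blank body, lure-word zip name, padded double-extension member inside the zip). The sample zip it builds is constructed and holds only a placeholder string.

```python
import io
import re
import zipfile

# Subject words and zip base names listed in the writeup.
LURE_NAMES = {
    "details", "girls", "image", "love", "message", "music", "news",
    "photo", "pic", "readme", "resume", "screensaver", "song", "video",
}
# [ZIP FILE NAME].[FIRST EXTENSION][BLANK SPACES].scr
MEMBER_RE = re.compile(
    r"^(?P<base>[^.]+)\.(avi|doc|jpg|mp3|txt|wav) +\.scr$", re.IGNORECASE
)


def lanieca_lure_score(subject, body, attachment_name, attachment_bytes):
    """Return the list of writeup traits this message matches (empty = none).

    Checks only what the page describes: a one-word lure subject, a blank body,
    a .zip named after a lure word, and a member inside that zip whose name is
    <zip base>.<document-like ext><padding spaces>.scr.
    """
    reasons = []
    if subject.strip().lower() in LURE_NAMES:
        reasons.append("subject is a known lure word")
    if not body.strip():
        reasons.append("message body is blank")
    zip_base, dot, ext = attachment_name.lower().rpartition(".")
    if dot and ext == "zip" and zip_base in LURE_NAMES:
        reasons.append("zip attachment named after a lure word")
    try:
        with zipfile.ZipFile(io.BytesIO(attachment_bytes)) as zf:
            for name in zf.namelist():
                m = MEMBER_RE.match(name)
                if m and m.group("base").lower() == zip_base:
                    reasons.append(f"padded .scr double extension: {name!r}")
    except zipfile.BadZipFile:
        pass  # not a zip at all; nothing further to inspect
    return reasons


def build_sample_zip(member_name):
    """Constructed sample: a zip holding a harmless placeholder under member_name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder text, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip("readme.txt" + " " * 40 + ".scr")
    print(lanieca_lure_score("readme", "", "readme.zip", sample))
```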
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.lanieca.h@mm.html
To delete the value from the registry
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"[VOLUME SERIAL NUMBER OF THE COMPROMISED COMPUTER]" =
"[VOLUME SERIAL NUMBER OF THE COMPROMISED COMPUTER].exe"
6. Exit the Registry Editor.