W32.Lanieca.I@mm is a mass-mailing worm that uses its own SMTP engine to send itself to email addresses it gathers from the compromised computer. It also logs keystrokes and steals various passwords.
When executed, W32.Lanieca.I@mm performs the following actions:
1. Copies itself as the following file:
%System%\[RANDOM FILE NAME].exe
Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
2. Adds the value:
"[RANDOM FILE NAME]" = "[RANDOM FILE NAME].exe"
to the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
so that it runs every time Windows starts.
Note: The name of the file referenced in the value of this registry subkey will be the same as the file copied to the System folder.
3. Creates the following text file, in which it stores logged keystrokes:
%System%\[RANDOM FILE NAME 1].dll
4. Drops the following file:
%System%\[RANDOM FILE NAME 2].dll
Note: The variables [RANDOM FILE NAME 1] and [RANDOM FILE NAME 2] refer to two different randomly generated file names.
5. Creates the following registry subkeys to monitor the behavior of Internet Explorer:
HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}
HKEY_CLASSES_ROOT\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}
HKEY_CLASSES_ROOT\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2}
HKEY_CLASSES_ROOT\IESpy.SpyBHO
HKEY_CLASSES_ROOT\IESpy.SpyBHO.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESpy.SpyBHO
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1
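The following PowerShell script is an added example for auditing a host against steps 2 and 5 above; it is not part of this write-up and not a Symantec tool. It is read-only: it reports which of the listed CLSID, TypeLib, BHO and ProgID keys exist, and flags Run values whose data is a bare "[NAME].exe" matching the value name, which the write-up states is how the worm registers itself. The function names are this example's own; the GUIDs and ProgIDs are the ones listed above.

```powershell
# Added example: audit the registry artifacts this write-up lists for W32.Lanieca.I@mm.
# Read-only; nothing is deleted. Run from an elevated PowerShell prompt.

$Clsid = '{84695FD5-A8A8-11D8-978E-005022E14DE2}'

# Keys from step 5. HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes,
# so the HKLM paths are checked separately, as the write-up lists them.
$SuspectKeys = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    'Registry::HKEY_CLASSES_ROOT\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}',
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid",
    'Registry::HKEY_CLASSES_ROOT\IESpy.SpyBHO',
    'Registry::HKEY_CLASSES_ROOT\IESpy.SpyBHO.1',
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid",
    'HKLM:\SOFTWARE\Classes\IESpy.SpyBHO',
    'HKLM:\SOFTWARE\Classes\IESpy.SpyBHO.1'
)

function Test-LaniecaRegistryKeys {
    # Returns the subset of the step-5 keys that exist on this host.
    $SuspectKeys | Where-Object { Test-Path -LiteralPath $_ }
}

function Get-SuspiciousRunValues {
    # Step 2: value "[NAME]" = "[NAME].exe" under HKLM\...\Run. The data is a bare file
    # name with no path, and its base name equals the value name. Legitimate Run entries
    # almost always carry a full path, so this is a triage signal, not proof on its own.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $item = Get-ItemProperty -LiteralPath $runKey -ErrorAction SilentlyContinue
    if (-not $item) { return }
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -in $providerProps) { continue }   # skip provider metadata, keep real values
        $data = [string]$p.Value
        if ($data -ieq "$($p.Name).exe") {
            # A bare name is resolved from the System folder, where step 1 drops the copy.
            $onDisk = Join-Path ([Environment]::SystemDirectory) $data
            [pscustomobject]@{
                ValueName         = $p.Name
                Data              = $data
                ExistsInSystemDir = Test-Path -LiteralPath $onDisk
            }
        }
    }
}

$keyHits = @(Test-LaniecaRegistryKeys)
$runHits = @(Get-SuspiciousRunValues)

if ($keyHits.Count -eq 0 -and $runHits.Count -eq 0) {
    Write-Output 'No W32.Lanieca.I@mm registry artifacts found.'
} else {
    $keyHits | ForEach-Object { Write-Output "Present: $_" }
    $runHits | Format-Table -AutoSize
}
```

A hit on any of the step-5 keys is specific to this family; a hit from Get-SuspiciousRunValues should be confirmed by checking the file it names in the System folder (step 1) before acting on it, since the Run-value shape alone is only a heuristic.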
6. Retrieves the current user's email user name, email address, and SMTP server IP address from the registry.
7. Gathers email addresses from files with the following extensions:
* .asp
* .dbx
* .eml
* .htm
* .mbx
* .sht
* .tbb
8. Attempts to send itself as an email using its own SMTP engine. The email will have the following characteristics:
Subject:
One of the following:
* details
* girls
* image
* love
* message
* music
* news
* photo
* pic
* readme
* resume
* screensaver
* song
* video
Message:
Blank.
Attachment:
One of the following:
* details.zip
* girls.zip
* image.zip
* love.zip
* message.zip
* music.zip
* news.zip
* photo.zip
* pic.zip
* readme.zip
* resume.zip
* screensaver.zip
* song.zip
* video.zip
Note: This zip file contains a copy of the worm with file name [ATTACHMENT NAME].[FIRST EXTENSION][BLANK SPACES].scr, where [FIRST EXTENSION] is one of the following:
* avi
* doc
* jpg
* mp3
* txt
* wav
For example, the file readme.zip may contain the file readme.txt[BLANK SPACES].scr.
Instead of attaching a file, the worm may also send one of the following links to the attachment:
* [http://]www.sismodular.com/[REMOVED]/[ATTACHMENT NAME].zip
* [http://]www.elancenet.org/[REMOVED]/[ATTACHMENT NAME].zip
* [http://]www.hlconsultores.com/[REMOVED]/[ATTACHMENT NAME].zip
* [http://]africaplc.com/[REMOVED]/[ATTACHMENT NAME].zip
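The following PowerShell function is an added example, not part of this write-up, for inspecting a .zip attachment for the entry-name shape described in step 8: [ATTACHMENT NAME].[FIRST EXTENSION][BLANK SPACES].scr. The lure names and decoy extensions are the ones listed above. It also applies a more general check of this example's own (not from the write-up) for any entry whose name ends in a harmless-looking extension, whitespace padding, and then an executable extension, since the padding trick is not specific to these particular names. The function name and the constructed sample archive are this example's own.

```powershell
# Added example: detect the padded double-extension entry that step 8 describes
# inside a .zip attachment. Requires PowerShell 5.1 or later on Windows.

Add-Type -AssemblyName System.IO.Compression.FileSystem

# Lure names and decoy extensions as listed in the write-up.
$LureNames = 'details','girls','image','love','message','music','news',
             'photo','pic','readme','resume','screensaver','song','video'
$DecoyExts = 'avi','doc','jpg','mp3','txt','wav'

# Exact shape from the write-up: <lure>.<decoy ext><one or more blanks>.scr
$LaniecaPattern = '^(?<lure>' + ($LureNames -join '|') + ')\.(?<decoy>' +
                  ($DecoyExts -join '|') + ')\s+\.scr$'

# Generalisation (this example's own heuristic): any name with a short extension,
# whitespace padding, then an executable extension. Catches variants that change the lure.
$PaddedDoubleExtPattern = '^.+\.[A-Za-z0-9]{2,4}\s+\.(scr|exe|pif|com|bat|cmd)$'

function Test-LaniecaZipAttachment {
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            $name = $entry.Name
            $verdict = $null
            if ($name -match $LaniecaPattern) {
                $verdict = "W32.Lanieca.I@mm lure '$($Matches.lure)' with decoy extension .$($Matches.decoy)"
            } elseif ($name -match $PaddedDoubleExtPattern) {
                $verdict = 'padded double extension (generic heuristic)'
            }
            if ($verdict) {
                [pscustomobject]@{ Zip = $Path; Entry = $name; Verdict = $verdict }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

# Constructed sample archive: one benign entry and one entry shaped like the worm's.
# Both entries are empty; only the names matter for this check.
$sample = Join-Path $env:TEMP 'lanieca-demo-readme.zip'
if (Test-Path -LiteralPath $sample) { Remove-Item -LiteralPath $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, [System.IO.Compression.ZipArchiveMode]::Create)
try {
    [void]$archive.CreateEntry('notes.txt')
    [void]$archive.CreateEntry('readme.txt' + (' ' * 40) + '.scr')
} finally {
    $archive.Dispose()
}

# Expected: one row for the padded "readme.txt ... .scr" entry, none for notes.txt.
Test-LaniecaZipAttachment -Path $sample | Format-Table -AutoSize
Remove-Item -LiteralPath $sample
```

The padding matters for detection because a file browser that truncates long names shows only "readme.txt", while Windows still runs the file as a screensaver executable; matching on the whitespace run rather than the final extension alone is what separates this trick from an ordinary .scr file.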
9. Avoids sending email messages to addresses that contain any of the following strings:
* abuse
* admin
* alert
* kasper
* mcafee
* messagelab
* microsoft
* noreply
* pandasoft
* postmaster
* recipients
* report
* sophos
* spam
* symantec
* trendmicro
* virus
* webmaster
10. Gathers the following passwords from Protected Storage:
* IE Auto Complete passwords
* IE Password-Protected sites passwords
* MSN Explorer Signup passwords
* Outlook Express account passwords
11. Saves any passwords it finds in the following file:
%Temp%\[RANDOM FILE NAME].tmp
12. Uploads the temporary file to the following Web site:
[http://]www.melaniecarroll.biz/[REMOVED]/n2.php
REMOVAL INSTRUCTIONS
See:
http://securityresponse.symantec.com/avcenter/venc/data/w32.lanieca.i@mm.html
To delete the value from the registry:
1. Click Start > Run.
2. Type regedit
3. Click OK.
4. Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
5. In the right pane, delete the value:
"[RANDOM FILE NAME]" = "[RANDOM FILE NAME].exe"
6. Navigate to and delete the registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}
HKEY_CLASSES_ROOT\Interface\{84695FD4-A8A8-11D8-978E-005022E14DE2}
HKEY_CLASSES_ROOT\TypeLib\{84695FC8-A8A8-11D8-978E-005022E14DE2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84695FD5-A8A8-11D8-978E-005022E14DE2}
HKEY_CLASSES_ROOT\IESpy.SpyBHO
HKEY_CLASSES_ROOT\IESpy.SpyBHO.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{84695FD5-A8A8-11D8-978E-005022E14DE2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESpy.SpyBHO
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IESpy.SpyBHO.1
7. Exit the Registry Editor.