Linong is an e-mail worm that consints of binary and script parts.
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
The binay part if the worm is about 360 kilobytes in size. It contains a VBS script that is dropped to the system during the infection.
When the exe file is run it copies itself to different places:
To ensure that it will be started at every system startup several registry keys are also added:
After setting the registry keys the VBS script is dropped to a file named 'MyLinong.vbs' in Windows sytem directory.
Using the standard Windows messaging API (MAPI) it collects e-mail addresses from the incoming e-mails and sends itself to those (in one run up to 50 messages).
The e-mail sending routine generates messages randomly from the following components:
The attached files can get these names:
It has a visible payload also. On certain dates messages are displayed:
25th of June:
22nd of July:
14th of November:
The other payload is rather annoying, it creates 500 directories to the 'C:\Linong I Love U So Much Linong For ever My Love[0-499]'
The scrip part of the worm is written in Visual Basic Script and is both, network and fast email (mass mailing) worm.
The mass mailer spreads using Outlook Application to all recipients listed in each address book. The email looks as follow:
Subject: One of this mail Body: True Story.... Attachment: mylinong.exe
where the attachment mylinong.exe is taken from the Windows System directory.
Once executed the script will copy itself as:
and will modify the registry to run the script on startup:
It will also change the Internet Explorer start page to the following location:
Then Linong.A creates 600 directories on the infected machine.
After the worm has been active on an infected system for 14 days it will delete the above created directories and the dropped copies of itself from Windows and Windows System folders.
During the time Linong is active it attempt to show an html file previously dropped as mylinong.hta. This file shows the following text:
I L o v e Y o u L i n o n g You are the love of my love Almost One Year.., Miss U 01*29**879 01*29**868
The network part of the worm generates random IP addresses and connects to them. When the C drive of these machines is shared and there is write access to it Linong will copy itself as linong.vbs in root, Windows and startup directories but it will not copy the binary part of the worm. That is why, running the script from a remote mashine will not spread the worm.