This Lentin (also known as Yaha) worm variant appeared on 17th of September 2003. It is an improved variant comparing to previous versions of the worm. Like its previous variants, this one spreads itself in emails, over LAN (local area network), kills tasks of certain programs, logs user's keyboard activities and performs DoS (Denial of Service) attacks on certain sites. The worm can also modify HTML pages on a webserver if it finds it on an infected computer. The worm blocks access to certain websites mostly belonging to anti-virus vendors.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
The worm's file is a Windows PE executable 66048 bytes long compressed with ASPack file compressor. The uncompressed worm's size is over 350 kilobytes.
First of all, the worm does not run if the following processes are running:
When the worm's file is started, the worm copies itself as MSUPDAT.EXE to Windows System folder and creates a startup keys for this file in System Registry:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MicrosoftServiceManager" = "%WinSysDir%\MSUPDAT.EXE" [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "MicrosoftServiceManager" = "%WinSysDir%\MSUPDAT.EXE" [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "MicrosoftServiceManager" = "%WinSysDir%\MSUPDAT.EXE" [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices] "MicrosoftServiceManager" = "%WinSysDir%\MSUPDAT.EXE"
The worm also copies itself as MSEXEC.EXE file to Windows System folder and modifies the default EXE, COM and BAT files startup keys:
[HKCR\exefile\shell\open\command] @ = "%WinSysDir%\MSEXEC.EXE""%1"%*" [HKCR\comfile\shell\open\command] @ = "%WinSysDir%\MSEXEC.EXE""%1"%*" [HKCR\batfile\shell\open\command] @ = "%WinSysDir%\MSEXEC.EXE""%1"%*"
where '%WinSysDir%' is Windows System directory name. This way the worm's file is started every time when a user runs an EXE file. Both copied files have a hidden attribute, so they are not seen in Windows Explorer with default settings.
Additionally the worm copies itself as REGP32.EXE to Windows folder and modifies WIN.INI file to make the copied file start during Windows bootup stage. On NT-based systems the worm also writes the startup string into the Registry.
Finally the worm copies itself as MSNTUPDATE.EXE file to the following directory:
\Documents and Settings\All Users\Start Menu\Programs\Startup
This allows the worm's file to start when any user starts Windows.
The worm can create the following key that contains worm-related information such as version, author, webpage and comments:
The worm is capable of infecting computers over a local network. Being active, the worm enumerates shared network resources and if it finds the following directories there:
it copies as REGP32.EXE to these folders and modifies WIN.INI file there to make the copied file start during Windows bootup stage. Also the worm copies itself as MSNTUPDATE.EXE file to the following directory on remote computers:
\Documents and Settings\All Users\Start Menu\Programs\Startup
This allows the worm's file to start when any user starts Windows on remote system.
If the worm finds a webserver (IIS - Internet Information Server) folders on an infected computer, it modifies its HTML pages. The worm looks for *.HTML and *.HTM files in the following folder:
and adds a small HTML code to the end of every found webpage, so that the following text is shown when that page is opened:
Each webpage contains at least 2 strings like that in the end.
The worm drops a keylogging DLL from its body and activates it to record all keystrokes of an infected computer's user. The keystrokes are saved into a special file that is located in a temporary folder. The worm periodically sends this file to 'email@example.com' address together with host name and IP address of an infected computer. The file is sent if it's size is over 30 kilobytes.
The worm spreads itself in emails. The emails have randomly selected subjects, body texts and attachment names. The infected emails have fake email addresses in the sender field.
The worm gets email addresses from files located in MSN Messenger, .NET Messenger, Yahoo Pager, ICQ, Address Book and also from Explorer Shell folders that contain user's files and settings.
The worm can send the following emails from an infected system:
From: firstname.lastname@example.org or email@example.com or firstname.lastname@example.org or email@example.com Subject: Sexy Call girls Body: Hi... Visit http://salmaescorts.tripod.com/ expecting ur call or Hi... Visit http://salmaescorts.tripod.com/ expecting ur call
It can also compose different type of emails that pretend to be legitimate mails from well-known companies or people. The worm uses the following list of names to construct a fake sender's email address for the infected messages:
The worm uses the following list of email addresses to construct a fake sender's email address:
The sender's address can be also randomly generated. The domain address is selected from the following variants:
The worm uses the following subject lines in the emails that it sends from an infected system:
The worm uses the following attachment names for its file when it sends itself in emails:
The worm uses the following texts in the bodies of email messages that it sends out:
Hello, The attached product is send as a part of our official campaign for the popularity of our product. You have been chosen to try a free fully functional sample of our product.If you are satified then you can send it to your friends. All you have to do is to install the software and register an account with us using the links provided in the software. Then send this software to your friends using your account ID and for each person who registers with us through your account, we will pay you $1.5.Once your account reaches the limit of $50, your payment will be send to your registration address by check or draft. Please note that the registration process is completely free which means by participating in this program you will only gain without loosing anything. Best Regards, Admin, or Klez.H is the most common world-wide spreading worm.It's very dangerous by corrupting your files. Because of its very smart stealth and anti-anti-virus technic,most common AV software can't detect or clean it. We developed this free immunity tool to defeat the malicious virus. You only need to run this tool once,and then Klez will never come into your PC or Hello, Looking for some Hardcore mind boggling action ? Install the attached browser software and browse across millions of paid hardcore sex sites for free. Using the software you can safely and easily browse across most of the hardcore XXX paid sites across the internet for free. Using it you can also clean all traces of your web browsing from your computer. Note:The attached browser software is made exclusivley for demo only. You can use the software for a limited time of 35 days after which you have to register it at our official website for its furthur use. Regards, Admin. or Hello, I just came across your email ID while searching in the Yahoo profiles. Actually I want a true friend 4 life with whom I can share my everything. So if you are interested in being my friend 4 life then mail me. If you wanna know about me, attached is my profile along with some of my pics. You can check and if you like it then do mail me. I will be waiting for your mail. Best Wishes, Your Friend.. or <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>> This email is never sent unsolicited. If you receive this email then it is because you have subscribed to the official newsletter at the KOF ONLINE website. King Of Fighters is one of the greatest action game ever made. Now after the mind boggling sucess of KOF 2001 SNK proudly presents to you KOF 2002 with 4 new charecters. Even though we need no publicity for our product but this time we have decided to give away a fully functional trial version of KOF 2002. So check out the attached trial version of KOF 2002 and register at our official website to get a free copy of KOF2002 original version Best Regards, Admin,KOF ONLINE.. <<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>><<<<<>>>>>
The worm can also compose other kind of messages from from additional string data that is hardcoded in the worm's body.
The worm includes Iframe exploit into the infected messages to make the infected attachment run automatically when a recipient views a message. This exploit works only on older and unpatched versions of certain email clients.
The worm can also send a lot of garbage emails to the following accounts:
of the following domains:
This kind of attack is called mail-bombing.
The worm terminates processes that have the following strings in their names: