Email-Worm.Win32.Ligon

Class Email-Worm
Platform Win32
Description

Technical Details

This is an Win32 e-mail worm. The worm has two components:

  • Main: a Win32 application (PE EXE file) that is about 360K in size, and written in Delphi.
  • Helper: a VBS script program that intends to spread the worm over a local network.

    The main worm component sends itself to other machines attached to
    e-mails as an EXE file that may have 16 different names (see below). While
    spreading, it uses MAPI to connect to an e-mailer.

    The main component also drops an additional VBS script helper
    (local network worm) to a local disk and spawns it.

    Main Component

    When an infected file starts (being activated by a user from an infected message or
    from any other source), the worm copies itself into the Windows directory with
    “PCpower.exe” and into the Windows system directory with the “MyLinong.exe” name.
    The worm then drops the “MyLinong.VBS” file (VBS helper) into the Windows system
    directory.

    These files are then registered in the system registry auto-run keys:

    HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
    PCPower = %windir%PCpower.exe
    MyLinong = %winsystemdir%MyLinong.exe
    Linong = %winsystemdir%MyLinong.vbs

    The EXE files are two worm copies, and they will be activated by Windows upon
    each restart. The VBS file is a VisualBasic script program (see below).

    Spreading

    To spread, the worm scans the Inbox for the 50 first messages, obtains messages that
    have at least one attached file, and replies with an infected message. The
    infected message has a Subject, Body and Attached file that is randomly selected
    from 16 variants:

    Attached file names:

    CFusion.Exe
    PatchFusion.exe
    MyLinong.Exe
    Light up the night.exe
    StarMild.exe
    Kiss.Exe
    Sexy.Exe
    Popeye.exe
    Olive.exe
    BullBull.exe
    Moly.exe
    Lovely.exe
    868879.exe
    help.exe
    BillGate
    Mikropos

    Subjects:

    Info From CFusion
    Patch Your CFusion
    Still Remember You
    Light Up The Night
    Man Choice
    Kiss Me
    Sexy Model
    Popeye Cartoon
    Olive & Popeye
    MyGirlFriend Dogs
    My Girl Friend’ Dogs
    Sweet Lovely
    Password
    Need Help
    Bill
    Mikropos

    Message bodies:

    You can update your Cfusion Online For Free
    Are You Ready Fix Your Cfusion,Please Update
    She is MY sexy Linong
    Light up The Night PARTY…
    Are You Man or women. This is The sponsor from our site The man choice
    100 way to kiss your GirlFriend or your boyfriend
    Did you ever see the sexy girls like her
    The New Popeye New Cartoon NetWork
    Olive And Popeye Cartoon
    Nice dog…
    Good Dog and Smart dogs
    My Icq Friend Sweet and Lovely
    Here The list of Nude Password Website. All of them Still Active, and few of them are death password
    Do you need help ? to get money over the internet. You can read the help
    Bill..
    The New Mikropos Software From Mikropos Network

    Payload

    The worm creates the following directories:

    “C:Linong I Love U So Much Linong For ever My Love%n”

    where %n are numbers from 0 to 500 (in some cases, the worm fails to create
    directories, so the upper limit of directory number may be less than 500).

    The worm displays the following messages:

  • on June 25th:

    Message From Me
    Happy Birthday To MyLinong
    Still Remember Me…

  • on July 22nd:

    Today I want tell you Once again that
    I LOVE U SO MUCH LINONG
    Hey user, Please Help me to Tell the world
    That I Love Her So Much

  • on November 14th:

    Hi..Nong..I Love You So much.
    But today we must Say GoodBye For ever
    I wait U in the next Life, and Remember I Love You So Much

    VBS Helper

    This is a modification of the VBS e-mail worm “I-Worm.Linong” and
    works as a helper to the main EXE component.

    When it is run by Windows (because it is registered in registry Run= key),
    it obtains the IP address of the local machine, and then scans the sub-net (for
    example, if the local machine’s IP is 10.10.10.1, the worm will try to connect to
    all machines by using addresses 10.10.10.n, where ‘n’ is a number from 1 to
    254).

    In the case there are machines with such addresses, the worm tries to gain access
    to their C: drives and copy itself there to the following directories:

    “C:”
    “C:windowsstartm~1programsstartup”
    “C:windows”
    “C:windowsstart menuprogramsstartup”

    (there is a bug in this routine, and the worm fails to perform this).

    The worm then tries to send its EXE component from the infected machines, with the
    messages containing the following:

    Subject: One of this mail
    Body: True Story….
    Attach: mylinong.exe

    (this routine has a bug too, and the worm fails to spread itself).

    The worm then, as well as “I-Worm.Linong”, performs the following:

  • creates 600 empty directories �:LINONG I LOVE YOU MY FOLDER%n (where
    %n is number from 1 to 600)

  • creates its copies with the following names:

    %windows%mylinong.txt.shs
    %windows%SYSTEMKern32Lin.vbs
    %windows%Vbrun32DLL.vbs
    %windows%SYSTEMmylinong.TXT.vbs

  • and registers a non-existing file in the system registry:

    HKLMSoftwareMicrosoftWindowsCurrentVersionRunServices
    Vbrun32DLL = %windows%Win32DLL.vbs

    The worm then creates an HTA file and opens it, which, as a result, displays the text:

    I Love You
    Linong
    You are the love of my love, 5173n1n3ty31gh7
    Almost One Year.., Miss U
    01*29**879
    01*29**868
    *-*