Class: Email-Worm
Platform: Win32

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors), or programs that create multiple copies that are unable to self-replicate, are not part of the Viruses and Worms subclass.

The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources). Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks, etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated.

Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user open an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security.

Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website). In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases, the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:
  • using a direct connection to an SMTP server
  • using the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:
  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. It is one of the most widespread programming platforms in the world.

Description

Technical Details

This is a Win32 e-mail worm. The worm has two components:

  • Main: a Win32 application (PE EXE file) that is about 360K in size and written in Delphi.
  • Helper: a VBS script program that is intended to spread the worm over a local network.

    The main worm component sends itself to other machines attached to e-mails as an EXE file that may have 16 different names (see below). While spreading, it uses MAPI to connect to an e-mailer.

    The main component also drops an additional VBS script helper (local network worm) to a local disk and spawns it.

    Main Component

    When an infected file starts (being activated by a user from an infected message or from any other source), the worm copies itself into the Windows directory under the "PCpower.exe" name and into the Windows system directory under the "MyLinong.exe" name. The worm then drops the "MyLinong.VBS" file (VBS helper) into the Windows system directory.

    These files are then registered in the system registry auto-run keys:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    PCPower = %windir%\PCpower.exe
    MyLinong = %winsystemdir%\MyLinong.exe
    Linong = %winsystemdir%\MyLinong.vbs

    The EXE files are two worm copies, and they will be activated by Windows upon each restart. The VBS file is a VisualBasic script program (see below).
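The autorun values above are the worm's persistence artifacts, and together with the numbered payload directories described under Payload they are the host-side indicators a responder would check for. The following script is an added example (not Kaspersky's code) that matches Run-key values and directory names against those indicators. The Run-key entries and directory names in SAMPLE_RUN_VALUES and SAMPLE_DIRS are constructed test data; `read_live_run_key` uses the standard winreg module and only does anything on a Windows host.

```python
import re
import sys
from typing import Iterable

# Autorun values the description attributes to the worm: value name -> file name.
# Directories differ per host, so only the trailing file name is compared.
WORM_AUTORUN = {
    "pcpower": "pcpower.exe",
    "mylinong": "mylinong.exe",
    "linong": "mylinong.vbs",
}

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Payload directory name: fixed prefix followed by a number 0..500 (from the description).
PAYLOAD_DIR_RE = re.compile(
    r"^Linong I Love U So Much Linong For ever My Love(\d+)$", re.IGNORECASE)


def find_autorun_indicators(entries: Iterable[tuple[str, str]]) -> list[str]:
    """Return Run-key values that match the worm's registration.

    entries: (value_name, value_data) pairs as found under the Run key.
    Both the value name and the referenced file name must match, so an
    unrelated value that merely happens to be called "Linong" is not flagged.
    """
    hits = []
    for name, data in entries:
        expected = WORM_AUTORUN.get(name.lower())
        if expected is None:
            continue
        file_name = re.split(r"[\\/]", data.strip().strip('"'))[-1].lower()
        if file_name == expected:
            hits.append(f"{RUN_KEY}\\{name} = {data}")
    return hits


def find_payload_dirs(dir_names: Iterable[str]) -> list[str]:
    """Return directory names matching the payload pattern with %n in 0..500."""
    hits = []
    for name in dir_names:
        m = PAYLOAD_DIR_RE.match(name)
        if m and 0 <= int(m.group(1)) <= 500:
            hits.append(name)
    return hits


def read_live_run_key() -> list[tuple[str, str]]:
    """Read HKLM Run values on a Windows host; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries.append((name, str(data)))
            index += 1
    return entries


# Constructed sample data (not real registry contents): three worm values plus one benign value.
SAMPLE_RUN_VALUES = [
    ("PCPower", r"C:\WINDOWS\PCpower.exe"),
    ("MyLinong", r"C:\WINDOWS\SYSTEM32\MyLinong.exe"),
    ("Linong", r"C:\WINDOWS\SYSTEM32\MyLinong.vbs"),
    ("SecurityHealth", r"C:\WINDOWS\system32\SecurityHealthSystray.exe"),
]
SAMPLE_DIRS = [
    "Linong I Love U So Much Linong For ever My Love0",
    "Linong I Love U So Much Linong For ever My Love499",
    "Linong I Love U So Much Linong For ever My Love501",  # outside the described range
    "Program Files",
]

if __name__ == "__main__":
    for hit in find_autorun_indicators(SAMPLE_RUN_VALUES) + find_payload_dirs(SAMPLE_DIRS):
        print("indicator:", hit)
    for hit in find_autorun_indicators(read_live_run_key()):
        print("live indicator:", hit)
```

Matching on the value name alone would be noisy (the names are ordinary words), which is why both the name and the target file must agree before an entry is reported.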

    Spreading

    To spread, the worm scans the first 50 messages in the Inbox, selects those that have at least one attached file, and replies to them with an infected message. The Subject, Body and attached file of the infected message are selected at random from the following 16 variants:

    Attached file names:

    CFusion.Exe
    PatchFusion.exe
    MyLinong.Exe
    Light up the night.exe
    StarMild.exe
    Kiss.Exe
    Sexy.Exe
    Popeye.exe
    Olive.exe
    BullBull.exe
    Moly.exe
    Lovely.exe
    868879.exe
    help.exe
    BillGate
    Mikropos

    Subjects:

    Info From CFusion
    Patch Your CFusion
    Still Remember You
    Light Up The Night
    Man Choice
    Kiss Me
    Sexy Model
    Popeye Cartoon
    Olive & Popeye
    MyGirlFriend Dogs
    My Girl Friend' Dogs
    Sweet Lovely
    Password
    Need Help
    Bill
    Mikropos

    Message bodies:

    You can update your Cfusion Online For Free
    Are You Ready Fix Your Cfusion,Please Update
    She is MY sexy Linong
    Light up The Night PARTY...
    Are You Man or women. This is The sponsor from our site The man choice
    100 way to kiss your GirlFriend or your boyfriend
    Did you ever see the sexy girls like her
    The New Popeye New Cartoon NetWork
    Olive And Popeye Cartoon
    Nice dog...
    Good Dog and Smart dogs
    My Icq Friend Sweet and Lovely
    Here The list of Nude Password Website. All of them Still Active, and few of them are death password
    Do you need help ? to get money over the internet. You can read the help
    Bill..
    The New Mikropos Software From Mikropos Network
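A mail gateway or mailbox scanner can use the 16 attachment names and subjects listed above as a signature. The following is an added example (not Kaspersky's code) that parses a message with Python's standard email package and returns a verdict. Only an attachment-name match is treated as blocking; a subject match on its own is merely suspicious, because subjects such as "Password" or "Bill" are common in legitimate mail. The messages produced by `build_sample` are constructed test data, and stripping a leading "Re:" from the subject is an assumption of the example, not something the description states.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The 16 attachment names and 16 subjects from the description, lower-cased
# because the worm itself mixes "Exe" and "exe".
WORM_ATTACHMENTS = {n.lower() for n in [
    "CFusion.Exe", "PatchFusion.exe", "MyLinong.Exe", "Light up the night.exe",
    "StarMild.exe", "Kiss.Exe", "Sexy.Exe", "Popeye.exe", "Olive.exe", "BullBull.exe",
    "Moly.exe", "Lovely.exe", "868879.exe", "help.exe", "BillGate", "Mikropos",
]}
WORM_SUBJECTS = {s.lower() for s in [
    "Info From CFusion", "Patch Your CFusion", "Still Remember You", "Light Up The Night",
    "Man Choice", "Kiss Me", "Sexy Model", "Popeye Cartoon", "Olive & Popeye",
    "MyGirlFriend Dogs", "My Girl Friend' Dogs", "Sweet Lovely", "Password", "Need Help",
    "Bill", "Mikropos",
]}


def classify_message(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message against the worm's subject/attachment variants.

    Returns {"verdict": "block" | "suspicious" | "clean", "attachments": [...],
    "subject_match": bool}. Attachment matches block; a subject match alone does not.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    if subject.startswith("re:"):  # assumption: tolerate a mailer-added reply prefix
        subject = subject[3:].strip()
    attachment_names = [part.get_filename() or "" for part in msg.iter_attachments()]
    matched = [n for n in attachment_names if n.lower() in WORM_ATTACHMENTS]
    subject_match = subject in WORM_SUBJECTS
    if matched:
        verdict = "block"
    elif subject_match:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "attachments": matched, "subject_match": subject_match}


def build_sample(subject: str, filename: str, body: str) -> bytes:
    """Build a constructed test message; the attachment bytes are a placeholder, not an executable."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(b"constructed placeholder attachment",
                       maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("Kiss Me", "Kiss.Exe", "100 way to kiss your GirlFriend or your boyfriend"),
        ("Re: Password", "notes.txt", "list attached"),
        ("Quarterly report", "report.pdf", "see attached"),
    ]
    for subject, filename, body in samples:
        print(subject, "->", classify_message(build_sample(subject, filename, body)))
```

Matching the attachment name rather than the body text is deliberate: the body strings above are free text that legitimate mail could contain, whereas an executable attachment carrying one of these exact names is what actually delivers the worm.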

    Payload

    The worm creates the following directories:

    "C:\Linong I Love U So Much Linong For ever My Love%n"

    where %n is a number from 0 to 500 (in some cases, the worm fails to create directories, so the upper limit of the directory number may be less than 500).

    The worm displays the following messages:

  • on June 25th:
    Message From Me
    Happy Birthday To MyLinong
    Still Remember Me...
  • on July 22nd:
    Today I want tell you Once again that
    I LOVE U SO MUCH LINONG
    Hey user, Please Help me to Tell the world
    That I Love Her So Much
  • on November 14th:
    Hi..Nong..I Love You So much.
    But today we must Say GoodBye For ever
    I wait U in the next Life, and Remember I Love You So Much

    VBS Helper

    This is a modification of the VBS e-mail worm "I-Worm.Linong" and works as a helper to the main EXE component.

    When it is run by Windows (because it is registered in the registry Run key), it obtains the IP address of the local machine and then scans the sub-net (for example, if the local machine's IP is 10.10.10.1, the worm will try to connect to all machines by using addresses 10.10.10.n, where 'n' is a number from 1 to 254).

    If machines with such addresses exist, the worm tries to gain access to their C: drives and copy itself there to the following directories:

    "C:\"
    "C:\windows\startm~1\programs\startup"
    "C:\windows"
    "C:\windows\start menu\programs\startup"

    (there is a bug in this routine, and the worm fails to perform this).
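Even though the copy routine is described as failing, the sub-net walk itself leaves a clear network footprint: one host contacting every address in its /24 on file-sharing ports within a short period. The following is an added example (not Kaspersky's code) that flags such sweeps in connection logs. The log format ("timestamp src dst dst_port"), the SMB/NetBIOS ports 139 and 445, and the threshold of 50 distinct hosts are assumptions of the example; the description names no ports or thresholds. SAMPLE_LOG is constructed data modelled on the 10.10.10.n example in the text.

```python
import ipaddress
from collections import defaultdict

# Ports a drive-share copy would use (assumption; the description names none).
SHARE_PORTS = {139, 445}


def find_subnet_sweeps(log_lines, threshold=50):
    """Return {(src, subnet): distinct_hosts} for sources that reached at least
    `threshold` distinct hosts inside one /24 on share ports.

    log_lines: "timestamp src_ip dst_ip dst_port" records (constructed format).
    Lines on other ports are ignored so ordinary web traffic does not count.
    """
    seen = defaultdict(set)
    for line in log_lines:
        _timestamp, src, dst, port = line.split()
        if int(port) not in SHARE_PORTS:
            continue
        subnet = ipaddress.ip_network(f"{dst}/24", strict=False)
        seen[(src, str(subnet))].add(dst)
    return {key: len(hosts) for key, hosts in seen.items() if len(hosts) >= threshold}


# Constructed log: 10.10.10.1 walks 10.10.10.1..254 on port 139, as the helper is
# described as doing; 10.10.10.5 makes two ordinary share connections and one web request.
SAMPLE_LOG = [
    f"2001-01-01T00:{i // 60:02d}:{i % 60:02d} 10.10.10.1 10.10.10.{i} 139"
    for i in range(1, 255)
]
SAMPLE_LOG += [
    "2001-01-01T00:05:00 10.10.10.5 10.10.10.20 445",
    "2001-01-01T00:05:01 10.10.10.5 10.10.10.21 445",
    "2001-01-01T00:05:02 10.10.10.5 10.10.10.22 80",
]

if __name__ == "__main__":
    for (src, subnet), count in find_subnet_sweeps(SAMPLE_LOG).items():
        print(f"sweep: {src} contacted {count} hosts in {subnet} on share ports")
```

Counting distinct destinations per source and per /24, rather than raw connection attempts, is what separates a sweep from a busy but legitimate file server client that reconnects to the same few hosts.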

    The worm then tries to send its EXE component from the infected machines, with the messages containing the following:

    Subject: One of this mail
    Body: True Story....
    Attach: mylinong.exe

    (this routine has a bug too, and the worm fails to spread itself).

    The worm then, as well as "I-Worm.Linong", performs the following:

  • creates 600 empty directories �:\LINONG I LOVE YOU MY FOLDER%n (where %n is a number from 1 to 600)
  • creates its copies with the following names:
    %windows%\mylinong.txt.shs
    %windows%\SYSTEM\Kern32Lin.vbs
    %windows%\Vbrun32DLL.vbs
    %windows%\SYSTEM\mylinong.TXT.vbs
  • and registers a non-existing file in the system registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices Vbrun32DLL = %windows%\Win32DLL.vbs
    The worm then creates an HTA file and opens it, which, as a result, displays the text:
    I Love You
    Linong
    You are the love of my love, 5173n1n3ty31gh7
    Almost One Year.., Miss U
    01*29**879
    01*29**868
    *-*
