
W32/Linong.A@mm

Threat risk: Low

Detection files published: 27 Jun 2001
Description created: 2001-06-27
Description updated: 2001-11-12

Alias: VBS/LoveLetter.CQ@mm
Spreading mechanism: Email, Network

Payload:

Summary

This is an email worm and a network crawler.

Spreading description

Email characteristics:

Subject: One of this mail
Body: True Story?


Attachment: mylinong.exe
The subject, body and attachment above are used when the email is sent by the VBS script.

When the email is sent by the executable, it uses one of the following combinations of subject line, body and attachment:

  • Info From CFusion,
    You can update your CFusion Online For Free,
    CFusion.exe

  • Patch Your CFusion,
    Are You Ready Fix Your CFusion,Please Update
    PatchFusion.exe

  • Still Remember You,
    She is MY sexy Linong,
    MyLinong.exe

  • Light Up The Night,
    Light up The Night PARTY...,
    Light up the night.exe

  • Man Choice,
    Are You Man or women. This is The sponsor from our site The man choice
    StarMild.exe

  • Kiss Me
    100 way to kiss your GirlFriend or your boyfriend
    Kiss.exe

  • Sexy Model
    Did you ever see the sexy girls like her
    Sexy.exe

  • Popeye Cartoon
    The New Popeye New Cartoon NetWork
    Popexe.exe

  • Olive & Popeye
    Olive And Popeye Cartoon
    Olive.exe

  • MyGirlFriend Dogs
    Nice dog...
    BullBull.exe

  • My Girl Friend' Dogs
    Good Dog and Smart dogs
    Moly.exe

  • Sweet Lovely
    My Icq Friend Sweet and Lovely
    Lovely.exe

  • Password
    Here The list of Nude Password Website. All of them Still Active, and few of them are death password
    868879.exe

  • Need Help
    Do you need help ? to get money over the internet. You can read the help
    Help.exe

  • Bill
    Bill..
    BillGate

  • Mikropos
    The New Mikropos Software From Mikropos Network
    Mikropos


Executable part


When the executable is started, it will copy itself to the following files:

\PCPower.exe
\MyLinong.exe


A VB Script file, mylinong.vbs, will also be written to the Windows system folder. All these files will be pointed to from the Registry key

HKEY_LOCAL_MACHINE\Software\Windows\Currentversion\Run


in such a way that they are started during bootup.

In addition, one file will be copied to the Windows system directory under a name chosen at random from the list above, and the worm will attempt to email it to all users in the Outlook address book.

After this it creates 501 directories, all located on C:\ and all called Linong I Love U So Much Linong For ever My LoveX - where the X denotes a number from 0 to 500.

VB Script part (VBS/Loveletter.CQ):


The script is stored in the Windows' system directory, and is pointed to by the Registry in such a way that it is run from startup.

The script does several things:

It copies itself to the following files:

\mylinong.jpg.shs
\Kern32Lin.vbs
\Vbrun32DLL.vbs
\mylinong.jpg.vbs


It will set the following keys in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
Kern32lLin \Kern32Lin.vbs

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
Vbrun32DLL \vbrun32DLL.vbs

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page\
http://www.thewebpost.com/lovepoems/1198/dpt112098ily.shtml


The script attempts (from the second time it is run) to send the original exe file over email to all users in all address books as mentioned above. It will normally only attempt to do this once to each address.

In addition to email, the worm generates random IP addresses and attempts to connect to these. If the machines with these IP addresses have shared C: drives that allow write access, the worm will attempt to copy itself (as linong.vbs) to the root, windows and startup folders of the remote machine. It will however not copy the executable file, so the emailing routine will fail.

The script also creates a lot of directories (600) on the machine where it is run. These directories will be deleted when the worm goes inactive after 14 days.

Threat description

Every other day the worm attempts to show the message below:



 

Removal

Manual removal is possible by deleting all worm files and the created directories.
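
As an added example (not part of Norman's description or tooling), the following Python check looks for the file names, autostart entries, start page and marker directories listed above in a host inventory. The inventory layout, the function names and the sample data are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the description above. Matching is case-insensitive
# because Windows file names and registry data are.
WORM_FILES = {n.lower() for n in (
    "PCPower.exe", "MyLinong.exe", "mylinong.vbs", "linong.vbs",
    "mylinong.jpg.shs", "mylinong.jpg.vbs", "Kern32Lin.vbs", "Vbrun32DLL.vbs")}
START_PAGE = "http://www.thewebpost.com/lovepoems/1198/dpt112098ily.shtml"
# The description gives suffixes 0 to 500; any numeric suffix is flagged here.
DIR_RE = re.compile(r"^Linong I Love U So Much Linong For ever My Love\d+$", re.I)

def basename(path):
    """Lower-cased file name of a Windows path, surrounding quotes removed."""
    return PureWindowsPath(path.strip().strip('"')).name.lower()

def scan(inventory):
    """Return sorted (kind, detail) findings for a host inventory dict."""
    findings = set()
    for path in inventory.get("files", []):
        if basename(path) in WORM_FILES:
            findings.add(("file", path))
    for key, name, data in inventory.get("registry", []):
        k = key.lower().rstrip("\\")
        if k.endswith(("\\run", "\\runservices")) and basename(data) in WORM_FILES:
            findings.add(("autostart", f"{key} -> {data}"))
        if (k.endswith("internet explorer\\main") and name.lower() == "start page"
                and data.strip().lower() == START_PAGE):
            findings.add(("start_page", data))
    marker_dirs = [d for d in inventory.get("root_dirs", []) if DIR_RE.match(d)]
    if marker_dirs:
        findings.add(("directories", f"{len(marker_dirs)} marker directories"))
    return sorted(findings)

# Constructed sample inventory (hypothetical layout, not from a real host).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE = {
    "files": [r"C:\WINDOWS\SYSTEM\Kern32Lin.vbs", r"C:\WINDOWS\notepad.exe",
              r"C:\WINDOWS\pcpower.exe"],
    "registry": [
        (RUN_KEY, "Kern32lLin", r"C:\WINDOWS\SYSTEM\Kern32Lin.vbs"),
        (RUN_KEY, "SystemTray", "SysTray.Exe"),
        (r"HKCU\Software\Microsoft\Internet Explorer\Main", "Start Page", START_PAGE),
    ],
    "root_dirs": ["Program Files"] + [
        f"Linong I Love U So Much Linong For ever My Love{i}" for i in range(501)],
}

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

An empty result after cleanup means none of the listed artifacts remain in the inventory that was collected.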
 

General information about removal of malicious software

Norman's antivirus products are in general able to remove all malicious software that is detected.
Some malware, however, uses techniques that the general product does not remove sufficiently. We have therefore developed the free product Norman Malware Cleaner. Please use the latest version of this program from the link below if your Norman antivirus is unable to clean up the infection.

Usage Title Comment
  Blocking viruses that infect network shares  
  Cleaning of back-up folders on Windows Me and XP