A memory-resident network worm that spreads by e-mail. It propagates as an archived copy of itself in mail attachments.
Description from Trend Micro:
Installation and Autostart Techniques
Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as LSESS.EXE.
It also drops the following non-malicious files in the Windows system folder:
It creates the following registry entries to enable itself to run at every Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
lsess = "%System%\lsess.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and 2003.)
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\RunServicesOnce
lsess = "%System%\lsess.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
lsess = "%System%\lsess.exe"
It also has a shell-spawning mechanism that causes it to execute whenever a text file is opened. It does this by creating the following registry entry:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
@ = "%System%\lsess.exe %1"
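The persistence entries above (the three autostart values and the hijacked `txtfile` open handler) are straightforward to check for in a registry export. The following is an added example, not code from Trend Micro or the original page: it parses `.reg` export text and reports any value under the listed keys that points at `lsess.exe`. The export it scans is constructed inline, with one benign `Run` value alongside the worm's entries.

```python
"""Added example (not from Trend Micro or the original page): scan a
Windows registry export (.reg text) for the persistence entries this
description lists. The sample export below is constructed."""

# Autostart keys named in the description, normalised to lowercase.
AUTOSTART_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runservicesonce",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
TXTFILE_KEY = r"hkey_classes_root\txtfile\shell\open\command"
DROPPED_NAME = "lsess.exe"

# Constructed .reg export: one benign Run value, the worm's autostart
# values, and the hijacked txtfile handler.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"lsess"="C:\\Windows\\System32\\lsess.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"lsess"="C:\\Windows\\System32\\lsess.exe"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\Windows\\System32\\lsess.exe %1"
"""


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export.

    Keys are lowercased; the '@' default value is reported as '(default)'.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and "=" in line:
            name, _, data = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"')
            yield key, name, data.strip('"')


def find_indicators(text):
    """Return (kind, key, value_name, data) tuples for entries matching the
    described persistence mechanism: autostart values that launch lsess.exe,
    and a txtfile open handler that routes .txt files through lsess.exe."""
    findings = []
    for key, name, data in parse_reg(text):
        data_l = data.lower()
        if key in AUTOSTART_KEYS and DROPPED_NAME in data_l:
            findings.append(("autostart", key, name, data))
        elif key == TXTFILE_KEY and name == "(default)" and DROPPED_NAME in data_l:
            findings.append(("txtfile_hijack", key, name, data))
    return findings


if __name__ == "__main__":
    for kind, key, name, data in find_indicators(SAMPLE_REG):
        print(f"{kind}: [{key}] {name} = {data}")
```

On a live system the same export is produced with `reg export` for each key; the benign `SecurityHealth` value in the sample is there to show that the check keys on the dropped file name rather than on the presence of a `Run` value alone.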
Propagation Via Email
This worm propagates by sending email messages with a zipped copy of itself as an attachment. The email that it sends out has the following details:
Subject: (any of the following)
• Administration
• approved
• Bad Request
• corrected
• Delivery Protection
• Delivery Server
• Encripted Mail
• Error
• Extended Mail
• Extended Mail System
• Failure
• hello
• important
• improved
• Mail Authentification
• Mail Server
• Notify
• patched
• Protected Mail Delivery
• Protected Mail Request
• Protected Mail System
• read it immediately
• Secure delivery
• Secure SMTP Message
• SMTP Server
• Status
• Thank you for delivery
• Thanks!
Message Body: (a combination of the following message strings)
• +++ Attachment: No Virus found
• +++ Bitdefender AntiVirus - www.bitdefender.com
• +++ Kaspersky AntiVirus - www.kaspersky.com
• +++ MC-Afee AntiVirus - www.mcafee.com
• +++ MessageLabs AntiVirus - www.messagelabs.com
• +++ Panda AntiVirus - www.pandasoftware.com
• ++++ F-Secure AntiVirus - www.f-secure.com
• ++++ Norman AntiVirus - www.norman.com
• ++++ Norton AntiVirus - www.symantec.de
• Authentication required.
• Bad Gateway: The message has been attached.
• Delivered message is attached.
• Encrypted message is available.
• ESMTP [Secure Mail System #334]: Secure message is attached.
• First part of the secure mail is available.
• Follow the instructions t read the message.
• For further details see the attachment.
• For more details see the attachment.
• Forwarded message is available.
• I have attached your document.
• I have received your document. The corrected document is attached.
• New message is available.
• Now a new message is available.
• Partial message is available. Waiting for a Response. Please read the attachment.
• Please authenticate the secure message.
• Please confirm my request.
• Please confirm the document.
• Please read the attached file!
• Please read the attached file!
• Please read the attachment t get the message.
• Please read the document.
• Please read the important document.
• Please see the attached file for details.
• Protected Mail System Test.
• Protected message is attached.
• Protected message is available.
• Requested file.
• Secure Mail System Beta Test.
• See the file.
• SMTP: Please confirm the attached message.
• Waiting for authentification.
• You got a new message.
• You have received an extended message. Please read the instructions.
• Your details.
• Your document is attached t this mail.
• Your document is attached.
• Your document.
• Your file is attached.
• Your requested mail has been attached.
Attachment: (any of the following)
• data.zip
• details.zip
• document.zip
• message.zip
• msg.zip
• readme.zip
(The attached .ZIP file contains any of the following files)
• Data.txt{spaces}.exe
• Delails.doc{spaces}.exe
• Document.txt{spaces}.exe
• Readme.txt{spaces}.exe
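The attachment names above rely on a run of spaces to push the real `.exe` extension out of view behind a `.txt` or `.doc` name. The following is an added example, not code from Trend Micro or the original page: it builds a small ZIP in memory (the archive and its contents are constructed, and the member's bytes are a stand-in rather than a real executable) and flags members whose name follows that padded double-extension pattern, independently of whether their content starts with the `MZ` executable header.

```python
"""Added example (not from the page or Trend Micro): inspect ZIP attachment
member names for the padded double-extension trick the description lists
(e.g. Data.txt{spaces}.exe). The archive is constructed in memory."""
import io
import re
import zipfile

# A visible "document" extension, a run of whitespace, then an executable
# extension at the very end of the member name.
PADDED_EXE = re.compile(
    r"\.(txt|doc|rtf|pdf|htm|html)\s+\.(exe|scr|pif|com|bat)$", re.IGNORECASE
)

PADDED_NAME = "Data.txt" + " " * 60 + ".exe"  # constructed, mirrors the pattern above


def build_sample_zip():
    """Constructed archive: one padded-name member whose bytes begin with the
    MZ executable magic (stand-in bytes, not a real program) and one ordinary
    text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PADDED_NAME, b"MZ" + b"\x00" * 16)
        zf.writestr("notes.txt", b"ordinary text")
    return buf.getvalue()


def suspicious_members(zip_bytes):
    """Return {member_name: [reasons]} for members that look like disguised
    executables. Reasons are 'padded-double-extension' (name pattern) and
    'pe-header' (content begins with the MZ magic), reported independently so
    a renamed executable is still caught when its name is clean."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reasons = []
            if PADDED_EXE.search(info.filename):
                reasons.append("padded-double-extension")
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append("pe-header")
            if reasons:
                hits[info.filename] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Checking the header as well as the name matters because a mail gateway that only strips names ending in `.exe` will pass the padded variant, while a content check catches it regardless of how the name is dressed up.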
This worm searches for target email addresses in files with the following extension names:
However, it avoids email addresses that have the following strings:
Antivirus Retaliation
This worm is able to terminate the following antivirus and security-related programs:
Other Details
This worm drops the following zipped copies of itself on the affected system:
It drops the said files in folders that have any of the following strings in their names:
Platforms
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.