Сетевой резидентный червь, распространяющийся по электронной почте. Распространяется через архивную копию в почтовых вложениях.
Описание от Trend Micro:
Installation and Autostart Techniques
Upon execution, this memory-resident worm drops a copy of itself in the Windows system folder as LSESS.EXE.
It also drops the following non-malicious files in the Windows system folder:
- zlib.dll - a .DLL file used in compressing/decompressing of files
- ansmtp.dll - a Simple Mail Transfer Protocol (SMTP) engine
It creates the following registry entries to enable itself to run at every Windows startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run
lsess = "%System%\lsess.exe"
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and 2003.)
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\RunServicesOnce
lsess = "%System%\lsess.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run
lsess = "%System%\lsess.exe"
It also has shell spawning mechanism that enables it to execute whenever text files are opened. It does this by creating the following registry entry:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
@ = "%System%\lsess.exe %1"
Propagation Via Email
This worm propagates by sending email messages with a zipped copy of itself as an attachment. The email that it sends out has the following details:
Subject: (any of the following)
• Administration
• approved
• Bad Request
• corrected
• Delivery Protection
• Delivery Server
• Encripted Mail
• Error
• Extended Mail
• Extended Mail System
• Failure
• hello
• important
• improved
• Mail Authentification
• Mail Server
• Notify
• patched
• Protected Mail Delivery
• Protected Mail Request
• Protected Mail System
• read it immediately
• Secure delivery
• Secure SMTP Message
• SMTP Server
• Status
• Thank you for delivery
• Thanks!
Message Body: (a combination of the following message strings)
• +++ Attachment: No Virus found
• +++ Bitdefender AntiVirus - www.bitdefender.com
• +++ Kaspersky AntiVirus - www.kaspersky.com
• +++ MC-Afee AntiVirus - www.mcafee.com
• +++ MessageLabs AntiVirus - www.messagelabs.com
• +++ Panda AntiVirus - www.pandasoftware.com
• ++++ F-Secure AntiVirus - www.f-secure.com
• ++++ Norman AntiVirus - www.norman.com
• ++++ Norton AntiVirus - www.symantec.de
• Authentication required.
• Bad Gateway: The message has been attached.
• Delivered message is attached.
• Encrypted message is available.
• ESMTP [Secure Mail System #334]: Secure message is attached.
• First part of the secure mail is available.
• Follow the instructions t read the message.
• For further details see the attachment.
• For more details see the attachment.
• Forwarded message is available.
• I have attached your document.
• I have received your document. The corrected document is attached.
• New message is available.
• Now a new message is available.
• Partial message is available. Waiting for a Response. Please read the attachment.
• Please authenticate the secure message.
• Please confirm my request.
• Please confirm the document.
• Please read the attached file!
• Please read the attached file!
• Please read the attachment t get the message.
• Please read the document.
• Please read the important document.
• Please see the attached file for details.
• Protected Mail System Test.
• Protected message is attached.
• Protected message is available.
• Requested file.
• Secure Mail System Beta Test.
• See the file.
• SMTP: Please confirm the attached message.
• Waiting for authentification.
• You got a new message.
• You have received an extended message. Please read the instructions.
• Your details.
• Your document is attached t this mail.
• Your document is attached.
• Your document.
• Your file is attached.
• Your requested mail has been attached.
Attachment: (any of the following)
• data.zip
• details.zip
• document.zip
• message.zip
• msg.zip
• readme.zip
(The attached .ZIP file contains any of the following files)
• Data.txt{spaces}.exe
• Delails.doc{spaces}.exe
• Document.txt{spaces}.exe
• Readme.txt{spaces}.exe
This worm searches for target email address from files having the following extension names:
- CFG
- CGI
- DBX
- DHTM
- DOC
- EML
- HTM
- JSP
- MBX
- MDX
- MHT
- MMF
- MSG
- NCH
- ODS
- OFT
- PHP
- PPT
- RTF
- SHT
- SHTM
- STM
- TBB
- TXT
- UIN
- VBS
- WAB
- WSH
- XLS
- XML
However, it avoids email addresses that have the following strings:
- @antivir
- @f-pro
- @freeav
- @f-secur
- @kaspersky
- @mcafee
- @messagel
- @microsof
- @norman
- @norton
- @pandasof
- @skynet
- @sophos
- @spam
- @symatec
- @viruslist
- abuse@
- noreply@
- ntivir
- reports@
- spam@
Antivirus Retaliation
This worm has the ability to terminate the following programs that are related to antivirus and security programs:
- _avp32.exe
- _avpcc.exe
- _avpm.exe
- ackwin32.exe
- ADVXDWIN
- alertsvc.exe
- ALOGSERV
- amon.exe
- AMON9X
- anti-trojan.exe
- antivir
- apvxdwin.exe
- ATCON
- ATUPDATER
- ATWATCH
- autodown.exe
- AutoTrace
- avconsol.exe
- ave32.exe
- AVGCC32
- avgctrl.exe
- AvgServ
- AVGSERV9
- avkpop
- AvkServ
- avkserv.exe
- avkservice
- avkwctl9
- Avnt.exe
- avp.exe
- avp32.exe
- avpcc.exe
- avpdos32.exe
- avpm.exe
- avpmon.exe
- avpnt.exe
- avptc32.exe
- avpupd.exe
- Avrep32.exe
- avsched32.exe
- avsynmgr.exe
- avwin95.exe
- AVWINNT
- avwupd32.exe
- AVXMONITOR9X
- AVXMONITORNT
- AVXQUAR
- blackd.exe
- blackice.exe
- BullGuard
- CCAPP.EXE
- cfgWiz
- cfiadmin.exe
- cfiaudit.exe
- cfind.exe
- cfinet.exe
- cfinet32.exe
- claw95.exe
- Claw95cf.exe
- claw95ct.exe
- cleaner.exe
- cleaner3.exe
- clrav.com
- CMGRDIAN
- CONNECTIONMONITOR
- CPDClnt
- defalert
- defscangui
- DEFWATCH
- DOORS
- dv95.exe
- dv95_o.exe
- dvp95.exe
- Dvp95_0.exe
- ecengine.exe
- EFINET32.EXE
- EFPEADM
- esafe.exe
- espwatch.exe
- ETRUSTCIPE
- EXPERT
- f-agnt95.exe
- f-prot.exe
- f-prot95.exe
- f-stopw.exe
- fameh32
- fch32
- fih32
- filemon.exe
- findviru.exe
- fnrb32
- fp-win.exe
- fprot.exe
- FPROT95.EXE
- frw.exe
- fsav32
- fsgk32
- fsm32
- fsma32
- fsmb32
- gbmenu
- GBPOLL
- GENERICS
- GUARD
- iamapp.exe
- iamserv.exe
- IAMSTATS
- IBMASN.EXE
- ibmavsp.exe
- icload95.exe
- icloadnt.exe
- icmon.exe
- icmoon.exe
- icssuppnt.exe
- icsupp95.exe
- Icsuppnt.exe
- iface.exe
- iomon98.exe
- ISRV95
- jed.exe
- Jedi.exe
- kpf.exe
- KPFW32.EXE
- LDPROMENU
- LDSCAN
- lockdown2000.exe
- lockdownadvanced.exe
- lookout.exe
- luall.exe
- lucomserver.exe
- LUSPT
- mcafee
- MCAGENT
- MCMNHDLR
- MCTOOL
- MCUPDATE
- MCVSRTE
- MCVSSHLD
- MGHTML
- MINILOG
- Monitor.exe
- moolive.exe
- MPFSERVICE
- mpftray.exe
- msconfig.exe
- MWATCH
- n32scan.exe
- N32scanw.exe
- navapsvc.exe
- navapw32.exe
- NAVENGNAVEX15
- navlu32.exe
- navnt.exe
- navrunr.exe
- navsched.exe
- navw.exe
- navw32.exe
- navwnt.exe
- ndd32
- NeoWatchLog
- netutils
- nisserv.exe
- nisum.exe
- nmain.exe
- normist.exe
- notstart.exe
- npscheck
- npssvc
- nsched32.exe
- Nspclean.exe
- ntrtscan
- NTVDM
- NTXconfig
- nupgrade.exe
- nvc95.exe
- NVSVC32
- NWService
- NWTOOL16
- offguard.exe
- outpost.exe
- PADMIN
- padmin.exe
- pav.exe
- pavcl.exe
- pavmail.exe
- pavproxy
- Pavsched.exe
- Pavw.exe
- pcciomon.exe
- pccmain.exe
- pccwin97
- pccwin98.exe
- pcfwallicon.exe
- pcntmon
- pcscan
- per.exe
- perd.exe
- persfw.exe
- pertsk.exe
- perupd.exe
- pervac.exe
- pervacd.exe
- POP3TRAP
- POPROXY
- PORTMONITOR
- pqremove.com
- PROCESSMONITOR
- procexp
- PROGRAMAUDITOR
- pview95
- pview95.exe
- rapapp.exe
- rav7.exe
- rav7win.exe
- REALMON
- regedit.exe
- regedt32.exe
- regmon.exe
- rescue.exe
- RTVSCN95
- RULAUNCH
- safeweb.exe
- sbserv
- scan32.exe
- scan95.exe
- scanpm.exe
- scrscan.exe
- serv95.exe
- sfc.exe
- smc.exe
- sphinx.exe
- SPYXX
- SS3EDIT
- sweep95.exe
- SweepNet
- SWNETSUP
- SymProxySvc
- SYMTRAY
- taskmgr
- TAUMON
- tbscan.exe
- tca.exe
- TDS-3
- tds2-98.exe
- tds2-nt.exe
- th.exe
- th32.exe
- th32upd.exe
- thav.exe
- thd.exe
- thd32.exe
- thmail.exe
- vbcmserv
- VbCons
- VCONTROL.EXE
- VET32.EXE
- vet95.exe
- vet98.exe
- vettray.exe
- VPC32
- Vscan40.exe
- vsecomr.exe
- vshwin32.exe
- VSMAIN
- vsmon
- vsscan40.exe
- vsstat.exe
- WATCHDOG
- webscan.exe
- webscanx.exe
- WEBTRAP
- wfindv32.exe
- WGFE95
- WIMMUN32
- WrAdmin
- WrCtrl
- ZAP.EXE
- ZAPD.EXE
- ZAPPRG.EXE
- zapro.exe
- ZAPS.EXE
- ZCAP.EXE
- zonealarm.exe
Other Details
This worm drops the following zipped copies of itself on the affected system:
- Credit Card.zip
- Edonkey 1.1.zip
- Emoticons MSN.zip
- Hotmail Passwords HOWTO.me.zip
- Norton Antivirus.zip
- Overnet Full.zip
- Windows Commander.zip
- Windows XP Activate.zip
- Winzip Cracked.zip
It drops the said files in folders that have any of the following strings in their names:
- compart
- download
- incoming
- share
- shared
Platforms
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.