Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: NONE
Payload:
Detection files published: 26 Jun 2001 03:00:00
Description created: 26 Jun 2001 03:00:00
Description updated: 12 Nov 2001 05:16:00
Malware type: WORM
Alias: VBS/LoveLetter.CQ@mm
Spreading mechanism: EMAIL, NETWORK
Summary: None

W32/Linong.A@mm

Spreading

The subject, body and attachment mentioned above apply when the email is sent by the VBS script.

When the email is sent by the executable, it has one of the following subject lines, bodies and attachments:

Subject: Info From CFusion
Body: You can update your CFusion Online For Free
Attachment: CFusion.exe

Subject: Patch Your CFusion
Body and attachment: Are You Ready Fix Your CFusion,Please UpdatePatchFusion.exe

Subject: Still Remember You
Body: She is MY sexy Linong
Attachment: MyLinong.exe

Subject: Light Up The Night
Body: Light up The Night PARTY...
Attachment: Light up the night.exe

Subject: Man Choice
Body: Are You Man or women. This is The sponsor from our site The man choice
Attachment: StarMild.exe

Subject: Kiss Me
Body: 100 way to kiss your GirlFriend or your boyfriend
Attachment: Kiss.exe

Subject: Sexy Model
Body: Did you ever see the sexy girls like her
Attachment: Sexy.exe

Subject: Popeye Cartoon
Body: The New Popeye New Cartoon NetWork
Attachment: Popexe.exe

Subject: Olive & Popeye
Body: Olive And Popeye Cartoon
Attachment: Olive.exe

Subject: MyGirlFriend Dogs
Body and attachment: Nice dog...BullBull.exe

Subject: My Girl Friend' Dogs
Body: Good Dog and Smart dogs
Attachment: Moly.exe

Subject: Sweet Lovely
Body: My Icq Friend Sweet and Lovely
Attachment: Lovely.exe

Subject: Password
Body and attachment: Here The list of Nude Password Website. All of them Still Active, and few of them are death password868879.exe

Subject: Need Help
Body: Do you need help ? to get money over the internet. You can read the help
Attachment: Help.exe

Subject, body and attachment: BillBill..BillGate

Subject: Mikropos
Body: The New Mikropos Software From Mikropos Network
Attachment: Mikropos

Executable part

When the executable is started, it will copy itself to the following files:

\PCPower.exe
\MyLinong.exe

A VB Script file, mylinong.vbs, will also be written to the Windows system folder.

All these files will be pointed to from the Registry key

HKEY_LOCAL_MACHINE\Software\Windows\Currentversion\Run

in such a way that they are started during bootup.

In addition, one file will be copied to the Windows' system directory with a random name according to the list above, and the worm will attempt to email it to all users in the Outlook address book.

After this it creates 501 directories, all located on C:\ and all called Linong I Love U So Much Linong For ever My LoveX - where the X denotes a number from 0 to 500.

VB Script part (VBS/Loveletter.CQ):

The script is stored in the Windows' system directory, and is pointed to by the Registry in such a way that it is run from startup.

The script does several things:

It copies itself to the following files:

\mylinong.jpg.shs
\Kern32Lin.vbs
\Vbrun32DLL.vbs
\mylinong.jpg.vbs

It will set the following keys in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ Kern32lLin \Kern32Lin.vbs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ Vbrun32DLL \vbrun32DLL.vbs
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page\ http://www.thewebpost.com/lovepoems/1198/dpt112098ily.shtml

The script attempts (from the second time it is run) to send the original exe file over email to all users in all address books as mentioned above. It will normally only attempt to do this once to each address.

In addition to email, the worm generates random IP addresses and attempts to connect to these. If the machines with these IP addresses have shared C: drives that allow write access, the worm will attempt to copy itself (as linong.vbs) to the root, windows and startup folders of the remote machine. It will however not copy the executable file, so the emailing routine will fail.

The script also creates a lot of directories (600) on the machine where it is run. These directories will be deleted when the worm goes inactive after 14 days.

Payload Details

Every other day the worm attempts to show the message below:


(Image not available)



Analysis

n/a

Removal

Manual removal is possible by deleting all worm files and the created directories.
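
A read-only scan for the worm-specific file names and the numbered directory names listed in this description, usable before and after manual removal. This is an added example, not Lumension's tooling; the function names and the loose whitespace matching of the directory name are assumptions.

```python
import os
import re

# File names the description says the worm writes (compared case-insensitively).
# Generic attachment names such as Help.exe are left out to avoid false positives.
WORM_FILES = {
    "pcpower.exe", "mylinong.exe", "mylinong.vbs", "linong.vbs",
    "mylinong.jpg.shs", "mylinong.jpg.vbs", "kern32lin.vbs", "vbrun32dll.vbs",
}

# Directory name from the description followed by a number from 0 to 500.
# Assumption: exact spacing is uncertain, so whitespace is matched loosely.
DIR_RE = re.compile(
    r"^linong\s+i\s+love\s+u\s+so\s+much\s+linong\s+for\s*ever\s+my\s+love\s*(\d{1,3})$",
    re.IGNORECASE,
)


def is_worm_dir(name):
    """True if name matches the worm's directory pattern with X in 0..500."""
    m = DIR_RE.match(name.strip())
    return bool(m) and int(m.group(1)) <= 500


def find_linong_artifacts(root):
    """Walk root without modifying it; return (files, dirs) that match."""
    files, dirs = [], []
    for current, subdirs, names in os.walk(root):
        for d in subdirs:
            if is_worm_dir(d):
                dirs.append(os.path.join(current, d))
        for n in names:
            if n.lower() in WORM_FILES:
                files.append(os.path.join(current, n))
    return sorted(files), sorted(dirs)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found_files, found_dirs = find_linong_artifacts(target)
    for path in found_files:
        print("file:", path)
    print(f"{len(found_dirs)} directories match the worm's naming pattern")
```

The Run and RunServices registry values listed under Spreading are not covered by this scan and need to be checked separately.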


Last Updated: 12 Nov 2015 11:06:10