Description
Win32/Lightmoon.M is a worm that spreads via email and network shares. It makes trivial changes to its PE header as it replicates in order to evade detection methods such as MD5 matching.
Method of Infection
When executed, the worm makes many copies of itself on the affected system and drops several additional component files. It creates the following copies:
- %Windows%\lsass.exe
- %Windows%\.exe (the worm creates 3 copies of itself with different filenames that follow this format)
- %System%\\.cmd
- %System%\>.exe
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME is C:\Windows\System; and for XP and Vista is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME is C:\Windows; and for XP and Vista is C:\Windows.
It also creates the following files:
- %Windows%\cypreg.dll
- %Windows%\moonlight.dll
- %System%\systear.dll - data file used to store the random filename.
A folder with Recycle Bin attributes (the %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E} folder referenced in the registry values below) is created to store more copies of the worm.
The following registry modifications are made in order to ensure that the worm is executed:
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD = "%Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\.com"
- HKCU\Software\Microsoft\Windows\CurrentVersion\RUN\ = "%System%\<random 14 characters>.exe"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, %Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\.exe"
- HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell = "l.exe"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "%Windows%\.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RUN\ = "%Windows%\.exe"
The worm also creates a copy of itself in each subfolder under My Documents, using the same name as the subfolder it is created in, for example:
- \Documents and Settings\My Documents\My Pictures\My Pictures.exe
- \Documents and Settings\\My Documents\My Music\My Music.exe
The worm makes several additional registry modifications that are not critical to its replication:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 0
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 1
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue = 0
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig = 1
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 1
- HKCR\exefile\(Default) = "File Folder"
- HKCR\scrfile\(Default) = "File Folder"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "%Windows%\notepad.exe"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "%Windows%\notepad.exe"
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 0
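As an added example (not part of CA's description), the following Python parses a regedit-style .reg export and flags the persistence and evasion values from the two registry lists above: the Winlogon Shell change, the Image File Execution Options "debugger" hijacks, the "File Folder" type names and the Explorer hiding settings. The export text is constructed, and PLACEHOLDER.exe stands in for the random filename the description does not give.

```python
# Added example (not CA's or the page's code): scan a regedit .reg export for the
# Lightmoon.M registry changes listed above. SAMPLE_REG is a constructed export.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
ADVANCED = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
HIJACKED = ("regedit.exe", "msconfig.exe", "rstrui.exe")  # IFEO targets named on the page
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\WINDOWS\\.{645FF040-5081-101B-9F08-00AA002F954E}\\PLACEHOLDER.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger"="C:\\WINDOWS\\.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"
[HKEY_CLASSES_ROOT\exefile]
@="File Folder"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

def parse_reg(text):
    # Returns {key: {value name: value}} with keys and names lowercased;
    # only REG_SZ ("...") and dword: values are handled, others are skipped.
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            entries.setdefault(key, {})
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            name = "(default)" if name == "@" else name.strip('"').lower()
            if raw.startswith("dword:"):
                entries[key][name] = int(raw[6:], 16)
            elif raw.startswith('"'):  # REG_SZ: undo the doubled backslashes
                entries[key][name] = raw.strip('"').replace("\\\\", "\\")
    return entries

def find_indicators(entries):
    # Returns human-readable findings for the values the description lists.
    hits = []
    shell = entries.get(WINLOGON, {}).get("shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":  # extra program launched with the shell
        hits.append("Winlogon Shell altered: " + shell)
    for key, vals in entries.items():  # an IFEO "debugger" silently replaces the tool
        exe = key.rsplit("\\", 1)[-1]
        if key.startswith(IFEO + "\\") and exe in HIJACKED and "debugger" in vals:
            hits.append(f"IFEO debugger hijack of {exe}: {vals['debugger']}")
    for cls in ("exefile", "scrfile"):  # executables shown with the folder type name
        if entries.get("hkey_classes_root\\" + cls, {}).get("(default)") == "File Folder":
            hits.append(cls + " type name changed to 'File Folder'")
    adv = entries.get(ADVANCED, {})
    if adv.get("hidefileext") == 1 and adv.get("showsuperhidden") == 0:
        hits.append("Explorer set to hide extensions and super-hidden files")
    return hits
```

Run `find_indicators(parse_reg(open("export.reg").read()))` against a real export from `reg export` or regedit to get the same findings list; an untouched system returns an empty list.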
The worm uses the File Folder icon; together with the HideFileExt and exefile/scrfile type-name changes above, this makes its copies look like ordinary folders in Explorer.
Copies of the worm, as many as 10, are inserted into ZIP files found on the infected system. The inserted filenames are selected from the following list:
- Icon Cool-Editor 3.4.30315.exe
- Vista Transformation Pack 4.0.exe
- Pack_Vista_Inspirat_1.6.exe
- Pack_Longhorn_Inspirat_1.6_code32547.exe
Method of Distribution
Via Email
The worm spreads via e-mail with a variable Subject and Message Body. The attachment also uses a variable filename and extension. The From address is 'spoofed', chosen from e-mail addresses collected from the affected system. The e-mail address of the infected user is also used.
E-mails sent by the worm have the following characteristics:
Possible Subjects:
Possible Message Bodies:
- please read again what i have written to you
The attachment is a ZIP file that contains one executable with a filename selected from this list:
The ZIP filename consists of a string selected from this list, followed by a random number:
The sender address may be "spoofed" using one of these names and domains in addition to those collected from the affected system:
The spoofed domain names are:
The worm collects email addresses to send itself to by searching files on all local fixed drives. It searches in any files with the following extensions:
It avoids using addresses containing any of the following strings:
Via Mapped Drives
A copy of the worm is written to the root of all mapped drives, and into ZIP files found on those drives, using one of these filenames:
- Icon Cool-Editor 3.4.30315.exe
- Vista Transformation Pack 4.0.exe
- Pack_Vista_Inspirat_1.6.exe
- Pack_Longhorn_Inspirat_1.6_code32547.exe
Via Network Shares
A copy of the worm is written to all subfolders, using the subfolder name as the filename, on all network shares to which the affected user has write access. For example, with a target subdirectory of \MyDocs, \MyDocs\MyDocs.exe is created.
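As an added example (not from CA's description), the following Python walks a directory tree for the two file-naming patterns this description gives: the <folder>\<folder>.exe copy placed in each subfolder (My Documents and network shares, above) and the four fixed lure filenames dropped on mapped drives and into ZIP files. The sample tree it scans is constructed in a temporary directory.

```python
# Added example (not from the page): look for <folder>\<folder>.exe copies and the
# fixed lure filenames described above. The sample tree is constructed, not real.
import os
import shutil
import tempfile

LURE_NAMES = {  # filenames listed on the page, compared case-insensitively
    "icon cool-editor 3.4.30315.exe",
    "vista transformation pack 4.0.exe",
    "pack_vista_inspirat_1.6.exe",
    "pack_longhorn_inspirat_1.6_code32547.exe",
}

def find_suspicious_exes(root):
    """Sorted '/'-separated paths under root of .exe files matching either pattern."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        parent = os.path.basename(dirpath).lower()
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() != ".exe":
                continue
            if fn.lower() in LURE_NAMES or stem.lower() == parent:
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def make_sample_tree():
    root = tempfile.mkdtemp(prefix="lightmoon_demo_")  # throwaway constructed tree
    layout = [
        "My Documents/My Pictures/My Pictures.exe",      # named after its folder
        "My Documents/My Music/My Music.exe",            # named after its folder
        "My Documents/My Music/song.mp3",                # benign, not an .exe
        "MyDocs/MyDocs.exe",                             # share-style copy
        "Downloads/Vista Transformation Pack 4.0.exe",   # lure filename
        "Tools/setup.exe",                               # benign: stem != folder
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"MZ" if rel.endswith(".exe") else b"")  # placeholder content
    return root

def scan_sample():
    root = make_sample_tree()  # returns the findings and removes the tree afterwards
    try:
        return find_suspicious_exes(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

On a live system call `find_suspicious_exes()` on a share or user-profile root; a name match is a pointer for triage, not proof on its own.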
If the network share is found to contain the Windows directory, the worm creates a subdirectory "moon" off the root of the network share. It then creates two files:
Desktop.ini is then modified to activate "Elitta.htt", which in turn executes "moonlint.exe".
Payload
Before the worm takes any further actions, it checks http://www.google.com/ to determine whether the affected system has Internet access.
Deletes Services
The worm attempts to delete these NT services (these services are components of Norman Virus Control):
- Norman Zanda
Deletes Registry Values
The worm deletes these registry values from HKCU\Software\Microsoft\Windows\CurrentVersion\run and HKLM\Software\Microsoft\Windows\CurrentVersion\run:
Deletes Files
Selected files are deleted from the Desktop, Favorites, Application Data, Startup and Windows folders. The correct paths to these folders are identified by calling the system API, so the routine is language-independent. The examples shown below are from an English Windows installation:
- \Documents and settings\\Desktop\windows*
- \Documents and settings\\Favorites\*.exe
- \Documents and settings\\Favorites\*.vbs
- \Documents and settings\\Local Settings\Application Data\*.exe
- \Documents and settings\\Start Menu\Programs\Startup\*.pif
- \Documents and settings\\Start Menu\Programs\Startup\Romantic*
- %WinDir%\KesenjanganSosial.exe
Source: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=61987