Method of Infection
The worm copies itself to the following locations:
- %Windows%\lsass.exe
- %Windows%\<random>.exe (the worm creates 3 copies of itself with different filenames that follow this format)
- %System%\<random>\<random>.cmd
- %System%\<random>.exe
It also creates the following files:
- %Windows%\cypreg.dll
- %Windows%\moonlight.dll
- %System%\systear.dll - data file used to store the random filename.
- %Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
- %Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
- %Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
- %Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd
- %Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
- %Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\<random>.com
- %Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\<random>.exe
- %Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip
The following registry modifications are made in order to ensure that the worm is executed:
- HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD = "%Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\<random>.com"
- HKCU\Software\Microsoft\Windows\CurrentVersion\RUN\<random> = "%System%\<random 14 characters>.exe"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, "%Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\<random>.exe""
- HKLM\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell = "<random>l.exe"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "%Windows%\<random>.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RUN\<random> = "%Windows%\<random>.exe"
- \Documents and Settings\<username>\My Documents\My Pictures\My Pictures.exe
- \Documents and Settings\<username>\My Documents\My Music\My Music.exe
The worm makes several additional registry modifications that are not critical to its replication:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 0
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = 1
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
- HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\UncheckedValue = 0
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig = 1
- HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR = 1
- HKCR\exefile\(Default) = "File Folder"
- HKCR\scrfile\(Default) = "File Folder"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "%Windows%\notepad.exe"
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "%Windows%\notepad.exe"
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 0
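As an added defender-side check (written for this page, not part of the CA description), the script below parses a Windows .reg export and flags the tampering listed above: any Image File Execution Options debugger redirect, a Winlogon Shell or SafeBoot AlternateShell that is no longer the stock shell, the exefile type renamed to "File Folder", and System Restore disabled by policy. The stock defaults it compares against (explorer.exe, cmd.exe, "Application", DisableSR = 0) are assumed from a standard Windows installation, and the sample export is constructed, with "abcd" standing in for the worm's random name.

```python
"""Audit a Windows .reg export for the persistence and anti-recovery tampering described above."""
NT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
IFEO = NT + r"\Image File Execution Options"  # any "debugger" value under here is a redirect
CHECKS = [  # (key, value name, stock Windows default, reason); the defaults are assumed, not from the page
    (NT + r"\Winlogon", "Shell", "explorer.exe", "Winlogon Shell launches an extra binary"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot", "AlternateShell", "cmd.exe", "Safe Mode shell replaced"),
    (r"HKEY_CLASSES_ROOT\exefile", "@", "Application", "exefile type renamed"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore", "DisableSR", "0", "System Restore disabled"),
]

def parse_reg(text):
    """Yield (key, value name, value) from .reg text; REG_SZ and dword values only."""
    key = None
    for line in (raw_line.strip() for raw_line in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                value = str(int(raw[6:], 16))
            else:  # REG_SZ: strip the enclosing quotes, then undo .reg escaping of \\ and \"
                value = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            yield key, name.strip('"'), value  # "@" is the key's default value

def audit(reg_text):
    """Return findings as (key, value name, value, reason) tuples."""
    findings = []
    for key, name, value in parse_reg(reg_text):
        if key.lower().startswith(IFEO.lower()) and name.lower() == "debugger":
            findings.append((key, name, value, "IFEO debugger hijack"))
        for ck, cn, default, reason in CHECKS:
            if (ck.lower(), cn.lower()) == (key.lower(), name.lower()) and value.lower() != default.lower():
                findings.append((key, name, value, reason))
    return findings

# Constructed sample export; "abcd" stands in for the worm's random file-name prefix.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, \"C:\\WINDOWS\\abcd.{645FF040-5081-101B-9F08-00AA002F954E}\\abcd.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\abcd.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"
[HKEY_CLASSES_ROOT\exefile]
@="File Folder"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

On a live system, export the hives with `reg export` first; the parser deliberately ignores binary and multi-string values, so it only reports on the string and DWORD settings the description covers.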
The worm uses the File Folder icon.
Up to 10 copies of the worm are inserted into ZIP files found on the infected system, using filenames selected from the following list:
- RealPlayer13-5GOLD.exe
- Icon Cool-Editor 3.4.30315.exe
- CheatEngine52.exe
- framework-4.4.exe
- Vista Transformation Pack 4.0.exe
- Pack_Vista_Inspirat_1.6.exe
- DeepUnfreezerU1.6.exe
- Pack_Longhorn_Inspirat_1.6_code32547.exe
- TeamViewer_Setup.exe
- License.exe
Method of Distribution
Via Email
The worm spreads via e-mail with a variable Subject and Message Body. The attachment also uses a variable filename and extension. The From address is spoofed, chosen from e-mail addresses collected from the affected system; the infected user's own address is also used.
E-mails sent by the worm have the following characteristics:
Possible Subjects:
- miss Indonesian
- Cek This
- hello
- Japannes Porn
- xxx
Possible Message Bodies:
- hey Indonesian porn
- Agnes Monica pic's
- Fucking With Me :D
- sisilia
- Hilda
- please read again what i have written to you
- Hot ...
The attachment is a ZIP file that contains one executable with a filename selected from this list:
- Licence.exe
- Pictures.exe
- Secret.exe
- Documents.exe
- Vivid.exe
- update.exe
- XXX.exe
- cool.exe
- vitae.exe
- error.exe
The ZIP filename consists of a string selected from this list, followed by a random number:
- Miyabi
- nadine
- hell
- video
- Doc
- file
- thisfile
- need you
- Agnes
- Ami
- Anata
- Anton
- Cicilia
- Claudia
- CoolMan
- Davis
- Emily
- Firmansyah
- Fransisca
- Fransiska
- Fria
- HellSpawn
- Joe
- Joko
- Julia
- JuwitaNingrum
- Lanelitta
- Lia
- Linda
- Nana
- Natalia
- Riri
- Rita
- sasuke
- SaZZA
- Susi
- Titta
- Valentina
- Vivi
The spoofed domain names are:
- hackersmail.com
- hotmail.com
- gmail.com
- msn.com
- yahoo.com.sg
- Lovemail.com
The worm collects email addresses to send itself to by searching files on all local fixed drives. It searches in any files with the following extensions:
- txt
- tml
- asp
- php
- rtf
- eml
- pl
- spx
- js
It avoids using addresses containing any of the following strings:
- security
- avira
- norman
- norton
- panda
- mcafee
- Syman
- sophos
- Trend
- vaksin
- novell
- virus
A copy of the worm is written to the root of every mapped drive, and into ZIP files found on the drive, using one of these filenames:
- RealPlayer13-5GOLD.exe
- Icon Cool-Editor 3.4.30315.exe
- CheatEngine52.exe
- framework-4.4.exe
- Vista Transformation Pack 4.0.exe
- Pack_Vista_Inspirat_1.6.exe
- DeepUnfreezerU1.6.exe
- Pack_Longhorn_Inspirat_1.6_code32547.exe
- TeamViewer_Setup.exe
Via Network Shares
A copy of the worm is written to every subfolder, using the subfolder name as the filename, on all network shares to which the affected user has write access. For example, for a target subdirectory \MyDocs, the file \MyDocs\MyDocs.exe is created.
If the network share contains a Windows directory, the worm creates a subdirectory named "moon" at the root of the share and places two files in it:
- Elitta.htt
- moonlight.exe
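The on-disk traces described in this section can be hunted for with the added example below (written for this page, not taken from the advisory): it walks a tree such as a mapped drive or share and reports folders whose name ends in .{645FF040-5081-101B-9F08-00AA002F954E} (the Recycle Bin CLSID, which makes Explorer display the worm's folder as a Recycle Bin), executables named after their parent folder as in \MyDocs\MyDocs.exe, and a "moon" folder holding Elitta.htt and moonlight.exe. The directory layout it scans is constructed in a temporary folder, with "abcd" standing in for the random prefix.

```python
"""Hunt a directory tree for the on-disk traces described above: a folder disguised with the
Recycle Bin CLSID, an executable named after its parent folder, and the "moon" drop folder."""
import os
import tempfile

RECYCLE_CLSID = ".{645FF040-5081-101B-9F08-00AA002F954E}"  # Recycle Bin CLSID from the file list
MOON_FILES = {"elitta.htt", "moonlight.exe"}

def hunt(root):
    """Return sorted (path, reason) pairs for every suspicious item below root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        names = {f.lower() for f in filenames}
        folder = os.path.basename(dirpath)
        for d in dirnames:
            if d.lower().endswith(RECYCLE_CLSID.lower()):
                findings.append((os.path.join(dirpath, d), "folder disguised with Recycle Bin CLSID"))
        # Share propagation pattern: \MyDocs\MyDocs.exe (skip the scan root itself)
        if dirpath != root and (folder + ".exe").lower() in names:
            findings.append((os.path.join(dirpath, folder + ".exe"), "executable named after its folder"))
        if folder.lower() == "moon" and MOON_FILES <= names:
            findings.append((dirpath, "moon folder with Elitta.htt and moonlight.exe"))
    return sorted(findings)

def build_sample(root):
    """Construct a sample tree with the three patterns plus benign content (empty files)."""
    layout = {
        "MyDocs": ["MyDocs.exe", "report.doc"],
        "moon": ["Elitta.htt", "moonlight.exe"],
        "abcd" + RECYCLE_CLSID: ["service.exe", "regedit.cmd"],  # "abcd" stands in for the random prefix
        "Photos": ["holiday.jpg"],
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in files:
            open(os.path.join(root, folder, name), "w").close()

def demo():
    """Build the sample tree in a temp dir and return findings relative to it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return [(os.path.relpath(path, root), reason) for path, reason in hunt(root)]

if __name__ == "__main__":
    for item in demo():
        print(*item, sep="  ->  ")
```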
Payload
Before the worm takes any further actions, it checks http://www.google.com/ to determine whether the affected system has Internet access.
Deletes Services
The worm attempts to delete these NT services (these services are components of Norman Virus Control):
- nipsvc
- Norman NJeeves
- nvcoas
- Norman Zanda
Deletes Registry Values
The worm deletes these registry values from HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run:
- ADie suka kamu
- AllMyBallance
- Alumni Smansa
- AutoSupervisor
- avgnt
- BabelPath
- Bron-Spizaetus
- CueX44_stil_here
- dago
- dkernel
- DllHost
- Driver
- drv_st_key
- Grogotix
- lexplorer
- MomentEverComes
- MSMSG
- norman zanda
- norman_zanda
- Pluto
- Putri_Bangka
- Putri_Indonesia
- SaTRio ADie X
- service
- SMA_nya_Artika
- SMAN1_Pangkalpinang
- SysDiaz
- SysRia
- SysYuni
- Task
- templog
- Tok-Cirrhatus
- TryingToSpeak
- ViriSetup
- Winamp
- winfix
- WinUpdateSupervisor
- Word
- YourUnintended
- YourUnintendes
Deletes Files
Selected files are deleted from the Desktop, Favorites, Application Data, Startup and Windows folders. The correct paths to these folders are obtained through the system API, so the routine works on any Windows language version. The examples below are from an English Windows installation:
- \Documents and Settings\<username>\Desktop\windows*
- \Documents and Settings\<username>\Favorites\*.exe
- \Documents and Settings\<username>\Favorites\*.vbs
- \Documents and Settings\<username>\Local Settings\Application Data\*.exe
- \Documents and Settings\<username>\Start Menu\Programs\Startup\*.pif
- \Documents and Settings\<username>\Start Menu\Programs\Startup\Romantic*
- %WinDir%\MyHeart.exe
- %WinDir%\KesenjanganSosial.exe
- %WinDir%\FirstLove.exe*
- %WinDir%\eksplorasi*
- %WinDir%\CintaButa*
- %WinDir%\ShellNew\*.exe
Source: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=61987