W32/Mapson@MM

This page shows the details and results of our analysis of the malware W32/Mapson@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum DAT

4271 (2003-06-11)

Updated DAT

4271 (2003-06-11)

Minimum Engine

5400.1158

File Length

180,736 bytes

Description Added

2003-06-08

Description Modified

2003-06-11

Malware Proliferation

Characteristics

This worm attempts to spread via email, ICQ, and the following peer-to-peer file sharing applications:
  • eDonkey2000
  • Gnucleus
  • Grokster
  • KaZaa
  • KaZaa Lite
  • Limewire
  • Morpheus
It may be received as an email message attachment with one of the following attachment names:
  • amigos.pif
  • amigototote.pif
  • amor-por-ti.pif
  • BigBrother.pif
  • bugmsn.pif
  • chistesgraficos.pif
  • chupamelo.pif
  • comotegustan.pif
  • CracksPPZ.pif
  • cristina-aguilera.pif
  • defaced-madonna-site.pif
  • eggbrother.exe
  • EICAX.COM
  • existeee.pif
  • financiamiento.pif
  • friends.pif
  • GEDZAC.PIF
  • grancarnal.exe
  • grande.pif
  • hackeahotmail.pif
  • historial.pif
  • hotmail.pif
  • kamasutra.pif
  • LatinCard.pif
  • linuxandmicrosoft.pif
  • Lorenaaaa.pif
  • Madonna_sEXY.pif
  • mamalo.pif
  • MariaVirgen.pif
  • Matrix-Trailer.pif
  • Msica.pif
  • No-Spam.exe
  • nuevovirus.txt       .pif
  • Oradores.pif
  • osamabinhuevoback.exe
  • parejaideal.txt.pif
  • petardas.pif
  • porqueteamo.pif
  • projimo.pif
  • relacionsexual.pif
  • resetarios.pif
  • SARS.pif
  • seguridad_en_hotmail.pif
  • serhacker.pif
  • Shakira.pif
  • sindolor.pif
  • solo-a-ti.pif
  • Spamno.pif
  • teamo.exe
  • te-pido.scr
  • test-idiota.pif
  • testpasion.pif
  • thalialoca.pif
  • TutorialVBSvirus.pif
  • WindowsMediaPlayerBug.pif
  • www.mfernanda.com
  • www.vsantiviru.com
  • www.zonaviru.com
  • zorrotttas.pif
Peer-To-Peer propagation filenames include the following names, followed by .gif.exe:
  • Alejandra Guzman
  • Angelica Vale
  • Brenda
  • Britney Spears
  • Cameron dias
  • Celine Dion
  • Desnuda en la playa
  • Francini
  • Galilea Montijo
  • Halle berry
  • Kylie Minogue
  • las pelotas de
  • Laura Pausini
  • Lili Brillanti
  • Lorena
  • Nude Pic
  • Paulina Rubio
  • Pink
  • Sexo en la playa con
  • Sexy Beach
  • Shakira
  • Thalia
It also uses the following names, followed by .exe:
  • Ad-aware
  • Adobe Acrobat Reader (32-bit)
  • AOL Instant Messenger (AIM)
  • Biromsoft WebCam
  • Copernic Agent
  • crack all versions
  • Cracked
  • Delphi 6
  • Diet Kaza
  • DirectDVD
  • DivX Video Bundle
  • Download Accelerator Plus
  • FireWorks 4
  • FIreWorks MX
  • Full version
  • Global DiVX Player
  • Grokster
  • ICQ Lite
  • ICQ Pro 2003a beta
  • iMesh
  • JetAudio Basic
  • Kaspersky Antivirus
  • Kazaa Download Accelerator
  • Kazaa Media Desktop
  • KeyGen
  • Matrix Movie
  • McAfee Antivirus
  • Microsoft Internet Explorer
  • Microsoft Office XP
  • Microsoft Windows 2003
  • Microsoft Windows Media Player
  • Morpheus
  • msn hack
  • MSN Messenger (Windows NT/2000)
  • Nero Burning ROM
  • NetPumper
  • Network Cable e ADSL Speed
  • Norton Antivirus
  • Office 2003
  • Panda Antivirus
  • PerAntivirus
  • Pop-Up Stopper
  • QuickTime
  • RealOne Free Player
  • Registry Mechanic
  • SnagIt
  • SolSuite 2003: Solitaire Card Games Suite
  • Spybot - Search & Destroy
  • Trillian
  • Virtual Girl Sofa
  • Visual Studio Net
  • Winamp
  • WinMX
  • WinRAR
  • WinZip
  • WS_FTP LE (32-bit)
  • XoloX Ultra
  • ZoneAlarm

Symptoms

- Presence of the aforementioned filenames in the WINDOWS SYSTEM directory (%SysDir%)
- The worm may also create the files c:\Lorraine.vxd and Lorraine.exe, and a registry run key:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SYSTEMSTART" = "Lorraine.exe"

- This worm creates an HTML file on the root of the C: drive named lorraine.hta. When accessed, the following window is displayed:

Method of Infection

The worm harvests email addresses from the MSN Messenger .NET contact list and sends itself to the harvested addresses via HOTMAIL.COM. It also copies itself to the following peer-to-peer shared folders:

  • \KaZaA\My Shared Folder
  • \edonkey2000\incoming
  • \gnucleus\downloads
  • \icq\shared files
  • \kazaa lite\my shared folders\v
  • \limewire\shared
  • \morpheus\my shared folder
  • \Grokster\My Grokster
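
The dropped files, Run key and lure filenames described above can be turned into a simple host and mail-gateway check. The following Python is an added example written for this page, not McAfee's own tooling; the indicator lists are shortened samples of the lists above, the directory listing and registry values are constructed inline, and nothing is read from a live system.

```python
import re

# Indicators taken from this description of W32/Mapson@MM.
# The two P2P lists are shortened samples of the page's full lists.
P2P_GIF_EXE_NAMES = ["Britney Spears", "Shakira", "Thalia", "Nude Pic"]
P2P_EXE_NAMES = ["Kaspersky Antivirus", "McAfee Antivirus", "WinZip", "KeyGen"]
DROPPED_FILES = {"lorraine.vxd", "lorraine.exe", "lorraine.hta"}
RUN_KEY_VALUE = ("SYSTEMSTART", "Lorraine.exe")   # HKLM\...\CurrentVersion\Run

# Executable extensions the worm hides behind a decoy extension.
EXEC_EXTS = (".pif", ".scr", ".exe", ".com")


def p2p_indicator_names():
    """Expand the page's P2P lure stems into the full filenames the worm drops."""
    names = {n + ".gif.exe" for n in P2P_GIF_EXE_NAMES}
    names |= {n + ".exe" for n in P2P_EXE_NAMES}
    return {n.lower() for n in names}


def is_disguised_executable(filename):
    """Flag names that hide an executable extension behind a decoy one,
    including whitespace padding such as 'nuevovirus.txt       .pif'."""
    collapsed = re.sub(r"\s+", "", filename).lower()
    if not collapsed.endswith(EXEC_EXTS):
        return False
    stem = collapsed.rsplit(".", 1)[0]
    return "." in stem  # a decoy extension (.txt, .gif, ...) remains in the stem


def scan_shared_folder(listing):
    """Return entries of a P2P shared-folder listing matching the page's names."""
    wanted = p2p_indicator_names()
    return sorted(f for f in listing if f.lower() in wanted)


def check_host_symptoms(root_listing, run_values):
    """root_listing: filenames found in C:\\ (constructed here).
    run_values: dict of value name -> data read from the Run key (constructed).
    Returns a list of human-readable findings."""
    findings = []
    for f in root_listing:
        if f.lower() in DROPPED_FILES:
            findings.append("dropped file present: " + f)
    name, data = RUN_KEY_VALUE
    if run_values.get(name, "").lower() == data.lower():
        findings.append("Run key %s = %s" % (name, data))
    return findings
```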

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

In some cases, however, the following additional steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Restart the computer and remove the CD from the CD-ROM drive.

Variants