This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Minimum DAT: 4295 (2003-09-24)
Updated DAT: 4376 (2004-07-14)
Minimum Engine: 5.1.00
File Length: 245,760 bytes
Description Added: 2003-09-22
Description Modified: 2003-09-22
This virus is written in Visual Basic. It is intended to mail itself to recipients in the Outlook address book.
Proactive Detection: McAfee gateway products have detected this worm as a variant of W32/Generic.a@MM since 4252 DATs.
Mail Propagation
Outgoing messages are constructed using Outlook. They are constructed as follows:
From: Microsoft Support
Subject: DCOM RPC Vulnerability Patch
Body: Microsoft Corporation has issued a patch for the DCOM RPC vulnerability. The patch can be downloaded below named patch883653.exe
Installation
When executed on the victim machine, a series of message boxes are displayed:
The virus copies itself to the system Startup folder as MicroCorp.exe, for example:
c:\WINDOWS\Start Menu\Programs\StartUp\MicroCorp.exe
The WIN.INI file is modified to hook system startup:
[WinZip]
"run" = %SystemRoot%\Sysrestore\Notepad.exe
The SYSTEM.INI file is modified to hook system startup:
[boot]
"run" = %SystemRoot%\Sysresore\Shell.exe
The AUTOEXEC.BAT file is modified, appending an instruction to launch the worm:
Start %SystemRoot%\Sysrestore\Notepad.exe
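As an added check for the three startup hooks quoted above (this is not McAfee's code or part of the original description), the following Python parses saved copies of WIN.INI, SYSTEM.INI and AUTOEXEC.BAT and reports any "run" entry outside its normal home or any path under the SYSRESTORE directory. The sample file contents are constructed, and matching the directory component loosely is an assumption made to cover both spellings the page quotes.

```python
import re

# INI key/value line; the worm writes the key in quotes:  "run" = <path>
_KV = re.compile(r'^\s*"?(?P<key>[^"=\s]+)"?\s*=\s*(?P<value>.*?)\s*$')
_SECTION = re.compile(r'^\s*\[(?P<name>[^\]]+)\]\s*$')
# Directory the worm creates under System/System32. The page quotes both
# "Sysrestore" and "Sysresore", so the component is matched loosely (assumption).
_SYSRESTORE = re.compile(r'[\\/]sysres\w*[\\/]', re.IGNORECASE)

def parse_ini(text):
    """Return {section_lower: [(key_lower, value), ...]} for INI-style text."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(';'):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group('name').lower()
            sections.setdefault(current, [])
            continue
        m = _KV.match(line)
        if m and current is not None:
            sections[current].append((m.group('key').lower(), m.group('value')))
    return sections

def find_startup_hooks(win_ini, system_ini, autoexec):
    """Report (source, detail) pairs for the startup hooks described above."""
    hits = []
    for name, text in (('WIN.INI', win_ini), ('SYSTEM.INI', system_ini)):
        for section, pairs in parse_ini(text).items():
            for key, value in pairs:
                # 'run' is only expected in WIN.INI [windows]; a non-empty 'run'
                # anywhere else (e.g. [WinZip] or [boot]) or any value pointing
                # into the SYSRESTORE directory is reported.
                normal_home = name == 'WIN.INI' and section == 'windows'
                odd_run = key == 'run' and bool(value) and not normal_home
                if odd_run or _SYSRESTORE.search(value):
                    hits.append((name, f'[{section}] {key}={value}'))
    for line in autoexec.splitlines():
        # The worm appends a "Start <path>" line to AUTOEXEC.BAT.
        if re.match(r'\s*start\b', line, re.IGNORECASE) and _SYSRESTORE.search(line):
            hits.append(('AUTOEXEC.BAT', line.strip()))
    return hits

# Constructed sample files modelled on the modifications quoted on this page.
SAMPLE_WIN_INI = '[windows]\nload=\nrun=\n[WinZip]\n"run" = %SystemRoot%\\Sysrestore\\Notepad.exe\n'
SAMPLE_SYSTEM_INI = '[boot]\nshell=Explorer.exe\n"run" = %SystemRoot%\\Sysresore\\Shell.exe\n'
SAMPLE_AUTOEXEC = '@ECHO OFF\nPATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND\nStart %SystemRoot%\\Sysrestore\\Notepad.exe\n'

if __name__ == '__main__':
    for source, detail in find_startup_hooks(SAMPLE_WIN_INI, SAMPLE_SYSTEM_INI, SAMPLE_AUTOEXEC):
        print(f'{source}: {detail}')
```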
A directory named SYSRESTORE is created within the Windows System and System32 directories. Multiple copies of the worm are placed here with misleading filenames:
The following empty directories are also created on the victim machine:
DoS Batch Script
A batch script is dropped into the Windows directory (hardcoded to C:\Windows):
c:\WINDOWS\MSDOS_3.Bat
This script contains repetitive commands designed to use PING.EXE in a denial of service attack targeting the following:
--
This virus is intended to propagate via Microsoft Outlook, masquerading as a Microsoft security patch.
A batch script is dropped which is intended for denial of service purposes.
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).