W32/MoonLight.worm

This page shows the details and results of our analysis of the malware W32/MoonLight.worm.

Overview

W32/MoonLight.worm is a mass mailing worm which attempts to send a copy of itself to email addresses harvested from the computer.


Minimum DAT

4757 (2006-05-08)

Updated DAT

6131 (2010-10-09)

Minimum Engine

5.1.00

File Length

Varies

Description Added

2006-05-08

Description Modified

2006-10-17


Characteristics

W32/MoonLight.worm is a mass mailing worm which attempts to send a copy of itself to email addresses harvested from the computer.

The characteristics of this worm, with regard to file names, folders created, port numbers used, etc., differ from one variant to another; this is therefore a general description.

Installation

Upon execution, it creates copies of itself as:

  • %WINDIR%\m24627\smss.exe
  • %SYSTEMDIR%\(digits).exe
  • %WINDIR%\m(digits)\ja(digits).com
  • %WINDIR%\sa-(digits).exe
  • %WINDIR%\m(digits)\emangeloh.exe
  • %WINDIR%\ti(digits).exe
  • %SYSTEMDIR%\x(digits)go\z(digits)cie.cmd
  • c:\documents and settings\%USER%\templates\o(digits)z\tuxo(digits)z.exe
  • c:\documents and settings\%USER%\templates\o(digits)z\service.exe
  • c:\documents and settings\%USER%\templates\o(digits)z\winlogon.exe 
  • c:\documents and settings\%USER%\start menu\programs\startup\sql.cmd

It also drops the following files.

  • %WINDIR%\[themoonlight].txt (109 bytes)
  • %WINDIR%\system\msvbvm60.dll (a clean copy of the Visual Basic 6 runtime, not malicious in itself)

The following registry entries are created to load the worm at startup. The SafeBoot AlternateShell value makes the worm the shell even in Safe Mode, the Winlogon Userinit and Shell values gain an extra worm executable alongside userinit.exe and explorer.exe, and the all-users Startup folder is redirected to a directory the worm controls.

  • hkey_local_machine\system\controlset001\control\safeboot
    alternateshell="(digits).exe"
  • hkey_local_machine\system\controlset002\control\safeboot
    alternateshell="(digits).exe"
  • hkey_current_user\software\microsoft\windows\currentversion\run
    t(digits)="%SYSTEMDIR%\(digits).exe"
  • hkey_local_machine\software\microsoft\windows\currentversion\run
    t(digits)="%WINDIR%\sa-(digits).exe"
  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
    userinit="%SYSTEMDIR%\userinit.exe , "%WINDIR%\M(digits)\Ja(digits).com""
  • hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
    shell="explorer.exe, "C:\Documents and settings\%USER%\Templates\O(digits)Z\T(digits).exe""
  • hkey_local_machine\software\microsoft\windows\currentversion\explorer\user shell folders
    common startup="%SYSTEMDIR%\X(digits)go"

The following registry values are modified. Together they hide file extensions and hidden/system files in Explorer, disable the Registry Editor by policy, and set the Image File Execution Options "debugger" for msconfig.exe and regedit.exe to notepad.exe, so that launching either tool opens Notepad instead:

  • hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
    hidden="0"
    hidefileext="1"
    showsuperhidden="0"
  • hkey_local_machine\system\currentcontrolset\services\sharedaccess
    start="0"
  • hkey_current_user\software\microsoft\windows\currentversion\explorer\cabinetstate
    fullpath="1"
  • hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden
    uncheckedvalue="0"
  • hkey_current_user\software\microsoft\windows\currentversion\policies\system
    disableregistrytools="1"
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe
    debugger="%WINDIR%\notepad.exe"
  • hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe
    debugger="%WINDIR%\notepad.exe"

The following additional registry keys are created:

  • hkey_local_machine\software\microsoft\tux\biang
    1="(digits)"
    2="(digits)"
    3="(digits)"
    4="(digits)"
    5="(digits)"
  • hkey_local_machine\software\microsoft\tux\path
    1="M(digits)"
    2="O(digits)Z"
    3="X(digits)go"
  • hkey_current_user\software\vb and vba program settings\untukmu\version
    me="52"
  • hkey_current_user\software\vb and vba program settings\nogods\appactive
    service.exe="59-00-6e-00-a6-00-41-00-70-00-7e-01-5a-00-27-00-7b-00-00-00"
    winlogon.exe="e4-00-f9-00-33-00-cc-00-fc-00-2b-00-e5-00-b2-00-08-00-00-00"
    emangeloh.exe="4b-00-60-00-dc-02-33-00-62-00-90-00-4c-00-19-00-6d-00-00-00"
    smss.exe="50-00-65-00-9d-00-38-00-68-00-22-20-51-00-1e-00-72-00-00-00"
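Registry hooks like these can be checked offline against an exported hive. The script below is an added example, not part of the original advisory or of any McAfee tool: it parses a small constructed `.reg` export (the digit sequences and the user name `user` are invented stand-ins for the (digits) placeholders above) and flags the Image File Execution Options Debugger entries, the SafeBoot AlternateShell, the extra Winlogon Userinit/Shell entries, the redirected Common Startup folder, DisableRegistryTools, HideFileExt and the worm's own `Tux` marker key.

```python
"""Offline check of a Windows registry export (.reg) for the startup hooks and
anti-analysis settings listed above. Assumed workflow: export the relevant keys
with `reg export` on the suspect machine, then run this on an analyst box."""
import re
from typing import Dict, List, Tuple

# Constructed sample export (not taken from a real infection); the digit
# sequences stand in for the per-variant numbers the advisory writes as (digits).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="24627.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,\"C:\\WINDOWS\\M24627\\Ja24627.com\""
"Shell"="explorer.exe, \"C:\\Documents and Settings\\user\\Templates\\O24627Z\\T24627.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Startup"="C:\\WINDOWS\\system32\\X24627go"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\notepad.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tux\Path]
"1"="M24627"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def _decode(raw: str) -> str:
    """Decode a .reg value: REG_SZ is quoted with backslash-escaped quotes and
    backslashes, REG_DWORD is written as dword:<hex>."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if raw.lower().startswith('dword:'):
        return str(int(raw[6:], 16))
    return raw  # other types (hex:, etc.) are left as-is; not needed here


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key path -> {lower-cased value name: decoded value}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = _decode(m.group(2))
    return keys


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (severity, key, detail) for each setting matching the worm's behaviour."""
    findings = []
    for key, vals in keys.items():
        # Image File Execution Options: a Debugger value makes Windows start that
        # program instead of the named tool, which is how regedit/msconfig are neutered.
        if '\\image file execution options\\' in key and 'debugger' in vals:
            findings.append(('high', key, 'IFEO Debugger=' + vals['debugger']))
        # Safe Mode shell: anything other than cmd.exe survives a Safe Mode boot.
        if key.endswith('\\control\\safeboot') and vals.get('alternateshell', 'cmd.exe').lower() != 'cmd.exe':
            findings.append(('high', key, 'SafeBoot AlternateShell=' + vals['alternateshell']))
        # Winlogon: Userinit should contain only userinit.exe, Shell only explorer.exe.
        if key.endswith('\\winlogon'):
            parts = [p.strip(' "') for p in vals.get('userinit', '').split(',') if p.strip(' "')]
            if len(parts) > 1 or (parts and not parts[0].lower().endswith('userinit.exe')):
                findings.append(('high', key, 'Userinit=' + vals['userinit']))
            if vals.get('shell', 'explorer.exe').strip().lower() != 'explorer.exe':
                findings.append(('high', key, 'Shell=' + vals['shell']))
        # All-users Startup folder pointed somewhere other than the real Startup folder.
        startup = vals.get('common startup', '')
        if key.endswith('\\user shell folders') and startup and 'start menu\\programs\\startup' not in startup.lower():
            findings.append(('high', key, 'Common Startup=' + startup))
        if key.endswith('\\policies\\system') and vals.get('disableregistrytools') == '1':
            findings.append(('medium', key, 'DisableRegistryTools=1'))
        if key.endswith('\\explorer\\advanced') and vals.get('hidefileext') == '1':
            findings.append(('low', key, 'HideFileExt=1'))
        # The worm's own bookkeeping key; its presence alone is a confirmed indicator.
        if '\\software\\microsoft\\tux' in key:
            findings.append(('high', key, 'worm marker key present'))
    return findings


def triage_text(text: str) -> List[Tuple[str, str, str]]:
    return triage(parse_reg(text))


if __name__ == '__main__':
    for severity, key, detail in triage_text(SAMPLE_REG):
        print(f'[{severity:6}] {key}: {detail}')
```

The thresholds are deliberately strict: a legitimate Userinit value names only userinit.exe, Shell is only explorer.exe, and the SafeBoot AlternateShell is cmd.exe, so any deviation is worth a look even when the file names do not match this worm's pattern.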

Symptoms

The worm deletes registry values whose names contain the following strings. Several of these (Tok-Cirrhatus, Bron-Spizaetus) are startup entry names used by the W32/Brontok worm, so this step disables the startup entries of other Indonesian worms present on the machine.

Tok-Cirrhatus
AllMyBallance
MomentEverComes
TryingToSpeak
YourUnintended
YourUnintendes
lexplorer
dkernel
Tok-Cirrhatus-1101
Bron-Spizaetus-cgglmmrv
Bron-Spizaetus
Bron-Spizaetus-cfirltrx
ADie suka kamu
SaTRio ADie X

The worm attempts to download files from the remote site:

http://www.apasajalah.host.sk/[removed]

Method of Infection

P2P Propagation

The worm searches for directories whose names contain the following strings:

  • download
  • upload
  • share

It copies itself into these directories under the following file names, where [spaces] stands for a run of space characters inserted before the extension:

TutoriaL HAcking [spaces] .exe
Lagu - Server [spaces].scr
Data DosenKu [spaces] .exe
Titip Folder Jangan DiHapus [spaces].exe
Love Song [spaces].scr
New mp3 BaraT !!  [spaces].exe
THe Best Ungu [spaces] .scr
Blink 182 [spaces].exe
Norman virus Control 5.18  [spaces] .exe
Windows Vista setup [spaces] .scr
Gallery [spaces]  .scr
RaHasIA  [spaces] .exe

(Several names are Indonesian: "Lagu - Server" means "Song - Server", "Data DosenKu" "My Lecturer's Data", "Titip Folder Jangan DiHapus" "Folder left here, do not delete", "New mp3 BaraT" "New Western mp3", "RaHasIA" "Secret"; Ungu is an Indonesian band.)
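The padded file names are easy to spot structurally, whatever the lure text of a given variant. The following is an added example, not part of the original description: it builds a small constructed directory tree in a temporary folder and scans it for executables whose names carry two or more spaces before the extension, or whose whitespace-collapsed name matches one of the lures listed above, noting whether the file sits under a download/upload/share folder. The two-space threshold and the `.com` extension are assumptions beyond what the page states.

```python
"""Scan a directory tree for the worm's P2P lure files: executables whose names are
padded with runs of spaces ahead of the extension, especially under folders whose
names contain download/upload/share. Uses a constructed temporary tree as input."""
import os
import re
import tempfile
from typing import List, Tuple

# Lure names from the advisory with the [spaces] padding and case removed.
LURE_STEMS = {
    'tutorial hacking', 'lagu - server', 'data dosenku', 'titip folder jangan dihapus',
    'love song', 'new mp3 barat !!', 'the best ungu', 'blink 182',
    'norman virus control 5.18', 'windows vista setup', 'gallery', 'rahasia',
}
# Two or more spaces immediately before an executable extension (assumed threshold).
PADDED_RE = re.compile(r'\s{2,}\.(exe|scr|com)$', re.IGNORECASE)
SHARE_DIR_RE = re.compile(r'download|upload|share', re.IGNORECASE)


def classify(name: str) -> List[str]:
    """Reasons a bare file name looks like one of the worm's lures (empty = clean)."""
    reasons = []
    if PADDED_RE.search(name):
        reasons.append('whitespace-padded executable name')
    stem = re.sub(r'\s+', ' ', os.path.splitext(name)[0]).strip().lower()
    if stem in LURE_STEMS:
        reasons.append('file name matches a known lure')
    return reasons


def scan_tree(root: str) -> List[Tuple[str, List[str], bool]]:
    """Walk `root`; return (path, reasons, in_share_dir) for every suspicious file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        in_share = any(SHARE_DIR_RE.search(part) for part in rel.split(os.sep) if part != '.')
        for name in files:
            reasons = classify(name)
            if reasons:
                hits.append((os.path.join(dirpath, name), reasons, in_share))
    return hits


def build_sample_tree() -> str:
    """Create a constructed directory layout in a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix='moonlight_demo_')
    layout = {
        'Shared': ['Love Song          .scr', 'holiday.jpg'],
        'Downloads': ['Blink 182      .exe', 'setup.exe'],
        'Documents': ['report.docx', 'RaHasIA  notes.exe'],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), 'wb') as fh:
                fh.write(b'MZ')  # placeholder content; only the names matter here
    return root


if __name__ == '__main__':
    for path, reasons, in_share in scan_tree(build_sample_tree()):
        where = 'share folder' if in_share else 'other folder'
        print(f'{path!r} ({where}): {", ".join(reasons)}')
```

A plain `setup.exe` in a download folder is not reported on its own; the name structure is what separates these lures from ordinary downloads, and the share-folder flag is context for prioritising, not a trigger by itself.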

Mail Propagation

The worm arrives in an email message as follows:

Subject: (Taken from the following list)

Tolong Aku..
Tolong
hi please see this file
hey Indonesian porn Tiara lestari pic's
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs

(The Indonesian subjects translate as: "Tolong Aku.." = "Help me..", "Tolong" = "Help", "Cek This" = "Check this".)

From: (Taken from the following list)

B4bb1cool
mansonisme
Yoseph2000
12050075
CoolMan
BabbyBear
Jagung-Bakar
MooNLight
Rita
sasUK3
Davis
Titta
Anata
Emily
HellSpawn
Fria
admin
SaZZA
BInaSarana
Shit
JuwitaNingrum
HackersMinds
telkom
astaga
boleh
PLASA
indo
warung
gaul

Body: (Taken from the following list)

free screen saver romance for you.
Please Visit Our Web Site
http://www.moonLight.com
please read again what i have written to you
thank's for you register your acount details are attached
Aku Mencari Wanita yang aku Cintai
dan cara menggunakan email mass
ini adalah cara terakhirku ,di lampiran ini terdapat
foto dan data Wanita tsb Thank's
NB:Mohon di teruskan kesahabat anda
aku mahasiswa Bsi Margonda smt 3
yah aku sedang membutuhkan pekerjaan
oh ya aku tahu anda dr milis ilmu komputer
di lampiran ini terdapat curriculum vittae dan foto saya
password lampiran 55132098
For security reasons attached file is password protected. The password is 55132098

(The Indonesian lines read roughly: "I am looking for the woman I love / and how to use mass email / this is my last resort, attached are / the photo and details of that woman, thanks / PS: please forward to your friends / I am a 3rd-semester student at BSI Margonda / well, I am currently looking for a job / oh, I know you from the ilmu komputer mailing list / attached are my curriculum vitae and photo / attachment password 55132098".)

Attachments: (Taken from the following list)
curriculum vittae.zip
USE_RAR_To_Extract.ace
jojo
file.bz2
thisfile.gz
TITTA'S Picture.jar

The mailing component harvests addresses from the local system. The worm skips any address containing the following strings (among them security vendors, webmail providers and list servers):

microsoft
dengines
sensasi
bront
filewalker
OfficeSystem
www.
virus
suport
MoonMail
yoursite
yourdomain
yyyy
yahoogroup
norman
norton
panda
mcafee
Syman
sophos
Trend
vaksin
novell
Friendster
yahoo
gmail
login
bank
hotmail

Finally the worm sends itself via SMTP, constructing messages with its own SMTP engine. It guesses the recipient's mail server by prepending the following labels to the recipient's domain name:

smtp.
mail.
ns1.
mx1.
mail1.
mxs.
relay.
gate.
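The mail-server guessing above leaves a distinctive trace in outbound connection logs. The following is an added example, not code from the advisory: it reads a constructed key=value firewall log (invented hosts and addresses), keeps only port 25 connections whose destination name starts with one of the listed prefixes, and reports any source that reaches guessed servers in three or more distinct domains within a five-minute window. Denied connections are counted as well, since most of the worm's guesses fail.

```python
"""Flag hosts behaving like a mass mailer with its own SMTP engine, from outbound
connection logs. A workstation normally talks SMTP to one configured relay; a worm
that guesses the recipient's server as smtp.<domain>, mail.<domain>, ... fans out
to port 25 across many domains within seconds, and blocked attempts count too."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Host-name labels the advisory says the worm prepends to the target domain.
GUESS_PREFIXES = ('smtp.', 'mail.', 'ns1.', 'mx1.', 'mail1.', 'mxs.', 'relay.', 'gate.')

# Constructed sample firewall log (key=value style); not from a real incident.
SAMPLE_LOG = """\
2006-05-08T10:00:01 src=10.0.0.5 dst=mail.corp.example proto=tcp dport=25 action=allow
2006-05-08T10:00:02 src=10.0.0.7 dst=smtp.example.net proto=tcp dport=25 action=allow
2006-05-08T10:00:02 src=10.0.0.7 dst=mail.example.net proto=tcp dport=25 action=deny
2006-05-08T10:00:03 src=10.0.0.7 dst=mx1.example.org proto=tcp dport=25 action=allow
2006-05-08T10:00:03 src=10.0.0.7 dst=relay.example.org proto=tcp dport=25 action=deny
2006-05-08T10:00:04 src=10.0.0.7 dst=gate.example.com proto=tcp dport=25 action=deny
2006-05-08T10:00:04 src=10.0.0.7 dst=www.example.com proto=tcp dport=80 action=allow
2006-05-08T10:00:05 src=10.0.0.7 dst=smtp.example.co.id proto=tcp dport=25 action=allow
2006-05-08T10:30:00 src=10.0.0.5 dst=mail.corp.example proto=tcp dport=25 action=allow
"""

LOG_RE = re.compile(r'^(\S+) src=(\S+) dst=(\S+) proto=\S+ dport=(\d+)')

Event = Tuple[datetime, str, str, int]  # (time, source, destination host, dest port)


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, src, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst.lower(), int(dport)))
    return events


def guessed_domain(host: str) -> Optional[str]:
    """Return the domain the worm would have been targeting, or None if the host
    name does not start with one of its guess labels."""
    for prefix in GUESS_PREFIXES:
        if host.startswith(prefix):
            return host[len(prefix):]
    return None


def find_mass_mailers(events: List[Event], window: timedelta = timedelta(minutes=5),
                      min_domains: int = 3) -> Dict[str, int]:
    """Map source -> largest number of distinct guessed target domains contacted on
    port 25 inside any `window`, for sources reaching at least `min_domains`."""
    per_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in events:
        domain = guessed_domain(dst) if dport == 25 else None
        if domain:
            per_src[src].append((ts, domain))
    suspects = {}
    for src, hits in per_src.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):        # sliding window over time-ordered hits
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in hits[lo:hi + 1]}))
        if best >= min_domains:
            suspects[src] = best
    return suspects


if __name__ == '__main__':
    for src, n in find_mass_mailers(parse_log(SAMPLE_LOG)).items():
        print(f'{src}: contacted guessed mail servers in {n} distinct domains')
```

In the sample, 10.0.0.5 talks only to its one relay and is ignored, while 10.0.0.7 touches four domains in four seconds. Exempt your real mail gateways from this check, since they legitimately connect to many domains on port 25.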

Floppy Propagation

A copy of the worm is saved to the A: drive.

Removal

All Users:
Use the current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).

In some cases the following additional steps need to be taken.

Use the Microsoft Recovery Console to restore a clean Master Boot Record (MBR).

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Remove the CD from the drive and restart the computer.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow the on-screen instructions.
  • Remove the CD from the drive and restart the computer.
