Description
Win32.HLLM.Lorraine is a mass-mailing worm that affects computers running Windows 95/98/Me/NT/2000/XP. The worm's program module is written in Borland Delphi and packed with UPX; its packed size is 180736 bytes. The worm spreads via e-mail, ICQ and file-sharing networks such as Edonkey2000, Gnucleus, Grokster, KaZaA, KaZaA Lite, Limewire and Morpheus.
Launching
To secure automatic execution at every Windows startup, the worm adds the value
Lorraine = "%WinSys\Lorraine.exe"
to the registry entry
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Spreading
Propagation via e-mail
The worm sends itself by e-mail to all the addressees found in the Contact list of MSN Messenger. The subjects and the message bodies, composed in Spanish, are chosen from the lists stored in the worm's body. A mail message infected with Win32.HLLM.Lorraine may look, for example, as follows:
From: lorena@hotmail.com
Subject: Te Amo
Message: Averigua por que.....
Attachment: porqueteamo.pif

Subject: RE: Test de idiots
Message: Compruebe si usted es un verdadero idiota.
Attachment: test-idiota.pif

Subject: Kamasutra
Message: Kamasutra el arte del sexo
Attachment: kamasutra.pif

From: support@hotmail.com
Subject: Su cuenta de hotmail sera eliminada
Message: Estimado usuario de hotmail,debido al trafico en el servidor y a las fallas
que se han venido presentando en este presente mes,hemos de informarle que su
cuenta será removida de nuestra base de datos en menos de 24 horas, le rogamos por
favor lea el adjunto con los pasos para evitar que esto suceda. Atentamente el Equipo
tecnico de Hotmail.
Attachment: hotmail.pif

From: Anti-Spam@campaña.com
Subject: SPAM La proxima gran epidemia
Message: El Spam esta avanzando constantemente y a logrado saturar nuestros
correos electronicostal vez sea el principio de una epidemia mundial de esta peste que
nos tiene cansados de la publicidad.
Attachment: No-Spam.exe
The attachments may bear one of the following names:
amigos.pif amigototote.pif amor-por-ti.pif antiwinlogon.pif antrox.scr BigBrother.pif bugmsn.pif chistesgraficos.pif chupamelo.pif comotegustan.pif CracksPPZ.pif cristina-aguilera.pif defaced-madonna-site.pif eggbrother.exe EICAX.COM existeee.pif financiamiento.pif GEDZAC.PIF grancarnal.exe grande.pif hackeahotmail.pif historial.pif hotmail.pif kamasutra.pif lacosha@hotmail.com LatinCard.pif linuxandmicrosoft.pif Lorenaaaa.pif Madonna_sEXY.pif MariaVirgen.pif Matrix-Trailer.pif mujeres.pif Musica.pif No-Spam.exe nuevovirus.txt .pif Oradores.pif osamabinhuevoback.exe parejaideal.txt.pif petardas.pif porqueteamo.pif projimo.pif relacionsexual.pif resetarios.pif SARS.pif seguridad_en_hotmail.pif serhacker.pif Shakira.pif solo-a-ti.pif Spamno.pif teamo.exe te-pido.scr test-idiota.pif testpasion.pif thalialoca.pif TutorialVBSvirus.pif WindowsMediaPlayerBug.pif www.mfernanda.com www.vsantiviru.com www.zonaviru.com zorrotttas.pif
Propagation via file-sharing networks
The worm is capable of spreading through peer-to-peer networks such as Edonkey2000, Gnucleus, Grokster, KaZaA, KaZaA Lite, Limewire and Morpheus, for which it copies itself to the following shareable directories of these networks
\edonkey2000\incoming\
\gnucleus\downloads\
\Grokster\My Grokster\
\icq\shared files\
\KaZaA\My Shared Folder\
\kazaa lite\my shared folders\
\limewire\shared\
\morpheus\my shared folder\
under the following names followed by double extension gif.exe
Sexy Bikini .gif .exe, Sexo en la playa con .gif .exe, las pelotas de .gif .exe, Desnuda en la playa .gif .exe, Nude Pic .gif .exe, Sexy Beach .gif .exe, Galilea Montijo.gif .exe, Shakira.gif .exe, Britney Spears.gif .exe, Lorena.gif .exe, Halle berry.gif .exe, Cameron dias.gif .exe, Pink.gif .exe, Thalia.gif .exe, Paulina Rubio.gif .exe, Francini.gif .exe, Brenda.gif .exe, Celine Dion.gif .exe, Kylie Minogue.gif .exe, Laura Pausini.gif .exe, Lili Brillanti.gif .exe, Angelica Vale.gif .exe, Alejandra Guzman.gif .exe
or in the form of files with single .exe extension
Ad-aware Adobe Acrobat Reader (32-bit) AOL Instant Messenger (AIM) Biromsoft WebCam Copernic Agent crack all versions Cracked Delphi 6 Diet Kaza DirectDVD DivX Video Bundle Download Accelerator Plus FireWorks 4 FIreWorks MX Full version Global DiVX Player Grokster ICQ Lite ICQ Pro 2003a beta iMesh JetAudio Basic Kaspersky Antivirus Kazaa Download Accelerator Kazaa Media Desktop KeyGen Matrix Movie McAfee Antivirus Microsoft Internet Explorer Microsoft Office XP Microsoft Windows 2003 Microsoft Windows Media Player Morpheus msn hack MSN Messenger (Windows NT/2000) Nero Burning ROM NetPumper Network Cable e ADSL Speed Norton Antivirus Office 2003 Panda Antivirus PerAntivirus Pop-Up Stopper QuickTime RealOne Free Player Registry Mechanic SnagIt SolSuite 2003: Solitaire Card Games Suite Spybot - Search & Destroy Trillian Virtual Girl Sofía Visual Studio Net Winamp WinMX WinRAR WinZip WS_FTP LE (32-bit) XoloX Ultra ZoneAlarm
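The naming tricks listed above (directly executable extensions, a decoy extension padded with a space before the real one, program names shaped like web or mail addresses, and copies placed in P2P share folders) can be checked mechanically on a mail gateway or during a file sweep. The following Python sketch is an added example and is not part of the original description; the function name classify, the reason labels and the sample paths are constructed for illustration.

```python
import re

EXEC_EXT = {"exe", "pif", "scr", "com"}   # executable extensions seen in the lists above
DECOY_EXT = {"gif", "txt"}                # harmless-looking first extension
SHARE_DIRS = (                            # share folders named in the description
    "\\edonkey2000\\incoming\\", "\\gnucleus\\downloads\\",
    "\\grokster\\my grokster\\", "\\icq\\shared files\\",
    "\\kazaa\\my shared folder\\", "\\kazaa lite\\my shared folders\\",
    "\\limewire\\shared\\", "\\morpheus\\my shared folder\\",
)
# "<name>.<decoy><optional spaces>.<real extension>" at the end of the name
DOUBLE_EXT = re.compile(r"\.(\w{1,4})\s*\.(\w{1,4})$")
# A .com program named like a web site or a mailbox
LOOKALIKE = re.compile(r"^(www\.[\w-]+|[\w.-]+@[\w-]+)\.com$", re.IGNORECASE)


def classify(path):
    """Return the reasons a file name or full Windows path looks suspicious."""
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    name = name.strip()
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    if ext not in EXEC_EXT:
        return []                         # not directly executable: nothing to flag
    reasons = ["executable-extension"]
    m = DOUBLE_EXT.search(name)
    if m and m.group(1).lower() in DECOY_EXT:
        reasons.append("double-extension")
    if LOOKALIKE.match(name):
        reasons.append("url-or-address-lookalike")
    low = "\\" + folder.lower().strip("\\") + "\\"
    if any(d in low for d in SHARE_DIRS):
        reasons.append("p2p-share-folder")
    return reasons


# Constructed sample input: names taken from the lists above plus one benign file.
SAMPLES = [
    "Shakira.gif .exe",
    "nuevovirus.txt .pif",
    "www.zonaviru.com",
    r"C:\Program Files\KaZaA\My Shared Folder\Winamp.exe",
    "holiday.gif",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r}: {classify(sample) or 'clean'}")
```

The result is a list of reasons rather than a verdict: a lone "executable-extension" hit is common for legitimate files, while a combination of reasons is what warrants quarantine or closer inspection.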
Action
When run, the worm drops several files to the infected system
In July the worm displays false error messages.