According to analysis, this worm contains a large number of encrypted text strings and copies itself under a random name into the directory C:\Recycler or C:\Recycled, hence the name "Trash Can" or "Recycle Bin" virus. It modifies HKCU\exefile\shell\open\command in the registry so that the worm runs automatically whenever any executable file is launched. If it is run from MSTASKMON.EXE, it also modifies the autorun entry in win.ini. The following is a screenshot taken when it triggers:
This virus has two versions, described separately below:
I-Worm.Lentin, aka Yaha: technical characteristics
A worm that spreads via attachments of infected e-mails. It is a Windows PE EXE file of about 21K (packed with UPX; unpacked size about 72K), written in Microsoft Visual C++. Infected messages carry the attachment "valentin.scr" (the worm file); the subject and body are chosen from one of two variants:
Subject 1:
Melt the Heart of your Valentine with this beautiful Screen saver
Body 1:
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message. *********************************************************** Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to:
http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
The second variant looks like a forward of the first:
Subject 2:
Fw: Melt the Heart of your Valentine with this beautiful Screen saver
Body 2:
Hi
Check this screen saver
Happy Valentines day
See u
----- Original Message -----
From: "Screen Saver"
To:
Sent: Friday, February 11, 2002 8:38 PM
Subject: Melt the Heart of your Valentine with this beautiful Screen saver
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Melt the Heart of your loved ones with these beautiful Screen saver from www.screensaverin.com
* To remove yourself from this mailing list, point your browser to:
http://screensaverin.com/remove?freescreensaver
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
OR...
* Reply to this message with the word "remove" in the subjt line.
This message was sent to address %EmailAddress%
X-PMG-Recipient:
%EmailAddress% stands for an e-mail address.
The worm activates only when the user runs the infected file. It then installs itself in the system and starts its spreading routine.
Installation
During installation the worm copies itself to C:\RECYCLED under the names SMDM.EXE and MSSCRA.EXE and registers the first file in the system registry key HKCR\exefile\shell\open\command as: c:\recycled\msmdm.exe %1 %*. It then displays several lines of "Ur My Valentine.." and randomly changes the size of desktop windows.
In some cases the worm also displays an error message:
Config
No Configuration is availabile Now
Enjoy !!!
Spreading via e-mail
The worm reads addresses from the WAB (Windows Address Book), MSN and .NET Messenger, and also searches for *.HT files, scans them and picks out the lines that are e-mail addresses. All addresses are saved in "screendback.dll" and "www.dll", two files the worm creates in the Windows directory. To send infected messages it connects directly to an SMTP server.
Other version
Lentin.g, aka Yaha.e: technical characteristics
About 27K in size (UPX-packed). Because random data is appended at the end, the file length varies. The worm contains a large number of encrypted text strings.
Installation
The worm copies itself under a random name into C:\Recycler or C:\Recycled. It then modifies HKCU\exefile\shell\open\command in the registry so that the worm starts whenever any executable file is run. If the worm is launched from MSTASKMON.EXE, it modifies the autorun entry in win.ini.
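As an added defensive check, not part of the original description, the following Python snippet evaluates the two persistence indicators described for both variants: a non-default exefile\shell\open\command handler, and win.ini run=/load= entries pointing into C:\Recycled or C:\Recycler. The sample win.ini text and the file name in it are constructed, and the registry command is taken from a string rather than the live registry so the check runs offline.

```python
import re
import configparser
from pathlib import PureWindowsPath

# Stock value of exefile\shell\open\command on a clean Windows system.
DEFAULT_EXEFILE_OPEN = '"%1" %*'
# Directories the description says the worm copies itself into.
WORM_DIRS = {"c:\\recycled", "c:\\recycler"}

# Constructed sample win.ini (not an observed artifact): the run= line
# models the autorun entry the worm adds when launched from MSTASKMON.EXE.
SAMPLE_WIN_INI = """[windows]
load=
run=c:\\recycled\\kx1p0.exe
[fonts]
"""

def exefile_handler_hijacked(command: str) -> bool:
    """Return True if the exefile open handler is not the stock '"%1" %*'.

    The worm rewrites it to '<worm path> %1 %*' so it runs before any
    executable the user launches and then passes control to the target.
    """
    normalized = re.sub(r"\s+", " ", command.strip())
    return normalized != DEFAULT_EXEFILE_OPEN

def path_in_worm_dir(path: str) -> bool:
    """Return True if the file sits directly under C:\\Recycled or C:\\Recycler."""
    parent = str(PureWindowsPath(path.strip('"')).parent).lower()
    return parent in WORM_DIRS

def suspicious_win_ini_entries(win_ini_text: str) -> list:
    """Return (key, entry) pairs from [windows] run=/load= that point into worm dirs."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(win_ini_text)
    hits = []
    if cp.has_section("windows"):
        for key in ("run", "load"):
            value = cp.get("windows", key, fallback="") or ""
            for entry in value.split(","):
                entry = entry.strip()
                if entry and path_in_worm_dir(entry.split()[0]):
                    hits.append((key, entry))
    return hits

if __name__ == "__main__":
    print("handler hijacked:", exefile_handler_hijacked("c:\\recycled\\msmdm.exe %1 %*"))
    print("win.ini hits:", suspicious_win_ini_entries(SAMPLE_WIN_INI))
```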
Spreading via e-mail
The subject of the sent message contains one of the lines below, or a combination of several of them, with or without a leading "Fw:":
searching for true Love
you care ur friend
Who is ur Best Friend
make ur friend happy
True Love
Dont wait for long time
Free Screen saver
Friendship Screen saver
Looking for Friendship
Need a friend?
Find a good friend
Best Friends
I am For u
Life for enjoyment
Nothink to worryy
Ur My Best Friend
Say 'I Like You' To ur friend
Easy Way to revel ur love
Wowwwwwwwwwww check it
Send This to everybody u like
Enjoy Romantic life
Let's Dance and forget pains
war Againest Loneliness
How sweet this Screen saver
Let's Laugh
One Way to Love
Learn How To Love
Are you looking for Love
love speaks from the heart
Enjoy friendship
Shake it baby
Shake ur friends
One Hackers Love
Origin of Friendship
The world of lovers
The world of Friendship
Check ur friends Circle
Friendship
how are you
U r the person?
U realy Want this
Romantic
humour
NewWonderfool
excite
Cool
charming
Idiot
Nice
Bullsh*t
One
Funny Great
LoveGangs
Shaking
powful
Joke
Interesting
Screensaver
Friendship
Love
relations
stuff
to ur friends
to ur lovers
for you
to see
to check
to watch
to enjoy
to share
:-)
!
!!
The body may contain:
Check the attachment
See the attachement
Enjoy the attachement
More details attached
Hi Check the Attachement .. See u
Hi Check the Attachement ..
Attached one Gift for u..
wOW CHECK THIS
This may be followed by a fake undeliverable-message report or a fake screensaver subscription message. When the worm sends a fake bounce message, it looks like this:
This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: %EmailAddress%
For further assistance, please contact %EmailAddress% If you do so, please include this problem report. You can delete your own text from the message returned below.
Copy of your message, including all the headers is attached
This is followed by an EML attachment with a random name that contains a sample of the worm and usually an IFrame exploit, so that the attachment runs automatically on unpatched e-mail clients.
When the worm spreads with a fake screensaver subscription message, it looks like this:
This e-mail is never sent unsolicited. If you need to unsubscribe, follow the instructions at the bottom of the message.
***********************************************************
Enjoy this friendship Screen Saver and Check ur friends circle...
Send this screensaver from <generated URL> to everyone you consider a FRIEND, even if it means sending it back to the person who sent it to you. If it comes back to you, then you'll know you have a circle of friends.
* To remove yourself from this mailing list, point your browser to: <generated URL>
* Enter your email address (%EmailAddress%) in the field provided and click "Unsubscribe".
* Reply to this message with the word "REMOVE" in the subject line.
This message was sent to address %EmailAddress%
X-PMG-Recipient: %EmailAddress%
%EmailAddress% stands for an e-mail address.