W32/Lanet@MM
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 03/31/2003
- Length: 8,224
- Minimum DAT: 4255 (04/02/2003)
- Updated DAT: 4255 (04/02/2003)
- Minimum Engine: 5.1.00
- Description Added: 03/31/2003
- Description Modified: 04/14/2003 1:51 PM (PT)
Characteristics
This is a mass-mailing worm. It sends SMTP mail using its own SMTP engine. It can also propagate via the KaZaA peer-to-peer network. With heuristic scanning enabled, DATs earlier than 4255 detected the worm as "virus or variant New Worm".
The worm arrives in an email message with the following information:
Subject: Hi, I sent you an eCard from BlueMountain.com
Body: To view your eCard, open the attachment. ...
Attachment: BlueMountaineCard.pif
The following is a screen capture of such email:
The attachment BlueMountaineCard.pif is the worm itself.
When run, the worm copies itself to the Windows system directory as wuauqmr.exe. It creates the directory c:\windows\system\jdfghtrg and copies itself there under the following file names:
- ACDSee 5.5.exe
- Ad-aware 6.5.exe
- Age of Empires 2 crack.exe
- aim cracker.exe steal usernames.exe
- aim password cracker aol cracker.exe
- Animated Screen 7.0b.exe
- Anno 1503_crack.exe
- AOL Instant Messenger.exe
- aol password cracker.exe
- AquaNox2 Crack.exe
- Audiograbber 2.05.exe
- AVP_Crack.exe
- BabeFest 2003 ScreenSaver 1.5.exe
- Babylon 3.50b reg_crack.exe
- Battlefield1942_bloodpatch.exe
- Battlefield1942_keygen.exe
- BitDefender.KeyGen.exe
- Borland KeyGens.exe
- Business Card Designer Plus 7.9.exe
- C&C Generals_crack.exe
- C&C Renegade_crack.exe
- Clone CD 5.0.0.3 (crack).exe
- Clone CD 5.0.0.3.exe
- Coffee Cup Free HTML 7.0b.exe
- Cool Edit Pro v2.55.exe
- Crack McAfee 7.exe
- Crack Norton 3000.exe
- Diablo 2 Crack.exe
- DirectDVD 5.0.exe
- DirectX Buster (all versions).exe
- DirectX InfoTool.exe
- DivX 5.03 Codecs.exe
- divx pro.exe
- DivX Video Bundle 6.5.exe
- Download accelarator.exe
- Download Accelerator Plus 6.1.exe
- driver.exe
- DVD Copy Plus v5.0.exe
- DVD Region-Free 2.3.exe
- FIFA2003 crack.exe
- Final Fantasy VII XP Patch 1.5.exe
- Flash MX crack (trial).exe
- FlashGet 1.5.exe
- FreeRAM XP Pro 1.9.exe
- GetRight 5.0a.exe
- Global DiVX Player 3.0.exe
- Gothic 2 licence.exe
- GTA 3 Crack.exe
- GTA 3 patch (no cd).exe
- GTA 3 Serial.exe
- gta3.exe
- Guitar Chords Library 5.5.exe
- HackNTTools.zip .exe
- Hitman_2_no_cd_crack.exe
- Hot Babes XXX Screen Saver.exe
- hotgirls.exe
- how to hack.exe
- how to use a shell.pif
- ICQ Lite (new).exe
- ICQ Pro 2003a.exe
- ICQ Pro 2003b (new beta).exe
- iMesh 3.6.exe
- iMesh 3.7b (beta).exe
- IrfanView 4.5.exe
- KaZaA Hack 2.5.0.exe
- KaZaA Lite (New).exe
- KaZaA Speedup 3.6.exe
- Links 2003 Golf game (crack).exe
- Living Waterfalls 1.3.exe
- Mafia_crack.exe
- Matrix Screensaver 1.5.src
- MediaPlayer Update.exe
- mIRC 6.40.exe
- MP3 encoder_decoderV1.8.exe
- mp3Trim PRO 2.5.exe
- MSN Messenger 5.2.exe
- NBA2003_crack.exe
- Need 4 Speed crack.exe
- Nero Burning ROM crack.exe
- Netfast 1.8.exe
- Network Cable e ADSL Speed 2.0.5.exe
- Neverwinter_Nights_licence.exe
- NHL 2003 crack.exe
- Nimo CodecPack (new) 8.0.exe
- Nod32Crack.exe
- PaintShop Pro 7 Crack_By_Force.exe
- PalTalk 5.01b.exe
- PANDA.AVers.lusers.exe
- PANDA.lusers.exe
- play station emulator crack.exe
- play station emulator.exe
- Popup Defender 6.5.exe
- Pop-Up Stopper 3.5.exe
- porn.exe
- QuickTime_Pro_Crack.exe
- Serials 2003 v.8.0 Full.exe
- SM.exe
- SmartFTP 2.0.0.exe
- SmartRipper v2.7.exe
- SMS_sender.exe
- SophosCrackAllVersion.exe
- Space Invaders 1978.exe
- Splinter_Cell_Crack.exe
- Steinberg_WaveLab_5_crack.exe
- Trillian 0.85 (free).exe
- TweakAll 3.8.exe
- Unreal2_bloodpatch.exe
- Unreal2_crack.exe
- UT2003_bloodpatch.exe
- UT2003_keygen.exe
- UT2003_no cd (crack).exe
- UT2003_patch.exe
- virtua girl - adriana.pif virtua girl - bailey short skirt.pif
- Virtua Girl (Full).exe
- warcraft 3 crack.exe 100 free essays school.pif
- warcraft 3 serials.pif
- WarCraft_3_crack.exe
- Winamp 3.8.exe
- WindowBlinds 4.0.exe
- WinOnCD 4 PE_crack.exe
- WinZip 9.0b.exe
- worldbook.exe
- Yahoo Messenger 6.0.exe
- Zelda Classic 2.00.exe
- ZoneAlarm Pro KeyGen.exe
- zoneallarm_pro_crack.exe
It adds the following registry values. The Run and Runonce entries start the worm at Windows startup; the LocalContent entry points KaZaA at the directory of copies created above:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"NvCpTDaemon" = wuauqmr.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
"NvCpTDaemon" = wuauqmr.exe
- HKEY_CURRENT_USER\Software\KAZAA\LocalContent
"Dir0" = C:\WINDOWS\SYSTEM\jdfghtrg\
The worm connects to a list of SMTP servers to send mail. The recipient names appear to be generated. The sender names are common names such as Kaylee, Sandra, Sandy Michel, Peter, etc.
Symptoms
Existence of the files and registry keys mentioned above.
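The symptom check above can be scripted. The following read-only PowerShell sketch is an added example, not part of the original description or any vendor tool; it assumes the "Windows system directory" is either %windir%\system or %windir%\system32, and that the Length field (8,224) is the size in bytes of each worm copy.

```powershell
# Added example: read-only check for the W32/Lanet@MM artifacts listed on this page.
# Assumptions: system directory is %windir%\system or %windir%\system32;
# the Length value 8,224 is the worm's file size in bytes.
$findings = @()
$winDir   = $env:windir

# 1. The worm's own copy in the Windows system directory
foreach ($sub in 'system', 'system32') {
    $exe = Join-Path $winDir "$sub\wuauqmr.exe"
    if (Test-Path -LiteralPath $exe -PathType Leaf) {
        $findings += "File: $exe exists"
    }
}

# 2. The directory of lure copies shared through KaZaA
$shareDir = Join-Path $winDir 'system\jdfghtrg'
if (Test-Path -LiteralPath $shareDir -PathType Container) {
    $copies = @(Get-ChildItem -LiteralPath $shareDir |
                Where-Object { -not $_.PSIsContainer -and $_.Length -eq 8224 })
    $findings += "Directory: $shareDir exists ($($copies.Count) files of 8224 bytes)"
}

# 3. Registry values (HKCU, so this covers only the logged-on user's hive)
$checks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';     Name = 'NvCpTDaemon'; Match = 'wuauqmr.exe' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Runonce'; Name = 'NvCpTDaemon'; Match = 'wuauqmr.exe' },
    @{ Key = 'HKCU:\Software\KAZAA\LocalContent';                       Name = 'Dir0';        Match = 'jdfghtrg' }
)
foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # key or value not present
    $value = [string]$item.($c.Name)
    if ($value -like "*$($c.Match)*") {
        $findings += "Registry: $($c.Key)\$($c.Name) = $value"
    }
}

if ($findings.Count -eq 0) {
    'No artifacts from this description were found for the current user.'
} else {
    $findings
}
```

Because the registry values live under HKEY_CURRENT_USER, the script has to be run in each user's session (or against each loaded user hive) to cover a multi-user machine.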
Method of Infection
The worm propagates via email and the KaZaA peer-to-peer network.
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32/BlueECard@MM