W32/Mapson@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 06/07/2003
Length: 180,736 bytes
Minimum DAT: 4271 (06/11/2003)
Updated DAT: 4271 (06/11/2003)
Minimum Engine: 5.1.00
Description Added: 06/07/2003
Description Modified: 06/11/2003 11:57 AM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This worm attempts to spread via email, ICQ, and the following peer-to-peer file sharing applications:

  • eDonkey2000
  • Gnucleus
  • Grokster
  • KaZaa
  • KaZaa Lite
  • Limewire
  • Morpheus
It may be received as an email message attachment with one of the following attachment names:
  • amigos.pif
  • amigototote.pif
  • amor-por-ti.pif
  • BigBrother.pif
  • bugmsn.pif
  • chistesgraficos.pif
  • chupamelo.pif
  • comotegustan.pif
  • CracksPPZ.pif
  • cristina-aguilera.pif
  • defaced-madonna-site.pif
  • eggbrother.exe
  • EICAX.COM
  • existeee.pif
  • financiamiento.pif
  • friends.pif
  • GEDZAC.PIF
  • grancarnal.exe
  • grande.pif
  • hackeahotmail.pif
  • historial.pif
  • hotmail.pif
  • kamasutra.pif
  • LatinCard.pif
  • linuxandmicrosoft.pif
  • Lorenaaaa.pif
  • Madonna_sEXY.pif
  • mamalo.pif
  • MariaVirgen.pif
  • Matrix-Trailer.pif
  • Música.pif
  • No-Spam.exe
  • nuevovirus.txt       .pif
  • Oradores.pif
  • osamabinhuevoback.exe
  • parejaideal.txt.pif
  • petardas.pif
  • porqueteamo.pif
  • projimo.pif
  • relacionsexual.pif
  • resetarios.pif
  • SARS.pif
  • seguridad_en_hotmail.pif
  • serhacker.pif
  • Shakira.pif
  • sindolor.pif
  • solo-a-ti.pif
  • Spamno.pif
  • teamo.exe
  • te-pido.scr
  • test-idiota.pif
  • testpasion.pif
  • thalialoca.pif
  • TutorialVBSvirus.pif
  • WindowsMediaPlayerBug.pif
  • www.mfernanda.com
  • www.vsantiviru.com
  • www.zonaviru.com
  • zorrotttas.pif
Peer-To-Peer propagation filenames include the following names, followed by .gif.exe:
  • Alejandra Guzman
  • Angelica Vale
  • Brenda
  • Britney Spears
  • Cameron dias
  • Celine Dion
  • Desnuda en la playa
  • Francini
  • Galilea Montijo
  • Halle berry
  • Kylie Minogue
  • las pelotas de
  • Laura Pausini
  • Lili Brillanti
  • Lorena
  • Nude Pic
  • Paulina Rubio
  • Pink
  • Sexo en la playa con
  • Sexy Beach
  • Shakira
  • Thalia
As well as the following names, followed by .exe:
  • Ad-aware
  • Adobe Acrobat Reader (32-bit)
  • AOL Instant Messenger (AIM)
  • Biromsoft WebCam
  • Copernic Agent
  • crack all versions
  • Cracked
  • Delphi 6
  • Diet Kaza
  • DirectDVD
  • DivX Video Bundle
  • Download Accelerator Plus
  • FireWorks 4
  • FIreWorks MX
  • Full version
  • Global DiVX Player
  • Grokster
  • ICQ Lite
  • ICQ Pro 2003a beta
  • iMesh
  • JetAudio Basic
  • Kaspersky Antivirus
  • Kazaa Download Accelerator
  • Kazaa Media Desktop
  • KeyGen
  • Matrix Movie
  • McAfee Antivirus
  • Microsoft Internet Explorer
  • Microsoft Office XP
  • Microsoft Windows 2003
  • Microsoft Windows Media Player
  • Morpheus
  • msn hack
  • MSN Messenger (Windows NT/2000)
  • Nero Burning ROM
  • NetPumper
  • Network Cable e ADSL Speed
  • Norton Antivirus
  • Office 2003
  • Panda Antivirus
  • PerAntivirus
  • Pop-Up Stopper
  • QuickTime
  • RealOne Free Player
  • Registry Mechanic
  • SnagIt
  • SolSuite 2003: Solitaire Card Games Suite
  • Spybot - Search & Destroy
  • Trillian
  • Virtual Girl Sofía
  • Visual Studio Net
  • Winamp
  • WinMX
  • WinRAR
  • WinZip
  • WS_FTP LE (32-bit)
  • XoloX Ultra
  • ZoneAlarm
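
The naming tricks in the lists above (a decoy extension before the real one, whitespace padding that pushes the real extension out of view, and .COM executables named like web sites) can be checked mechanically at a mail gateway or on a shared folder. The following is an added example, not part of the original description; the function name, reason labels and the extra decoy extensions are assumptions, and it generalizes beyond the exact names listed.

```python
# Executable extensions used by the attachment and P2P names on this page.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com"}
# Decoy extensions: "txt" and "gif" appear on the page; the rest are assumed extras.
DECOY_EXTS = {"txt", "gif", "jpg", "doc", "pdf"}


def classify_attachment(name):
    """Return sorted reasons a filename looks like a (disguised) executable."""
    base, dot, ext = name.strip().rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return []
    reasons = {"executable-extension"}
    inner = base.rstrip()
    if inner != base:
        # e.g. "nuevovirus.txt       .pif": padding hides the real extension
        reasons.add("padded-extension")
    _, inner_dot, decoy = inner.rpartition(".")
    if inner_dot and decoy.lower() in DECOY_EXTS:
        # e.g. "parejaideal.txt.pif" or "<name>.gif.exe"
        reasons.add("double-extension")
    if ext.lower() == "com" and inner.lower().startswith("www."):
        # e.g. "www.zonaviru.com": a DOS .COM program named like a web site
        reasons.add("url-lookalike")
    return sorted(reasons)


def scan(names):
    """Map each flagged filename to its reasons; clean names are omitted."""
    flagged = {}
    for name in names:
        reasons = classify_attachment(name)
        if reasons:
            flagged[name] = reasons
    return flagged


# Sample input: names taken from the lists above plus two constructed benign names.
SAMPLE = [
    "nuevovirus.txt       .pif",
    "parejaideal.txt.pif",
    "Shakira.gif.exe",
    "www.zonaviru.com",
    "amigos.pif",
    "quarterly-report.pdf",   # constructed, benign
    "holiday.gif",            # constructed, benign
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE).items():
        print(f"{name!r}: {', '.join(reasons)}")
```
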

Symptoms

- Presence of the aforementioned filenames in the WINDOWS SYSTEM directory (%SysDir%)
- The worm may also create the files c:\Lorraine.vxd and Lorraine.exe, and a registry run key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "SYSTEMSTART" = "Lorraine.exe"

- This worm creates an HTML file on the root of the C: drive named lorraine.hta. When accessed the following window is displayed:

Method of Infection

The worm harvests email addresses from the MSN Messenger.NET contact list. It sends itself to found recipients via HOTMAIL.COM. It copies itself to shared folders:

  • \KaZaA\My Shared Folder
  • \edonkey2000\incoming
  • \gnucleus\downloads
  • \icq\shared files
  • \kazaa lite\my shared folders\v
  • \limewire\shared
  • \morpheus\my shared folder
  • \Grokster\My Grokster

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Lorraine
  • W32.Mapson.Worm (Symantec)
