W32/Lamud.worm

Type: Virus
SubType: Internet Worm
Discovery Date: 06/26/2003
Length: 529336 Bytes
Minimum DAT: 4274 (06/30/2003)
Updated DAT: 4274 (06/30/2003)
Minimum Engine: 5.1.00
Description Added: 06/27/2003
Description Modified: 06/27/2003 8:48 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This is a new worm that spreads over open network shares. It tries to connect to computers within the local network and copies itself into their startup folders.

After execution it opens an Explorer window showing the %Windir% folder. A few seconds later it displays pornographic pictures, which it sets as the desktop wallpaper. It disables access to administrative tools such as 'REGEDIT.EXE' and to the configuration dialog of the desktop settings.


Share Propagation:

The worm uses the logon credentials of the current user to connect to machines within the local network. It searches for open shares and copies itself onto them as:

  • DOWNLOADS.EXE
  • GAMES.EXE
  • IMAGES.EXE
  • MUSIC.EXE
  • MY DOCUMENTS.EXE
  • NEW.EXE
  • PICTURES.EXE
  • PORNO.EXE
  • VIDEO.EXE
  • XXX.EXE

It also copies itself to the root of each accessible share and to the following folders, using one of the filenames listed above:

  • My Documents\     
  • Windows\
  • Windows\Desktop\
  • Windows\Start Menu\Programs\Startup\
  • Win98\
  • Win98\Desktop\
  • Win98\Start Menu\Programs\Startup\
  • Win98SE\
  • Win98SE\Desktop\
  • Win98SE\Start Menu\Programs\Startup\
  • Win95\
  • Win95\Desktop\
  • Win95\Start Menu\Programs\Startup\
  • WinNT\
  • Win2k\
  • Win2000\
  • WinXP\
  • Distr\
  • Distry\
  • Distri\
  • Distryb\
  • Distrib\
  • Documents and Settings\All Users\Desktop\
  • Documents and Settings\All Users\Start Menu\Programs\Startup\
  • Documents and Settings\All Users\Shared documents\
  • Documents and Settings\All Users\Favorites\
  • Documents and Settings\Default User\Desktop\
  • Documents and Settings\Default User\Start Menu\Programs\Startup\
  • Documents and Settings\Default User\Shared documents\
  • Documents and Settings\Default User\Favorites\
  • Inetpub\ftproot\
The file has a folder icon to fool unsuspecting users into believing it is truly a folder. (Example: screenshot of the disguised file, not reproduced here.)

Note: the files are 'only' dropped on the victim's machine; they are not executed automatically. If the worm was able to copy itself into a Startup folder, the next restart activates the worm.

When the worm is active, it drops three files into the %WINDIR% folder:

  • davcsync.exe (25.088 bytes)
  • lmdll.dll (11.264 bytes)
  • msinst26.exe (529.336 bytes)

and creates the following registry keys and values:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice "Asynchronous" Data: 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice "DLLName" Data: lmdll.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice "Impersonate" Data: 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice "Logon" Data: LoadLMDService
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice "Startup" Data: LoadLMDService
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Perfomance Monitor" Data: davcsync.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "CheckedValue" Data: 00, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "NoDispCPL" Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Control Panel\Desktop "LMDWallpaper" Data: %WINDIR%\ACD Wallpaper.bmp

It also drops a bitmap file called 'ACD Wallpaper.bmp' in the %WINDIR% folder; the picture is exchanged every few minutes.

Symptoms

  • Existence of the registry keys and files listed above.
  • Unexpected network traffic (the worm copying itself to remote shares).

Method of Infection

Once an infected file is double-clicked, the worm activates and spreads through open shares.

Removal

Use the specified Engine and DATs to remove this worm. The DATs remove the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice

key together with its values, as well as the "Perfomance Monitor" value under

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Additionally you need to delete the dropped 'ACD Wallpaper.bmp' file and restore the original desktop background picture.
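The following PowerShell script is an added example and is not McAfee's or the DATs' own removal logic. It audits a host for the artefacts listed in this description (the drop names on share roots and start-up folders from the Share Propagation section, the three files in %WINDIR%, the wallpaper bitmap, and the registry keys and values) and, with -Remediate, removes them and restores the policy values the worm changed, covering the manual steps from the Removal section. The file names, registry paths and value names (including the worm's own misspelt 'Perfomance Monitor' Run value) come from this description; the parameter name, the choice of local folders scanned and the use of Get-SmbShare to enumerate share roots are assumptions of this example.

```powershell
<#
  Added example, not McAfee's tooling: audits a Windows host for the
  W32/Lamud.worm artefacts listed in the description and, with -Remediate,
  removes them. File names, registry keys and value names come from the
  description; the parameter name, the folders scanned and the share-root
  enumeration via Get-SmbShare are this example's own assumptions.
  Run elevated; the removals honour -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

# Names the worm uses when it copies itself to share roots and start-up folders.
$WormNames = 'DOWNLOADS.EXE','GAMES.EXE','IMAGES.EXE','MUSIC.EXE','MY DOCUMENTS.EXE',
             'NEW.EXE','PICTURES.EXE','PORNO.EXE','VIDEO.EXE','XXX.EXE'

# Files dropped into %WINDIR% once the worm is active (plus the wallpaper it swaps in).
$DroppedFiles = 'davcsync.exe','lmdll.dll','msinst26.exe','ACD Wallpaper.bmp' |
    ForEach-Object { Join-Path $env:windir $_ }

# Registry artefacts. Bad = the data the worm writes ($null = any presence is suspicious);
# Restore = data to put back on remediation, or $null to delete the value outright.
$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice'
$Policies  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$RegValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Perfomance Monitor'; Bad = $null; Restore = $null }
    @{ Key = $Policies; Name = 'DisableRegistryTools'; Bad = 1; Restore = $null }
    @{ Key = $Policies; Name = 'NoDispCPL';            Bad = 1; Restore = $null }
    @{ Key = 'HKCU:\Control Panel\Desktop'; Name = 'LMDWallpaper'; Bad = $null; Restore = $null }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
       Name = 'CheckedValue'; Bad = 0; Restore = 1 }   # 1 is the stock data; the worm writes 0
)

# Returns the data of a registry value, or $null if the key or value is absent.
function Get-RegValue([string]$Key, [string]$Name) {
    try { (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Local folders where a dropped copy would land, plus the root of every share this host offers.
$ScanRoots = @($env:windir)
$ScanRoots += 'Startup','CommonStartup','Desktop','CommonDesktopDirectory','MyDocuments' |
    ForEach-Object { [Environment]::GetFolderPath($_) } | Where-Object { $_ }
if (Get-Command Get-SmbShare -ErrorAction SilentlyContinue) {
    $ScanRoots += Get-SmbShare | ForEach-Object Path | Where-Object { $_ }
}

$Findings = [System.Collections.Generic.List[object]]::new()

foreach ($root in ($ScanRoots | Sort-Object -Unique)) {
    foreach ($name in $WormNames) {
        $p = Join-Path $root $name
        if (Test-Path -LiteralPath $p -PathType Leaf) { $Findings.Add(@{ Kind = 'File'; Path = $p }) }
    }
}
foreach ($f in $DroppedFiles) {
    if (Test-Path -LiteralPath $f -PathType Leaf) { $Findings.Add(@{ Kind = 'File'; Path = $f }) }
}
if (Test-Path -LiteralPath $NotifyKey) { $Findings.Add(@{ Kind = 'Key'; Path = $NotifyKey }) }
foreach ($r in $RegValues) {
    $v = Get-RegValue $r.Key $r.Name
    if ($null -ne $v -and ($null -eq $r.Bad -or $v -eq $r.Bad)) {
        $Findings.Add(@{ Kind = 'Value'; Path = "$($r.Key) [$($r.Name)]"; Spec = $r })
    }
}

if ($Findings.Count -eq 0) { Write-Host 'No W32/Lamud.worm artefacts found.'; return }
$Findings | ForEach-Object { Write-Host ('[{0}] {1}' -f $_.Kind, $_.Path) }
if (-not $Remediate) { return }

foreach ($f in $Findings) {
    switch ($f.Kind) {
        'File' { if ($PSCmdlet.ShouldProcess($f.Path, 'Delete file')) { Remove-Item -LiteralPath $f.Path -Force } }
        'Key'  { if ($PSCmdlet.ShouldProcess($f.Path, 'Delete key'))  { Remove-Item -LiteralPath $f.Path -Recurse -Force } }
        'Value' {
            $s = $f.Spec
            if ($PSCmdlet.ShouldProcess($f.Path, 'Restore value')) {
                if ($null -eq $s.Restore) { Remove-ItemProperty -LiteralPath $s.Key -Name $s.Name -Force }
                else { Set-ItemProperty -LiteralPath $s.Key -Name $s.Name -Value $s.Restore }
            }
        }
    }
}
Write-Host 'Artefacts removed. Re-select the desktop background and reboot so the Winlogon notification package is no longer loaded.'
```

Run it from an elevated prompt in the affected user's session, since the HKCU values live in that user's hive: first without -Remediate to review the findings, then with -Remediate -WhatIf to preview the changes before applying them. The script cannot know the original desktop background, so that step stays manual; the Display control panel becomes usable again once NoDispCPL is gone.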

Variants

N/A

Overview

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.