W32/Noala.b@MM

Type: Virus
SubType: Internet Worm
Discovery Date: 10/22/2003
Length: 57,856 bytes
Minimum DAT: 4300 (10/29/2003)
Updated DAT: 4376 (07/14/2004)
Minimum Engine: 5.1.00
Description Added: 10/29/2003
Description Modified: 10/29/2003 4:28 PM (PT)
Risk Assessment (Corporate User): Low
Risk Assessment (Home User): Low

Characteristics

This mass-mailing worm harvests email addresses from several sources, spreads over mapped network drives and accessible Windows shares, and can insert propagation code into existing HTML documents so that an infected IIS server serves the worm to visitors.  It was written by a Spanish-speaking author; its messages are in Spanish and use the debate over Spain's LSSI/LSSICE internet law as the lure.  It may arrive as an email attachment in a message built from any combination of the senders, subjects and attachment names below (subject lines are shown as they appear in the mail, with an English gloss in parentheses):

From:

  • Panda Antivirus (OXYGEN@pandasoftware.es)
  • Ministerio de Ciencia y Tecnología (info@mcyt.es)  (the Spanish Ministry of Science and Technology)

Subject:

  • 2 el fichero que me pediste  (2 the file you asked me for)
  • a las buenas  (the easy way)
  • Acelerador de descargas ultra pequeño!!  (Ultra-small download accelerator!!)
  • FW:AVISO IMPORTANTE: un nuevo virus llamado LSSICE parece en internet  (FW: IMPORTANT NOTICE: a new virus called LSSICE appears on the internet)
  • FW:CAMPAÑA de información sobre la LSSICE  (FW: Information CAMPAIGN about the LSSICE)
  • Fw:Te reenvío esta presentación que me ha llegado, ya me contarás  (Fw: Forwarding you this presentation I received, let me know what you think)
  • importante ACTUALIZACIÓN PARA WINDOWS  (important UPDATE FOR WINDOWS)
  • Información sobre la LSSICE  (Information about the LSSICE)
  • Información sobre la LSSICE y sus consecuencias  (Information about the LSSICE and its consequences)
  • Ministerio de Ciencia y Tecnología: NUEVO VIRUS  (Ministry of Science and Technology: NEW VIRUS)
  • Nuestras libertades en internet en peligro  (Our freedoms on the internet in danger)
  • Nueva utilidad para protegerte de hop.b  (New utility to protect you from hop.b)
  • Nuevas formas de control  (New forms of control)
  • NUEVO VIRUS muy PELIGROSO : Resumen de la ley de internet  (VERY DANGEROUS NEW VIRUS: Summary of the internet law)
  • palabrerias  (idle talk)


Attachment:

  • downloadme.exe
  • FixWin32.0er45-hop.b.exe
  • informacion.exe
  • ley lssi.pdf.exe
  • ley.txt.exe
  • resumen.txt.exe
  • texto.txt.exe
  • www.mcyt.es.exe
  • www.putalssi.es.exe
  • xscreensaver.scr

The email message is crafted to exploit the old Incorrect MIME Header vulnerability in Internet Explorer (MS01-020, CVE-2001-0154): the executable attachment is declared with a media type that IE and Outlook Express handed straight to a player, so it runs as soon as the message is rendered on an unpatched system.  Most attachment names also carry a double extension (.txt.exe, .pdf.exe) so that the executable suffix is hidden when Windows hides known file extensions.  When the attachment is executed, a window is displayed showing the following text (Spanish original, with translation):


-------------------------------------------------
NO A LA LSSI  (NO TO THE LSSI)

Esta es una llamada de socorro desesperada, porque el 12 de octubre de 2002... [omitted]
(This is a desperate call for help, because on 12 October 2002... [omitted])

¡NO A LA LSSI!  (NO TO THE LSSI!)
-------------------------------------------------
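The MIME-header trick can be caught at the mail gateway without a signature: the attachment's declared Content-Type contradicts its executable filename, and the HTML body pulls the attachment in through a hidden IFRAME by Content-ID. The following Python checker is an added example, not code from this advisory or from the worm. The two messages it is run on are constructed for the dry run (the spoofed sender and attachment names are taken from the lists above; the body bytes are a placeholder), and the set of auto-played media types reflects how pre-MS01-020 Internet Explorer behaved, not anything this page states about the worm's own headers.

```python
import re
from email import message_from_string

# Extensions Windows runs directly; the advisory lists .exe and .scr, the rest
# are added as a general check.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs")
# Media types that IE/Outlook Express handed straight to a player before the
# MS01-020 patch, so a misdeclared executable ran without a prompt.
AUTOPLAY_TYPES = {"audio/x-wav", "audio/x-midi", "audio/basic", "video/x-msvideo"}
DOUBLE_EXT = re.compile(r"\.(txt|pdf|doc|html?|jpg|gif)\.(exe|scr|pif|com|bat|cmd|vbs)$", re.I)
IFRAME_CID = re.compile(r"<iframe[^>]*\bsrc\s*=\s*[\"']?cid:", re.I)


def find_mime_abuse(raw_message):
    """Return one finding per MIME part that shows the MS01-020 delivery pattern."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        reasons = []
        if ctype == "text/html":
            body = part.get_payload(decode=True) or b""
            if IFRAME_CID.search(body.decode("latin-1")):
                reasons.append("HTML body pulls an attachment into an iframe via cid:")
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
            if ctype in AUTOPLAY_TYPES:
                reasons.append(f"executable declared as {ctype} (MS01-020 auto-run pattern)")
            elif not ctype.startswith("application/"):
                reasons.append(f"executable declared as non-application type {ctype}")
            if DOUBLE_EXT.search(name):
                reasons.append("double extension hides the executable suffix")
        if reasons:
            findings.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return findings


# Constructed messages for a dry run; not captured worm traffic.
EXPLOIT_MAIL = """\
From: Panda Antivirus <OXYGEN@pandasoftware.es>
To: user@example.invalid
Subject: Informacion sobre la LSSICE
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="iso-8859-1"

<html><body><iframe src="cid:payload" width="0" height="0"></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="ley.txt.exe"
Content-Transfer-Encoding: base64
Content-ID: <payload>
Content-Disposition: attachment; filename="ley.txt.exe"

TVo=
--b1--
"""

CLEAN_MAIL = """\
From: colleague@example.invalid
To: user@example.invalid
Subject: resumen
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Adjunto el resumen.
--b2
Content-Type: text/plain; name="resumen.txt"
Content-Disposition: attachment; filename="resumen.txt"

Texto.
--b2--
"""
```

Run `find_mime_abuse(EXPLOIT_MAIL)` to get two findings (the HTML part with the cid: iframe, and ley.txt.exe declared as audio/x-wav with a double extension); the clean message yields none. The executable-name test is deliberately applied before the Content-Type is trusted, which is exactly the order the vulnerable client got wrong.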

The worm may copy itself to the Windows directory as wucrtupd.exe and create a registry run key to load itself at system startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
    Run "CriticalUpdate" = C:\WINDOWS\wucrtupd.exe

The worm harvests email addresses by sending many search queries to WWW.GOOGLE.COM and parsing the result pages for addresses, which lets it reach targets that are not in the victim's own address book.  Addresses are also harvested from the MSN Messenger contact list.

On remotely accessible systems (mapped drives and open shares) the worm may attempt to copy itself into the following Startup folders, trying both English and Spanish profile and folder names, so that it runs the next time a user logs on to that machine:

  • \Winnt\Profiles\All users\Start menu\Programs\Startup
  • \Winnt\Profiles\Administrator\Start menu\Programs\Startup
  • \Winnt\Profiles\Default User\Start menu\Programs\Startup
  • \Winnt\Profiles\Administrador\Start menu\Programs\Startup
  • \Winnt\Profiles\Administrador\Menu Inicio\Programas\Inicio

The following filenames are associated with this threat:

  • BASTA_YA_de_vulnerar_nuestros_derechos.txt.exe
  • downloadit.exe
  • fotos.del.ultimo.viaje.html.exe
  • FUERA_la_LSSI.es_INNECESARIA.html.exe
  • ley.pdf.exe
  • ley_de_internet_y_el_comercio_electronico.txt.exe
  • ley_lssi.pdf.exe
  • NO_a_la_CENSURA_informativa.txt.exe
  • NO_A_LA_LSSICE_otra_internet_es_posible.txt.exe
  • NO_a_la_MANIPULACION_informativa.html.exe
  • NO_al_control_informativo.html.exe
  • no_queremos_vivir_asi.html.exe
  • NO_queremos_vuestra_ley_DISCRIMINATORIA.doc.exe
  • NO_queremos_vuestra_ley_INCONSTITUCIONAL.html.exe
  • nuevo_virus_en_internet-LEEME.txt.exe
  • por_una_sociedad_mas_justa.html.exe
  • presentacion.exe
  • que_no_jueguen_con_tus_libertades.txt.exe
  • README.txt.exe
  • salvador_de_pantallas.scr
  • tarifa_plana_DE_VERDAD_ya.html.exe
  • texto_integro_de_la_lssice.txt.exe
  • vuelve_la_INQUISICION.html.exe
  • www.lssi.es.exe
  • www.mcyt.com.exe
  • XXX.jpg.exe

On an infected IIS server the worm may attempt to modify the following default documents, inserting an IFRAME that loads the worm, so that browsers visiting the site are served the worm from the web root:

  • c:\inetpub\wwwroot\index.htm
  • c:\inetpub\wwwroot\default.htm
  • d:\inetpub\wwwroot\index.htm
  • d:\inetpub\wwwroot\default.htm
  • e:\inetpub\wwwroot\index.htm
  • e:\inetpub\wwwroot\default.htm
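For triage of a host or a mounted disk image against the artifacts listed on this page (dropped files in the Windows directory, copies planted in the Startup folders above, and IFRAME injection into the IIS default documents), the following Python script is an added example and not McAfee tooling. It checks every path relative to a supplied root so it runs offline against a test tree; build_sample_tree constructs such a tree with placeholder files, and run_key_value only works on Windows (it assumes the winreg module is available and returns None elsewhere).

```python
import os
import re
import tempfile
from html.parser import HTMLParser

# Artifacts from the advisory: file name -> expected size (None = not given).
DROPPED_FILES = {"wucrtupd.exe": None, "i-worm_info.txt": 209,
                 "lssice_info.txt": 7536, "no_a_la_LSSICE.txt": 79}
# Startup folders the worm copies itself into (English and Spanish names),
# relative to the share or drive root.
STARTUP_DIRS = [os.path.join("Winnt", "Profiles", p, "Start menu", "Programs", "Startup")
                for p in ("All users", "Administrator", "Default User", "Administrador")]
STARTUP_DIRS.append(os.path.join("Winnt", "Profiles", "Administrador",
                                 "Menu Inicio", "Programas", "Inicio"))
# IIS default documents the worm rewrites.
WWWROOT_DOCS = [os.path.join("inetpub", "wwwroot", n) for n in ("index.htm", "default.htm")]
EXEC_RE = re.compile(r"\.(exe|scr)$", re.I)


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def suspicious_iframes(html_text):
    """Return src values of iframes that point at an executable or are hidden."""
    parser = IframeCollector()
    parser.feed(html_text)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        hidden = attrs.get("width") in ("0", "0px") or attrs.get("height") in ("0", "0px")
        if EXEC_RE.search(src.split("?", 1)[0]) or hidden:
            hits.append(src)
    return hits


def triage(root, windir="WINDOWS"):
    """Scan a drive root (or mounted image) and return (category, detail) findings."""
    findings = []
    for name, expected in DROPPED_FILES.items():
        path = os.path.join(root, windir, name)
        if os.path.isfile(path):
            actual = os.path.getsize(path)
            detail = path if expected in (None, actual) else f"{path} (size {actual}, expected {expected})"
            findings.append(("dropped_file", detail))
    for rel in STARTUP_DIRS:
        folder = os.path.join(root, rel)
        if os.path.isdir(folder):
            for entry in os.listdir(folder):
                if EXEC_RE.search(entry):
                    findings.append(("startup_copy", os.path.join(folder, entry)))
    for rel in WWWROOT_DOCS:
        doc = os.path.join(root, rel)
        if os.path.isfile(doc):
            with open(doc, encoding="latin-1") as fh:
                for src in suspicious_iframes(fh.read()):
                    findings.append(("iframe_injection", f"{doc}: {src}"))
    return findings


def run_key_value(value_name="CriticalUpdate"):
    """Windows only: return the HKCU Run value the worm sets, or None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                            r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
            return winreg.QueryValueEx(key, value_name)[0]
    except OSError:
        return None


def build_sample_tree(base):
    """Construct a fake infected drive for a dry run (placeholder data, not real samples)."""
    windir = os.path.join(base, "WINDOWS")
    os.makedirs(windir)
    with open(os.path.join(windir, "wucrtupd.exe"), "wb") as fh:
        fh.write(b"MZ placeholder")          # stand-in, not the worm
    with open(os.path.join(windir, "no_a_la_LSSICE.txt"), "wb") as fh:
        fh.write(b"x" * 79)                  # matches the advertised size
    startup = os.path.join(base, STARTUP_DIRS[0])
    os.makedirs(startup)
    open(os.path.join(startup, "README.txt.exe"), "wb").close()
    www = os.path.join(base, "inetpub", "wwwroot")
    os.makedirs(www)
    with open(os.path.join(www, "index.htm"), "w", encoding="latin-1") as fh:
        fh.write('<html><body>Bienvenido<iframe src="ley_lssi.pdf.exe" width=0 height=0>'
                 "</iframe></body></html>")


def demo():
    """Build the sample tree in a temp directory and triage it."""
    base = tempfile.mkdtemp(prefix="noala-triage-")
    build_sample_tree(base)
    return triage(base)
```

Against a live host, call `triage("C:\\")` (and `triage` once per additional drive letter, since the advisory lists wwwroot on C:, D: and E:) and `run_key_value()`; any finding should be followed by cleaning with the engine and DAT combination given in the Removal section rather than by deleting files by hand.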

Symptoms

The worm creates three text files in the WINDOWS directory:

  • i-worm_info.txt (209 bytes)
  • lssice_info.txt (7,536 bytes)
  • no_a_la_LSSICE.txt (79 bytes)

Method of Infection

This worm spreads through email, accessible network shares, and infectious web pages.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup are removed when the system is cleaned with the recommended engine and DAT combination (or later).

Additional Windows ME/XP removal considerations: disable System Restore before cleaning, so that infected copies held in restore points are not restored afterwards.

Variants

N/A

Overview

This is a virus detection. Viruses are self-replicating programs: an infected system spreads the virus to other systems, which then propagate it further. While many viruses carry a destructive payload, it is common for a virus to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Ticton (AVP)
  • i-worm.WinSux
  • W32.Lofni.Worm (Symantec)
  • W32/Ticton-A (Sophos)
  • Win32.Noala.B (CA)
  • WORM_ARRET.A (Trend)
