W32/MoonLight.worm
- Type: Virus
- SubType: Worm
- Discovery Date: 05/08/2006
- Length: Varies
- Minimum DAT: 4757 (05/08/2006)
- Updated DAT: 5715 (08/20/2009)
- Minimum Engine: 5.1.00
- Description Added: 05/08/2006
- Description Modified: 10/17/2006 4:05 PM (PT)
Characteristics
W32/MoonLight.worm is a mass mailing worm which attempts to send a copy of itself to email addresses harvested from the computer.
The characteristics of this worm, with regard to file names, folders created, port numbers used, etc., will differ from one variant to another. Hence, this is a general description.
Installation
Upon execution, it creates copies of itself:
- %WINDIR%\m24627\smss.exe
- %SYSTEMDIR%\(digits).exe
- %WINDIR%\m(digits)\ja(digits).com
- %WINDIR%\sa-(digits).exe
- %WINDIR%\m(digits)\emangeloh.exe
- %WINDIR%\ti(digits).exe
- %SYSTEMDIR%\x(digits)go\z(digits)cie.cmd
- c:\documents and settings\%USER%\templates\o(digits)z\tuxo(digits)z.exe
- c:\documents and settings\%USER%\templates\o(digits)z\service.exe
- c:\documents and settings\%USER%\templates\o(digits)z\winlogon.exe
- c:\documents and settings\%USER%\start menu\programs\startup\sql.cmd
It also drops the following files:
- %WINDIR%\[themoonlight].txt (109 bytes)
- %WINDIR%\system\msvbvm60.dll (innocent)
The following registry keys are created to load itself at startup:
- hkey_local_machine\system\controlset001\control\safeboot
  alternateshell="(digits).exe"
- hkey_local_machine\system\controlset002\control\safeboot
  alternateshell="(digits).exe"
- hkey_current_user\software\microsoft\windows\currentversion\run
  t(digits)="%SYSTEMDIR%\(digits).exe"
- hkey_local_machine\software\microsoft\windows\currentversion\run
  t(digits)="%WINDIR%\sa-(digits).exe"
- hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
  userinit="%SYSTEMDIR%\userinit.exe , "%WINDIR%\M(digits)\Ja(digits).com""
- hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon
  shell="explorer.exe, "C:\Documents and settings\%USER%\Templates\O(digits)Z\T(digits).exe""
- hkey_local_machine\software\microsoft\windows\currentversion\explorer\user shell folders
  common startup="%SYSTEMDIR%\X(digits)go"
The following registry keys are modified:
- hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
  hidden="0"
  hidefileext="1"
  showsuperhidden="0"
- hkey_local_machine\system\currentcontrolset\services\sharedaccess
  start="0"
- hkey_current_user\software\microsoft\windows\currentversion\explorer\cabinetstate
  fullpath="1"
- hkey_local_machine\software\microsoft\windows\currentversion\explorer\advanced\folder\superhidden
  uncheckedvalue="0"
- hkey_current_user\software\microsoft\windows\currentversion\policies\system
  disableregistrytools="1"
- hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\msconfig.exe
  debugger="%WINDIR%\notepad.exe"
- hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\regedit.exe
  debugger="%WINDIR%\notepad.exe"
The following additional registry keys are created:
- hkey_local_machine\software\microsoft\tux\biang
  1="(digits)"
  2="(digits)"
  3="(digits)"
  4="(digits)"
  5="(digits)"
- hkey_local_machine\software\microsoft\tux\path
  1="M(digits)"
  2="O(digits)Z"
  3="X(digits)go"
- hkey_current_user\software\vb and vba program settings\untukmu\version
  me="52"
- hkey_current_user\software\vb and vba program settings\nogods\appactive
  service.exe="59-00-6e-00-a6-00-41-00-70-00-7e-01-5a-00-27-00-7b-00-00-00"
  winlogon.exe="e4-00-f9-00-33-00-cc-00-fc-00-2b-00-e5-00-b2-00-08-00-00-00"
  emangeloh.exe="4b-00-60-00-dc-02-33-00-62-00-90-00-4c-00-19-00-6d-00-00-00"
  smss.exe="50-00-65-00-9d-00-38-00-68-00-22-20-51-00-1e-00-72-00-00-00"
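The registry changes listed above are a compact catalogue of Windows persistence and defence-evasion tricks: an Image File Execution Options Debugger value makes Windows start notepad.exe whenever regedit.exe or msconfig.exe is launched, SafeBoot AlternateShell replaces the shell used by Safe Mode with Command Prompt, extra entries appended to the Winlogon Userinit and Shell values run at every logon, and DisableRegistryTools locks the user out of the Registry Editor. The Python below is an added example, not McAfee's tooling or code from this page: it parses a small .reg-style export (constructed here, with the page's "(digits)" placeholders filled with made-up numbers) and reports each of those indicators so a responder can triage an exported hive offline.

```python
"""Scan a Windows registry export (.reg text) for the persistence settings
described for W32/MoonLight.worm. Added example: SAMPLE_REG below is a
constructed export, not taken from an infected machine, and the digits in
the file names (48213, 24627) stand in for the page's "(digits)" placeholders."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINDOWS\\notepad.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="48213.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe , \"C:\\WINDOWS\\M24627\\Ja24627.com\""
"Shell"="explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"t48213"="C:\\WINDOWS\\sa-48213.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
'''

# File-name shapes the page describes: "(digits).exe", "sa-(digits).exe", "ti(digits).exe"
SUSPECT_EXE = re.compile(r'(?:^|\\)(?:sa-|ti)?\d+\.exe$', re.IGNORECASE)


def parse_reg_export(text):
    """Return {(key_lower, value_name_lower): value} from .reg export text.
    REG_SZ strings are unescaped, dword values become ints. This is a minimal
    parser for the sample above, not a complete .reg grammar."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
        elif key and line.startswith('"'):
            m = re.match(r'^"([^"]+)"=(.*)$', line)
            if not m:
                continue
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith('dword:'):
                values[(key, name)] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                values[(key, name)] = re.sub(r'\\(.)', r'\1', raw[1:-1])
    return values


def _programs(value):
    """Split a comma-separated Winlogon value (Userinit/Shell) into paths."""
    parts = [p.strip().strip('"').strip() for p in value.split(',')]
    return [p for p in parts if p]


def find_persistence(values):
    """Return human-readable findings for the persistence tricks on the page."""
    findings = []
    for (key, name), val in values.items():
        sval = val if isinstance(val, str) else ''
        if name == 'debugger' and '\\image file execution options\\' in key:
            # IFEO Debugger: starting regedit/msconfig runs the "debugger" instead
            target = key.rsplit('\\', 1)[-1]
            if target in ('regedit.exe', 'msconfig.exe'):
                findings.append(f'IFEO debugger hijack of {target}: {sval}')
        elif key.endswith('\\control\\safeboot') and name == 'alternateshell':
            # Safe Mode with Command Prompt normally starts cmd.exe
            if sval.lower() != 'cmd.exe':
                findings.append(f'SafeBoot AlternateShell replaced: {sval}')
        elif key.endswith('\\windows nt\\currentversion\\winlogon'):
            progs = _programs(sval)
            if name == 'userinit' and any(not p.lower().endswith('userinit.exe') for p in progs):
                findings.append(f'Extra program in Winlogon Userinit: {sval}')
            if name == 'shell' and any(p.lower() != 'explorer.exe' for p in progs):
                findings.append(f'Extra program in Winlogon Shell: {sval}')
        elif key.endswith('\\currentversion\\run') and SUSPECT_EXE.search(sval):
            findings.append(f'Run value {name} points to digit-named binary: {sval}')
        elif key.endswith('\\policies\\system') and name == 'disableregistrytools' and val == 1:
            findings.append('DisableRegistryTools=1 (Registry Editor blocked by policy)')
    return findings


if __name__ == '__main__':
    for finding in find_persistence(parse_reg_export(SAMPLE_REG)):
        print('[!]', finding)
```

On the constructed sample this reports five findings (the IFEO hijack, the replaced safe-mode shell, the extra Userinit program, the digit-named Run entry and the registry-tools policy) and stays silent on the legitimate ctfmon.exe entry and the untouched Shell value. In practice the same checks run over a `reg export` of the HKLM and HKCU hives taken from a suspect machine.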
Symptoms
The worm deletes registry keys containing the following strings:
Tok-Cirrhatus
AllMyBallance
MomentEverComes
TryingToSpeak
YourUnintended
YourUnintendes
lexplorer
dkernel
Tok-Cirrhatus-1101
Bron-Spizaetus-cgglmmrv
Bron-Spizaetus
Bron-Spizaetus-cfirltrx
ADie suka kamu
SaTRio ADie X
The worm attempts to download files from the remote site:
http://www.apasajalah.host.sk/[removed]
Method of Infection
P2P Propagation
The worm searches directories with the following strings:
- download
- upload
- share
It copies itself to these directories using the following file names:
TutoriaL HAcking [spaces] .exe
Lagu - Server [spaces].scr
Data DosenKu [spaces] .exe
Titip Folder Jangan DiHapus [spaces].exe
Love Song [spaces].scr
New mp3 BaraT !! [spaces].exe
THe Best Ungu [spaces] .scr
Blink 182 [spaces].exe
Norman virus Control 5.18 [spaces] .exe
Windows Vista setup [spaces] .scr
Gallery [spaces] .scr
RaHasIA [spaces] .exe
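The names above end in a long run of spaces before the real extension, so a file-list column narrower than the name shows only the bait text. The Python below is an added example, not code from this page or from McAfee: it scans directories whose names contain the page's three substrings and flags files that use this padding trick, and goes one step beyond the page by also catching names that carry a decoy document or media extension in front of the padding. The directory tree it scans is constructed in a temporary folder.

```python
"""Flag executable files that hide their extension behind a run of spaces or
a decoy document/media extension, the naming trick used by the P2P copies.
Added example; the tree it scans is constructed in a temp folder, not taken
from a real share."""
import os
import shutil
import tempfile

# Extensions Windows executes on double-click (the worm's .exe/.scr plus common ones)
EXEC_EXT = {'.exe', '.scr', '.com', '.cmd', '.bat', '.pif'}
# Extensions used as bait in front of the padding (constructed list)
LURE_EXT = {'.mp3', '.jpg', '.jpeg', '.gif', '.doc', '.zip', '.txt', '.pdf'}
# Directory-name substrings the worm looks for (from the page)
SHARE_MARKERS = ('download', 'upload', 'share')


def is_padded_executable(name, min_spaces=4):
    """True if an executable extension follows at least min_spaces spaces,
    so a narrow file-list column shows only the bait part of the name."""
    root, ext = os.path.splitext(name)
    if ext.lower() not in EXEC_EXT:
        return False
    return len(root) - len(root.rstrip(' ')) >= min_spaces


def has_decoy_extension(name):
    """True if a lure extension sits in front of the real executable one."""
    root, ext = os.path.splitext(name)
    if ext.lower() not in EXEC_EXT:
        return False
    return os.path.splitext(root.rstrip(' '))[1].lower() in LURE_EXT


def scan_share_dirs(top, markers=SHARE_MARKERS):
    """Walk `top`; inside any directory whose name contains a marker, return
    the paths of files matching either disguise, sorted for stable output."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        if not any(m in os.path.basename(dirpath).lower() for m in markers):
            continue
        for fname in files:
            if is_padded_executable(fname) or has_decoy_extension(fname):
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample tree: two disguised files in a 'shared' folder, one
    clean executable, one text file, and a disguised file outside any marker
    directory (which the scan must ignore). Caller removes the tree."""
    base = tempfile.mkdtemp(prefix='moonlight_demo_')
    shared = os.path.join(base, 'My Shared Folder')
    pictures = os.path.join(base, 'Pictures')
    os.makedirs(shared)
    os.makedirs(pictures)
    for name in ('Love Song' + ' ' * 60 + '.scr',
                 'Gallery.jpg' + ' ' * 30 + '.exe',
                 'setup.exe',
                 'notes.txt'):
        open(os.path.join(shared, name), 'wb').close()
    open(os.path.join(pictures, 'holiday' + ' ' * 60 + '.exe'), 'wb').close()
    return base


if __name__ == '__main__':
    base = build_sample_tree()
    try:
        for hit in scan_share_dirs(base):
            print('[!] disguised executable:', hit)
    finally:
        shutil.rmtree(base)
```

On the sample tree only the two padded names inside "My Shared Folder" are reported; setup.exe is left alone because it has no padding, and the padded file under Pictures is skipped because that directory name matches none of the markers. For a real check, point scan_share_dirs at the roots of the file shares and user download folders.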
Mail Propagation
The virus arrives in an email message as follows:
Subject: (Taken from the following list)
Tolong Aku..
Tolong
hi please see this file
hey Indonesian porn Tiara lestari pic's
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
From: (Taken from the following list)
B4bb1cool
mansonisme
Yoseph2000
12050075
CoolMan
BabbyBear
Jagung-Bakar
MooNLight
Rita
sasUK3
Davis
Titta
Anata
Emily
HellSpawn
Fria
admin
SaZZA
BInaSarana
Shit
JuwitaNingrum
HackersMinds
telkom
astaga
boleh
PLASA
indo
warung
gaul
Body: (Taken from the following list)
free screen saver romance for you.
Please Visit Our Web Site http://www.moonLight.com
please read again what i have written to you
thank's for you register your acount details are attached
Aku Mencari Wanita yang aku Cintai
dan cara menggunakan email mass
ini adalah cara terakhirku ,di lampiran ini terdapat
foto dan data Wanita tsb Thank's
NB:Mohon di teruskan kesahabat anda
aku mahasiswa Bsi Margonda smt 3
yah aku sedang membutuhkan pekerjaan
oh ya aku tahu anda dr milis ilmu komputer
di lampiran ini terdapat curriculum vittae dan foto saya
password lampiran 55132098
For security reasons attached file is password protected. The password is 55132098
Attachments: (Taken from the following list)
curriculum vittae.zip
USE_RAR_To_Extract.ace
jojo
file.bz2
thisfile.gz
TITTA'S Picture.jar
The mailing component harvests addresses from the local system. The worm skips addresses that contain any of the following strings:
microsoft
dengines
sensasi
bront
filewalker
OfficeSystem
www.
virus
suport
MoonMail
yoursite
yourdomain
yyyy
yahoogroup
norman
norton
panda
mcafee
Syman
sophos
Trend
vaksin
novell
Friendster
yahoo
gmail
login
bank
hotmail
Finally, the virus sends itself via SMTP, constructing messages with its own SMTP engine. The worm guesses the recipient's mail server by prepending the following strings to the target domain name:
smtp.
mail.
ns1.
mx1.
mail1.
mxs.
relay.
gate.
Floppy Propagation
A copy of the worm is saved to the A: drive.
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Aliases
- W32.Rontokbro@mm (Symantec)
- W32/Moonlight.A.worm (Panda)
- Win32/MoonLight.B!Worm (CA)
- Win32/NoonLight.B (NOD32)
- Worm.Win32.VB.cz (Kaspersky)
- WORM_RONTOKBR.AB (Trend Micro)