Installation
Backdoor:Win32/Lamin.A arrives on your computer via a hyperlink in an Internet Relay Chat (IRC) message. When you click the hyperlink, the worm is downloaded.
The worm disguises itself with a .doc file icon so that it looks like a Word document, tricking you into opening the file and running it.
We have seen this worm with the following file names:
- RESGUARDO INDIVIDUAL DE CAMARA.exe
- smss.exe
When run, the worm creates the following files:
These files contain the location of the IRC server, the proxy server and the text for the messages that are sent.
The worm copies itself into the following files:
The worm modifies the following registry entry to ensure that its copy runs at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: Shell
With data: "%ProgramFiles%\Microsoft Office\OFFICE11\services.exe"
Spreads via...
Spam messages
Backdoor:Win32/Lamin.A connects to the following IRC servers:
It uses the following templates and sends spam messages in Indonesian to everyone on the servers:
- Bagaimana para pengusaha bisa sukses. anda bisa mendapatkan trik-trik para pengusaha dalam waktu singkat dengan hanya membaca buku dapatkan segera bukunya di http://bukugeratis.<removed>.com
- Buku elektronik - Tips & Trik cara cepat mendapatkan pasangan hidup ==> http://bukugeratis.<removed>.com
- cara Merakit komputer ===> http://bukugeratis.<removed>.com
- cara usaha mendapatkan keuntungan besar berlipat ganda & trik pengusaha sukses http://bukugeratis.<removed>.com
- Dapatkan buku Kumpulan trik teknik Hacking jaringan & website. Hacker Book, Cara cepat menguasai komputer di http://bukugeratis.<removed>.com
- Download segera berbagai buku elektronik tips & trik ilmu komputer di >>> http://bukugeratis.<removed>.com
- halaman. segera dapatkan hanya di http://bukugeratis.<removed>.com
- Jom download segera berbagai kumpulan buku geratis Ilmu Komputer dan Bisnis di >> http://bukugeratis.<removed>.com
- Mahu tau cara cepat dan mudah membuat website sendiri? dapatkan segera bukunya di http://bukugeratis.<removed>.com
- Mahu tau tips & trik berbagai posisi bercinta dengan pasangan anda? dapatkan segera Kamasutra Book di http://bukugeratis.<removed>.com>>> http://bukugeratis.<removed>.com
- Mahu tips and trik menarik Adobe Photoshop, dapatkan segera buku elektronik geratis di http://bukugeratis.<removed>.com
- Tips & Trik bagaimana mendapatkan uang di internet ==>http://bukugeratis.<removed>.com
- untuk pemula dan mahir. dapatkan segera hanya di http://bukugeratis.<removed>.com
The purpose of these messages is to spread the worm to other computers. The messages offer electronic books on a number of topics and include a hyperlink to a malicious website.
Payload
Stops Windows security features
The worm tries to stop the following Windows security features:
- Windows Firewall/Internet Connection Sharing (ICS)
- Windows Automatic Updates
- Security Center
Additional information
This worm creates the following registry entries to redirect the Windows software trace preprocessor (WPP):
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
Sets value: LogSessionName
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
Sets value: Guid
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy
Sets value: LogSessionName
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier
Sets value: Guid
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
Sets value: LogSessionName
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
Sets value: Guid
With data: "8aefce96-4618-42ff-a057-3536aa78233e"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Sets value: LogSessionName
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
Sets value: Guid
With data: "710adbf0-ce88-40b4-a50d-231ada6593f0"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
Sets value: LogSessionName
With data: "stdout"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
Sets value: Guid
With data: "b0278a28-76f1-4e15-b1df-14b209a12613"
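The Winlogon Shell persistence entry and the Tracing\Microsoft LogSessionName entries listed above can be checked offline from a `reg export` dump. The following script is an added example and not part of this encyclopedia entry; it assumes a simplified export parser that handles only REG_SZ string values, and the registry dump embedded in it is constructed for illustration, not a real capture.

```python
import re
from typing import Dict, List

# Key paths and values taken from the entry above, lower-cased for case-insensitive matching.
WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
TRACING = r"hklm\software\microsoft\windows nt\currentversion\tracing\microsoft"
TRACED = ("eappcfg", "eappprxy", "qutil", r"nap\netsh", "qagent")
CLEAN_SHELL = "explorer.exe"  # expected Shell value on an unmodified system

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REG_SZ values from a `reg export`-style dump into {subkey: {name: data}}.
    Subkeys and value names are lower-cased; HKEY_LOCAL_MACHINE is shortened to HKLM."""
    snapshot: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower().replace("hkey_local_machine", "hklm")
            snapshot.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            # reg export doubles backslashes inside string data; undo that here.
            snapshot[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return snapshot

def find_lamin_indicators(snapshot: Dict[str, Dict[str, str]]) -> List[str]:
    """Return one finding per indicator from the entry that is present in the snapshot."""
    findings: List[str] = []
    shell = snapshot.get(WINLOGON, {}).get("shell", CLEAN_SHELL)
    if shell.strip().lower() != CLEAN_SHELL:
        findings.append(f"Winlogon Shell is not explorer.exe: {shell}")
    for comp in TRACED:
        key = f"{TRACING}\\{comp}"
        if snapshot.get(key, {}).get("logsessionname", "").lower() == "stdout":
            findings.append(f"WPP LogSessionName redirected to stdout under {key}")
    return findings

# Constructed sample dump (hypothetical, not a real capture), shaped like `reg export` output.
SAMPLE_DUMP = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="%ProgramFiles%\\Microsoft Office\\OFFICE11\\services.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName"="stdout"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName"="stdout"
'''
```

On a live host, feed the script the output of `reg export "HKLM\Software\Microsoft\Windows NT\CurrentVersion" dump.reg` (opened as UTF-16 text) instead of SAMPLE_DUMP.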
Analysis by Swapnil Bhalode