Backdoor:Win32/Lamin.A

Installation

Backdoor:Win32/Lamin.A arrives on your computer via a hyperlink in an Internet relay chat (IRC) message. When you click on the hyperlink the worm is downloaded.

The worm hides itself on your computer by using a .doc file icon to trick you into opening the file and running it.

We have seen this worm with the following file names:

• RESGUARDO INDIVIDUAL DE CAMARA.exe
• smss.exe

When run, the worm creates following files:

• %ProgramFiles%\Microsoft Office\Office11\control.ini
• %ProgramFiles%\Microsoft Office\Office11\drvics32.dll
• %ProgramFiles%\Microsoft Office\Office11\hjwgsd.dll
• %ProgramFiles%\Microsoft Office\Office11\jwiegh.dll
• %ProgramFiles%\Microsoft Office\Office11\pub60sp.mrc
• %ProgramFiles%\Microsoft Office\Office11\remote.ini
• %ProgramFiles%\Microsoft Office\Office11\ruimsbbe.dll
• %ProgramFiles%\Microsoft Office\Office11\smss.exe
• %ProgramFiles%\Microsoft Office\Office11\yofc.dll

These files contain the location of the IRC server, the proxy server and the text for the messages that are sent.

The worm copies itself into the following files:

• %ProgramFiles%\Microsoft Office\Office11\winword.exe
• %ProgramFiles%\Microsoft Office\Office11\services.exe
• <startup folder>\adobe gamma loader.com

The worm modifies the following registry entry to ensure that its copy runs at each Windows start:

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: Shell
With data: "%ProgramFiles%\Microsoft Office\OFFICE11\services.exe"

Spreads via...

Spam messages

Backdoor:Win32/Lamin.A connects to the following IRC servers:

• <any>.va.us.dal.net

It uses the following templates and sends spam messages in Indonesian to everyone on the servers:

• Bagaimana para pengusaha bisa sukses. anda bisa mendapatkan trik-trik para pengusaha dalam waktu singkat dengan hanya membaca buku dapatkan segera bukunya di http://bukugeratis.<removed>.com
• Buku elektronik - Tips & Trik cara cepat mendapatkan pasangan hidup ==> http://bukugeratis.<removed>.com
• cara Merakit komputer ===> http://bukugeratis.<removed>.com
• cara usaha mendapatkan keuntungan besar berlipat ganda & trik pengusaha sukses http://bukugeratis.<removed>.com
• Dapatkan buku Kumpulan trik teknik Hacking jaringan & website. Hacker Book, Cara cepat menguasai komputer di http://bukugeratis.<removed>.com
• Download segera berbagai buku elektronik tips & trik ilmu komputer di >>> http://bukugeratis.<removed>.com
• halaman. segera dapatkan hanya di http://bukugeratis.<removed>.com
• Jom download segera berbagai kumpulan buku geratis Ilmu Komputer dan Bisnis di >> http://bukugeratis.<removed>.com
• Mahu tau cara cepat dan mudah membuat website sendiri? dapatkan segera bukunya di http://bukugeratis.<removed>.com
• Mahu tau tips & trik berbagai posisi bercinta dengan pasangan anda? dapatkan segera Kamasutra Book di http://bukugeratis.<removed>.com>>> http://bukugeratis.<removed>.com
• Mahu tips and trik menarik Adobe Photoshop, dapatkan segera buku elektronik geratis di http://bukugeratis.<removed>.com
• Tips & Trik bagaimana mendapatkan uang di internet ==>http://bukugeratis.<removed>.com
• untuk pemula dan mahir. dapatkan segera hanya di http://bukugeratis.<removed>.com

The purpose of these messages is to spread the worm to other computers. The messages offer electronic books on a number of topics and include a hyperlink to a malicious website.

Payload

Stops Windows security features

The worm tries to stop the following Windows security features:

• Windows Firewall/Internet Connection Sharing (ICS)
• Windows Automatic Updates
• Security Center

Additional information

This worm creates the following registry entries to redirect the Windows software trace preprocessor (WPP):

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
Sets value: LogSessionName
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
Sets value: Guid
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy
Sets value: LogSessionName
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier
Sets value: Guid
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
Sets value: LogSessionName
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
Sets value: Guid
With data: "8aefce96-4618-42ff-a057-3536aa78233e" 

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Sets value: LogSessionName
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
Sets value: Guid
With data: "710adbf0-ce88-40b4-a50d-231ada6593f0"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
Sets value: LogSessionName
With data: "stdout"

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
Sets value: Guid
With data: "b0278a28-76f1-4e15-b1df-14b209a12613"

Analysis by  Swapnil Bhalode