Worm:Win32/Lamin.A is a worm that uses installed Internet chat clients to send messages to contacts containing a hyperlink to a copy of the worm. When executed, the worm installs itself, stops services and modifies Windows settings. The installed backdoor is identified as Backdoor:Win32/Lamin.A.
Installation
Worm:Win32/Lamin.A may be installed when a user visits a malicious hyperlink received in an instant message. The message arrives from a contact whose computer is already infected. The icon of the downloaded file may resemble a Microsoft Word or Adobe document in an attempt to trick the user into 'opening' the worm copy. In the wild, this worm may be distributed under varying file names, including "Adobe Gamma Loader.com", "plugin.exe" and "package.exe" among others.
When run, it drops configuration files and copies of itself as the following:
%ProgramFiles%\Microsoft Office\Office11\control.ini
%ProgramFiles%\Microsoft Office\Office11\remote.ini
%ProgramFiles%\Microsoft Office\Office11\drvics32.dll
%ProgramFiles%\Microsoft Office\Office11\hjwgsd.dll
%ProgramFiles%\Microsoft Office\Office11\jwiegh.dll
%ProgramFiles%\Microsoft Office\Office11\pub60sp.mrc
%ProgramFiles%\Microsoft Office\Office11\ruimsbbe.dll
%ProgramFiles%\Microsoft Office\Office11\yofc.dll
%ProgramFiles%\Microsoft Office\Office11\smss.exe
Spreads Via…
Link within chat messages
Worm:Win32/Lamin.A may send messages to the contacts of chat applications such as "Googletalk" that contain a hyperlink to a predefined website hosting a copy of the worm. Users who receive the message and click the link could download and execute the worm copy, further spreading the worm.
Payload
Terminates Windows services
Worm:Win32/Lamin.A attempts to stop certain Windows services by executing "NET.EXE" with a stop command for each of the following service names:
- Windows Firewall/Internet Connection Sharing (ICS)
- Automatic Updates
- Security Center
Modifies Windows settings
Worm:Win32/Lamin.A creates additional registry values and related data that may redirect the Windows software trace preprocessor (WPP), which traces driver operation, so that trace output is sent to the console ("stdout") instead of to an event trace log.
Adds value: "LogSessionName"
With data: "stdout"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
Adds value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier
Adds value: "LogSessionName"
With data: "stdout"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy
Adds value: "Guid"
With data: "5f31090b-d990-4e91-b16d-46121d0255aa"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier
Adds value: "LogSessionName"
With data: "stdout"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
Adds value: "Guid"
With data: "8aefce96-4618-42ff-a057-3536aa78233e"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier
Adds value: "LogSessionName"
With data: "stdout"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh
Adds value: "Guid"
With data: "710adbf0-ce88-40b4-a50d-231ada6593f0"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr
Adds value: "LogSessionName"
With data: "stdout"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent
Adds value: "Guid"
With data: "b0278a28-76f1-4e15-b1df-14b209a12613"
Within subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier
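The following PowerShell script is an added, read-only host check (not part of this analysis) that looks for the dropped files, the Tracing registry values and the stopped services described above, and reports any match. It assumes the well-known service names SharedAccess, wuauserv and wscsvc for the three services the worm stops; everything else comes from the indicators listed on this page.

```powershell
# Read-only check for Worm:Win32/Lamin.A indicators; reports findings, changes nothing.
$office = Join-Path $env:ProgramFiles 'Microsoft Office\Office11'
$droppedFiles = 'control.ini','remote.ini','drvics32.dll','hjwgsd.dll','jwiegh.dll',
                'pub60sp.mrc','ruimsbbe.dll','yofc.dll','smss.exe'

# Tracing subkeys the worm points at stdout, and where it writes the matching Guid.
$tracingRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft'
$tracing = @(
    @{ Key='eappcfg';   GuidKey='eappcfg\traceIdentifier';  Guid='5f31090b-d990-4e91-b16d-46121d0255aa' },
    @{ Key='eappprxy';  GuidKey='eappprxy\traceIdentifier'; Guid='5f31090b-d990-4e91-b16d-46121d0255aa' },
    @{ Key='QUtil';     GuidKey='QUtil\traceIdentifier';    Guid='8aefce96-4618-42ff-a057-3536aa78233e' },
    @{ Key='NAP\Netsh'; GuidKey='NAP\Netsh\Napmontr';       Guid='710adbf0-ce88-40b4-a50d-231ada6593f0' },
    @{ Key='qagent';    GuidKey='qagent\traceIdentifier';   Guid='b0278a28-76f1-4e15-b1df-14b209a12613' }
)

# Assumed service names for the display names the worm stops via NET.EXE:
# SharedAccess = Windows Firewall/ICS, wuauserv = Automatic Updates, wscsvc = Security Center
$services = 'SharedAccess','wuauserv','wscsvc'

$findings = New-Object System.Collections.Generic.List[string]

foreach ($name in $droppedFiles) {
    $path = Join-Path $office $name
    if (Test-Path -LiteralPath $path) { $findings.Add("Dropped file present: $path") }
}

foreach ($t in $tracing) {
    $logKey  = Join-Path $tracingRoot $t.Key
    $session = (Get-ItemProperty -Path $logKey -Name LogSessionName -ErrorAction SilentlyContinue).LogSessionName
    if ($session -eq 'stdout') { $findings.Add("LogSessionName=stdout under $logKey") }

    $guidKey = Join-Path $tracingRoot $t.GuidKey
    $guid    = (Get-ItemProperty -Path $guidKey -Name Guid -ErrorAction SilentlyContinue).Guid
    if ($guid -eq $t.Guid) { $findings.Add("Guid $guid under $guidKey") }
}

foreach ($svc in $services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings.Add("Service $svc ($($s.DisplayName)) is $($s.Status)")
    }
}

if ($findings.Count -eq 0) { 'No Lamin.A indicators found.' } else { $findings }
```

A stopped service on its own is weak evidence; treat the file and registry matches as the primary indicators and the service state as corroboration.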
Analysis by Subratam Biswas