Worm:Win32/Lightmoon.G is a mass-mailing worm that sends itself to email addresses found on the infected computer. It also attempts to propagate via P2P applications.
Installation
Worm:Win32/Lightmoon.G usually arrives on the system as an attachment to spammed email messages. It uses a folder icon to mislead users into thinking it is not an executable file.
It creates several copies of itself:
%windir%\<random string>.exe
%windir%\<random string>\<random string>.com
%windir%\<random string>\smss.exe
%windir%\<random string>\system.exe
%windir%\lsass.exe
<system folder>\<random string>.exe
<system folder>\<random string>\<random string>.cmd
<system folder>\moonlight.scr
<startup folder>\adodb.cmd
%USERPROFILE%\Templates\<random string>\<random string>.exe
%USERPROFILE%\Templates\<random string>\service.exe
%USERPROFILE%\Templates\<random string>\winlogon.exe
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP and Vista.
Note that smss.exe, lsass.exe, and winlogon.exe are also file names used by legitimate Windows files, and are usually located in the Windows system folder.
It also drops copies of itself into subfolders of the "My Documents" folder, using each folder's name as the file name, for example:
%USERPROFILE%\my documents\My Music\My Music.exe
%USERPROFILE%\my documents\My Pictures\My Pictures.exe
%USERPROFILE%\my documents\My Received Files\My Received Files.exe
Worm:Win32/Lightmoon.G modifies the system registry so that it automatically runs every time Windows starts:
Adds value: "<random string>"
With data: "<system folder>\<random string>.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "<random string>"
With data: "%windir%\<random string>.exe"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It modifies the following registry entries to enable automatic execution when a user logs on, even in Safe Mode.
Modifies value: "Shell"
With data: "explorer.exe, "%USERPROFILE%\Templates\<random string>\<random string>.exe""
Old data: "explorer.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "AlternateShell"
With data: "<random string>.exe"
Old data: "cmd.exe"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
It also creates the following registry entries as part of its installation routine:
Adds value: "me"
With data: "4"
To subkey: HKCU\Software\VB and VBA Program Settings\titta\version
Adds value: "me"
With data: "4"
To subkey: HKCU\Software\VB and VBA Program Settings\untukmu2\version
It also drops the following component files:
<system folder>\crtsys.dll - a log file
%windir%\MoonLight.txt - a text file
Spreads Via...
Mass mailing
Worm:Win32/Lightmoon.G spreads by sending a copy of itself, attached to an email, to addresses found on the infected computer.
It harvests email addresses from files on the system that have the following extensions:
asp
asp
eml
htm
html
js
php
pl
rtf
spx
txt
It avoids sending copies to email addresses that contain the following strings:
Syman
Trend
avira
mcafee
norman
norton
novell
panda
security
sophos
vaksin
virus
Lightmoon.G then searches for the Default Mail Account, SMTP server, and SMTP email address by querying the following registry keys:
HKCU\Software\Microsoft\Internet Account Manager
HKLM\Software\Microsoft\Internet Account Manager\Accounts
It uses its own SMTP engine to spread via email. It constructs the SMTP servers it tries by prepending each of the following strings to the domain of a harvested email address:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns1.
ns1.
relay.
smtp.
Email Construction
The email sent out by Worm:Win32/Lightmoon.G has the following details:
From field (any of the following):
Agnes
Ami
Anata
Cicilia
Claudia
CoolMan
Davis
Emily
Fransisca
Fransiska
Fria
HellSpawn
Hilda
Ida
Joe
Julia
JuwitaNingrum
Lanelitta
Lia
Linda
Nadine
Nana
Natalia
Riri
Rita
SaZZA
Susi
Titta
Titta
Valentina
Vivi
dmin
sasuke
sisilia
Subject field (any of the following):
Agnes Monica pic's
Cek This
F<removed>cking With Me :D
Hot ...
Japannes Porn
hello
hey Indonesian porn
hi
miss Indonesian
please read again what i have written to you
xxx
Email body (any of the following):
Aku Mencari Wanita yang aku Cintai
NB:Mohon di teruskan kesahabat anda
aku mahasiswa BSI Margonda smt 4
dan cara menggunakan email mass
di lampiran ini terdapat curriculum vittae dan foto saya
foto dan data Wanita tsb Thank's
ini adalah cara terakhirku ,di lampiran ini terdapat
oh ya aku tahu anda dr milis ilmu komputer
yah aku sedang membutuhkan pekerjaan
Attachment file name (any of the following):
Doc.gz
Miyabi.zip
file.bz2
nadine.ace
need you.jar
thisfile.gz
video.bz2
P2P propagation
Lightmoon.G also attempts to spread via peer-to-peer applications by dropping copies of itself to folders containing the following strings:
download
shared
upload
The dropped copies of the worm may use any of the following file names:
Data<user name>.exe
Foto<user name>.exe
<user name>Porn.exe
New Folder(2).exe
New Folder.exe
It also uses the folder names found in that directory as file names for its dropped copies.
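The file-name patterns described in the Installation section (Windows binary names such as smss.exe or winlogon.exe outside the system folder, copies named after their own "My Documents" subfolder) and in this P2P section (Data<user name>.exe, Foto<user name>.exe, <user name>Porn.exe, New Folder.exe) can be turned into a simple triage check over a list of file paths. The Python below is an added example, not part of this entry or of any Microsoft tool; the paths it scans are constructed, and the account name "bob" and the C:\Windows\System32 default for the system folder are assumptions.

```python
import ntpath

# File names the worm reuses that also belong to legitimate Windows binaries;
# the genuine ones live in the system folder (see the note in Installation).
SYSTEM_NAMES = {"smss.exe", "lsass.exe", "winlogon.exe"}
EXEC_EXT = {".exe", ".com", ".cmd", ".scr"}

def drop_reason(path, system_dir=r"C:\Windows\System32", user="bob"):
    """Return why `path` matches a Lightmoon drop pattern from this entry, or None.
    `user` is the account name used in the Data<user>/Foto<user>/<user>Porn names."""
    folder, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    low, ulow = name.lower(), user.lower()
    if ext.lower() not in EXEC_EXT:
        return None
    if low in SYSTEM_NAMES and folder.lower() != system_dir.lower():
        return "Windows binary name outside the system folder"
    if stem.lower() == ntpath.basename(folder).lower():
        return "executable named after its own parent folder"
    if low in {f"data{ulow}.exe", f"foto{ulow}.exe", f"{ulow}porn.exe"}:
        return "P2P bait name built from the user name"
    if stem.lower().startswith("new folder"):
        return "executable posing as a new folder"
    return None

def scan(paths, **kw):
    """Pair each path with its reason; paths matching no pattern are skipped."""
    out = []
    for p in paths:
        reason = drop_reason(p, **kw)
        if reason:
            out.append((p, reason))
    return out

# Constructed paths for the demo; the first three are normal and must not be flagged.
SAMPLE_PATHS = [
    r"C:\Windows\System32\smss.exe",
    r"C:\Windows\System32\winlogon.exe",
    r"C:\Users\bob\Documents\My Music\song.mp3",
    r"C:\Windows\lsass.exe",
    r"C:\Users\bob\Templates\qxv\winlogon.exe",
    r"C:\Users\bob\Documents\My Music\My Music.exe",
    r"C:\Shared\Fotobob.exe",
    r"C:\Shared\New Folder(2).exe",
]
```

A real sweep would feed `scan()` the output of a directory walk over %windir%, the system folder, the user profile and any share/download folders.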
Payload
Modifies System Settings
Worm:Win32/Lightmoon.G modifies the following registry entries:
Adds value: "DisableRegistryTools"
With data: "dword:00000001"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Adds value: "debugger"
With data: "%windir%\notepad.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
Adds value: "debugger"
With data: "%windir%\notepad.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
Adds value: "Hidden"
With data: "dword:00000000"
Adds value: "HideFileExt"
With data: "dword:00000000"
Adds value: "ShowSuperHidden"
With data: "dword:00000000"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Adds value: "UncheckedValue"
With data: "dword:00000000"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Adds value: "FullPath"
With data: "dword:00000001"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
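The registry changes listed under Installation (the Winlogon Shell and SafeBoot AlternateShell modifications and the "VB and VBA Program Settings" marker keys) and under Payload above (the Image File Execution Options debugger entries and DisableRegistryTools) can be checked offline against a `reg export` file. The Python script below is an added example, not part of this entry or of any Microsoft tool; the export it parses is constructed, and the names kqzx\wplm.exe stand in for the worm's <random string> values.

```python
import re
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data lines of a .reg file
# Constructed sample in "reg export" text form (not a real capture) mirroring this entry.
SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, \"C:\\Documents and Settings\\bob\\Templates\\kqzx\\wplm.exe\""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="wplm.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"debugger"="C:\\WINDOWS\\notepad.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\VB and VBA Program Settings\titta\version]
"me"="4"
'''

def parse_reg(text):  # (key, name) -> data, lower-cased; REG_SZ unescaped, REG_DWORD as int
    entries, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])   # undo \\ and \" escapes
            entries[(key, name)] = data
    return entries

NT = r"hkey_local_machine\software\microsoft\windows nt\currentversion"
WINLOGON, IFEO = NT + r"\winlogon", NT + r"\image file execution options"
SAFEBOOT = r"hkey_local_machine\system\currentcontrolset\control\safeboot"
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"
VBSETTINGS = r"hkey_current_user\software\vb and vba program settings"

def find_indicators(entries):  # the persistence and lockdown changes this entry describes
    hits = []
    for key, name, default in ((WINLOGON, "shell", "explorer.exe"), (SAFEBOOT, "alternateshell", "cmd.exe")):
        val = str(entries.get((key, name), default))
        if val.strip().lower() != default:           # normal or Safe Mode shell replaced
            hits.append(f"{name} altered: {val}")
    for tool in ("regedit.exe", "msconfig.exe"):      # admin tools redirected via IFEO
        if (IFEO + "\\" + tool, "debugger") in entries:
            hits.append("IFEO debugger set for " + tool)
    if entries.get((POLICY, "disableregistrytools")) == 1:
        hits.append("DisableRegistryTools enabled")
    for marker in ("titta", "untukmu2"):              # installation marker keys
        if (VBSETTINGS + "\\" + marker + r"\version", "me") in entries:
            hits.append("infection marker present: " + marker)
    return hits
```

On a suspect machine the input would come from `reg export HKLM hklm.reg` and `reg export HKCU hkcu.reg` (run from a clean shell, since the worm redirects regedit.exe through the IFEO entry), with the two files concatenated before parsing.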
Prevents files from running
Worm:Win32/Lightmoon.G deletes certain autostart entries if they contain any of the following strings:
ADie suka kamu
AllMyBallance
Alumni Smansa
AutoSupervisor
BabelPath
Bron-Spizaetus-cfirltrx
Bron-Spizaetus
Bron-Spizaetus-cgglmmrv
CueX44_stil_here
Device
DllHost
MSMSG
MSMSG
MomentEverComes
Pluto
Putri_Bangka
Putri_Indonesia
SMAN1_Pangkalpinang
SMA_nya_Artika
SaTRio ADie X
SysDiaz
SysRia
SysYuni
Task
Tok-Cirrhatus
Tok-Cirrhatus-1101
TryingToSpeak
ViriSetup
WinUpdateSupervisor
Winamp
Word
YourUnintended
YourUnintendes
dago
dkernel
drv_st_key
lexplorer
norman zanda
norman_zanda
service
templog
winfix
Some of these strings are related to the autostart entries of members of the Brontok family of malware.
Deletes certain files
Worm:Win32/Lightmoon.G deletes files in the Windows folder whose names match any of the following patterns:
CintaButa*
FirstLove.exe*
KesenjanganSosial.exe
MyHeart.exe
ShellNew\*.exe
eksplorasi*
Logs keystrokes
Lightmoon.G monitors keystrokes entered by the user. It then sends the logged data to a remote site. System information such as drive, folder and file names can also be sent to the remote attacker.
Conducts denial of service (DoS) attacks
Lightmoon.G may perform denial of service attacks against any of the following websites:
www.vaksin.com
www.bsi.ac.id
www.bp.com
Downloads arbitrary files
Lightmoon.G attempts to download additional files from the Web page "<removed>hell<removed>/testms.php". It may also download the following files from another remote site:
update4.txt
zipfile2.txt
payload.txt
Additional Information
The dropped file "MoonLight.txt" contains the following strings:
:: I-Worm.MoonLight.J ::
Indonesian VM Society
Created By HellsPawn a.K.a B4bb1Cool
Can't You Handle It
Don't Panic , all of data are safe
Lightmoon.G also checks for an Internet connection by connecting to google.com.
Analysis by Elda Dimakiling