Worm:Win32/Lightmoon.H is a mass-mailing worm that spreads via e-mail and peer-to-peer (P2P) applications. The worm also disables the execution of Windows system tools, logs keystrokes and attempts to download updates from a user directory on the Internet domain "geocities.com".
Installation
When run, the worm copies itself to the following locations on the local computer:
- %windir%\sa-754277.exe
- %windir%\Ti534862ta.exe
- %windir%\system32\116276534862l.exe
- %windir%\system32\X50234go\Z116276cie.cmd
- %windir%\Downloaded Program Files\Lagu - Server < many spaces > .scr
- %windir%\ime\shared\Gallery < many spaces > .scr
- %windir%\M46040\EmangEloh.exe
- %windir%\M46040\Ja845720bLay.com
- %windir%\M46040\smss.exe
- %windir%\pchealth\UploadLB\Lagu - Server < many spaces > .scr
- %windir%\SoftwareDistribution\Download\TutoriaL HAcking < many spaces > .exe
- %USERPROFILE%\Templates\O53635Z\service.exe
- %USERPROFILE%\Templates\O53635Z\TuxO53635Z.exe
- %USERPROFILE%\Templates\O53635Z\winlogon.exe
- %ProgramFiles%\Movie Maker\Shared\TutoriaL HAcking < many spaces > .exe
- %USERPROFILE%\Start Menu\Programs\Startup\sql.cmd
- %ProgramFiles%\Common Files\Microsoft Shared\Titip Folder Jangan DiHapus < many spaces > .exe
The worm may also copy itself to directories belonging to third-party applications or to a subfolder of C:\MSOCache, for example:
- c:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\RaHasIA < many spaces > .exe
Worm:Win32/Lightmoon.H modifies the registry in multiple locations to run the dropped worm copies at each Windows start, even in a Windows Safe Mode startup session.
Modifies value: "AlternateShell"
From data: "cmd.exe"
To data: "116276534862l.exe"
In subkey: HKLM\SYSTEM\ControlSet001\Control\SafeBoot
Modifies value: "AlternateShell"
From data: "cmd.exe"
To data: "116276534862l.exe"
In subkey: HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
Sets value: "AlternateShell"
With data: "116276534862l.exe"
In subkey: HKLM\SYSTEM\ControlSet002\Control\SafeBoot
Adds value: "T1460277TT4"
With data: "%windir%\system32\116276534862l.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "T35Z162"
With data: "%windir%\sa-754277.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Modifies value: "Shell"
From data: "Explorer.exe"
To data: "explorer.exe, "%USERPROFILE%\Templates\O53635Z\TuxO53635Z.exe""
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Modifies value: "Userinit"
From data: "%windir%\system32\userinit.exe,"
To data: "%windir%\system32\userinit.exe , "%windir%\M46040\Ja845720bLay.com""
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Spreads Via...
Mass mailing
Worm:Win32/Lightmoon.H spreads by sending a copy of itself as an e-mail attachment to addresses harvested from the infected computer.
It searches for email addresses from files in the system that have the following extensions:
asp
eml
htm
html
js
php
pl
rtf
spx
txt
It avoids sending copies to e-mail addresses that contain any of the following strings, which are associated with the Internet domain names of computer security companies:
norman
norton
panda
mcafee
syman
sophos
trend
vaksin
novell
Worm:Win32/Lightmoon.H then searches for the Default Mail Account, SMTP server, and SMTP email address by querying the following registry keys:
HKCU\Software\Microsoft\Internet Account Manager
HKLM\Software\Microsoft\Internet Account Manager\Accounts
The worm may also use stored credentials for other e-mail services offered by Friendster, Yahoo!, Gmail and Hotmail. It uses its own SMTP engine to spread via e-mail. It builds candidate SMTP server names by appending the domain of each harvested e-mail address to the following prefixes:
gate.
mail.
mail1.
mx.
mx1.
mxs.
ns1.
relay.
smtp.
The email sent out by Worm:Win32/Lightmoon.H has the following details:
- Subject field (any of the following):
Tolong Aku..
Tolong
hi please see this file
hey Indonesian porn Tiara lestari pic's
free screen saver romance for you
please read again what i have written to you
thank's for you register
your acount details are attached
Registration Confirmation
Cek This
hello
RE:bla bla bla
RE:HeLLO GuYs
- Attachment file name (any of the following):
curriculum vittae.zip
USE_RAR_To_Extract.ace
ZIPPED.zip
FILEATTACH.bz2
Doc.gz
file.bz2
thisfile.gz
TITTA'S Picture.jar
P2P propagation
Worm:Win32/Lightmoon.H attempts to spread via peer-to-peer applications by dropping copies of itself to folders containing the following strings:
download
share
upload
The dropped copies may use any of the following file names:
TutoriaL HAcking < many spaces > .exe
Lagu - Server < many spaces > .scr
Data DosenKu < many spaces > .exe
Titip Folder Jangan DiHapus < many spaces > .exe
Love Song < many spaces > .scr
New mp3 BaraT !! < many spaces > .exe
THe Best Ungu < many spaces > .scr
Blink 182 < many spaces > .exe
Norman virus Control 5.18 < many spaces > .exe
Windows Vista setup < many spaces > .scr
Gallery < many spaces > .scr
RaHasIA < many spaces > .exe
It also uses the names of folders found in those directories as file names for its dropped copies.
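The dropped copies all hide their real extension behind a long run of spaces, so a file listing with a narrow name column shows only "Love Song" or "Gallery". The following PowerShell script is an added example, not part of the original analysis: it walks a set of roots and reports files whose names match that padding pattern, noting whether they sit in a download/share/upload folder. The roots, the extension list and the five-space threshold are assumptions to tune for your environment.

```powershell
# Added example, not part of the original analysis. Lists files whose names
# hide the real extension behind a run of spaces, the naming pattern of the
# worm's dropped P2P copies ("Love Song < many spaces > .scr").
function Find-PaddedExtensionFiles {
    param(
        [string[]] $Roots,
        [int] $MinSpaces = 5   # assumed threshold: legitimate names rarely pad this much
    )
    # Base name, then at least $MinSpaces spaces, then an executable extension.
    $pattern = "^(?<base>.+?)(?<pad> {$MinSpaces,})\.(?<ext>exe|scr|com|cmd|pif|bat)$"
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.Name -match $pattern) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        ShownName = $Matches.base          # what a narrow listing displays
                        RealExt   = $Matches.ext
                        PadSpaces = $Matches.pad.Length
                        # The worm targets folders whose names contain download/share/upload.
                        InP2PDir  = ($_.DirectoryName -match 'download|share|upload')
                        SizeBytes = $_.Length
                        Modified  = $_.LastWriteTime
                    }
                }
            }
    }
}

# Usage: scan the drop locations named in the analysis plus the user's profile.
Find-PaddedExtensionFiles -Roots @("$env:windir", "$env:ProgramFiles", "$env:USERPROFILE") |
    Sort-Object PadSpaces -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so that %windir% and %ProgramFiles% are fully readable; hits should be treated as leads for a file-hash check, not as a verdict.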
Payload
Disables system utilities
Worm:Win32/Lightmoon.H modifies registry data to disable the Windows system utilities "MSCONFIG.EXE" and "REGEDIT.EXE" so that attempts to execute either will instead run the Windows application "NOTEPAD.EXE".
Adds key: "msconfig.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Adds value: "debugger"
With data: "notepad.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
Adds key: "regedit.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Adds value: "debugger"
With data: "notepad.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe
The worm also disables the use of system registry tools by adding the following registry entry:
Adds value: "DisableRegistryTools"
With data: "dword:00000001"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
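The persistence entries in the Installation section (SafeBoot AlternateShell, the Run keys, Winlogon Shell and Userinit) and the tool-disabling entries above (Image File Execution Options "debugger" values and DisableRegistryTools) can all be read back and compared with their stock contents. The following PowerShell script is an added example, not part of the original analysis; the expected values are the Windows defaults the analysis names (cmd.exe, Explorer.exe, userinit.exe), and the known drop paths come from the file list above. A Debugger value under IFEO can also be set legitimately by developers, so treat the output as triage, not a verdict.

```powershell
# Added example, not part of the original analysis. Reports registry data at the
# locations the analysis lists that deviates from stock Windows content.
function Get-LightmoonRegistryFindings {
    $findings = @()
    $expected = @(
        @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'; Name = 'AlternateShell'; Ok = '^cmd\.exe$' },
        @{ Key = 'HKLM:\SYSTEM\ControlSet001\Control\SafeBoot';     Name = 'AlternateShell'; Ok = '^cmd\.exe$' },
        @{ Key = 'HKLM:\SYSTEM\ControlSet002\Control\SafeBoot';     Name = 'AlternateShell'; Ok = '^cmd\.exe$' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Ok = '^explorer\.exe$' },
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Ok = '^[^,]*\\userinit\.exe,?$' },
        @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Ok = '^0$' }
    )
    foreach ($e in $expected) {
        $item = Get-ItemProperty -Path $e.Key -ErrorAction SilentlyContinue
        $val  = if ($item) { $item.($e.Name) } else { $null }     # absent value = nothing to flag
        if ($null -ne $val -and ("$val".Trim() -notmatch $e.Ok)) {
            $findings += [pscustomobject]@{ Location = "$($e.Key)\$($e.Name)"; Data = "$val"; Reason = 'unexpected data' }
        }
    }
    # Image File Execution Options: a Debugger value silently redirects the named tool.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($tool in 'msconfig.exe', 'regedit.exe') {
        $dbg = (Get-ItemProperty -Path "$ifeo\$tool" -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{ Location = "$ifeo\$tool\Debugger"; Data = $dbg; Reason = 'tool redirected' }
        }
    }
    # Run keys: flag entries pointing into the drop directories named in the analysis.
    $dropPaths = '\\system32\\X50234go\\|\\M46040\\|\\Templates\\O53635Z\\|\\sa-754277\.exe|\\116276534862l\.exe'
    foreach ($run in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            if ("$($p.Value)" -match $dropPaths) {
                $findings += [pscustomobject]@{ Location = "$run\$($p.Name)"; Data = "$($p.Value)"; Reason = 'known drop path' }
            }
        }
    }
    return $findings
}

Get-LightmoonRegistryFindings | Format-Table -AutoSize
```

Because the worm sets DisableRegistryTools, run the script from a PowerShell prompt rather than through regedit; the .NET registry provider is not subject to that policy.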
Deletes registry data
The worm deletes registry keys that contain the following strings:
Tok-Cirrhatus
AllMyBallance
MomentEverComes
TryingToSpeak
YourUnintended
YourUnintendes
lexplorer
dkernel
Tok-Cirrhatus-1101
Bron-Spizaetus-cgglmmrv
Bron-Spizaetus
Bron-Spizaetus-cfirltrx
ADie suka kamu
SaTRio ADie X
Downloads updates
The worm attempts to download binary updates from a user directory in the Web domain "geocities.com".
Logs keystrokes
Worm:Win32/Lightmoon.H attempts to log keystrokes and then send them via HTTP POST to the Web domain "apasajalah.host.sk".
Additional Information
Worm:Win32/Lightmoon.H creates and stores data in the following registry keys:
HKLM\SOFTWARE\Microsoft\TUX
HKLM\SOFTWARE\Microsoft\TUX\biang
HKLM\SOFTWARE\Microsoft\TUX\Path
The worm also creates a short text file as "%windir%\MoonLight.txt". It contains the following declaration:
:: The NewMoonLight ::
Created by HeLLsPAwn A.K.A B4bb1cool
(c) 2006 Depok ~ Indonesia
Analysis by Jaime Wong