Discovered: July 1, 2003
Updated: February 13, 2007 12:03:17 PM
Also Known As: I-Worm.Mapson.c [KAV], Win32.Mapson.C [CA], W32/Mapson.gen@MM [McAfee]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
When W32.Mapson.C.Worm runs, it does the following:
- Copies itself to the %System% folder as the following files:
analysis_mzn6.pif
animation-simpsons.scr
Cards_love.pif
counsels.pif
documents.scr
friends.pif
hoax-list.com
IEXPLORER_STACK.pif
Ivalue-much.pif
jokess.scr
Lorena.exe
love-forever.pif
my_best_friend.pif
NSPCLEAN.exe
OsamaBinLadenJokes.scr
Photookosmike.scr
reality_dreams.pif
real_love.scr
sexual_steps.pif
steps.pif
NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
- Copies itself as C:\Mark.vxd.
- Adds the value:
"LOAD32"="%System%\Lorena.exe"
to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the worm runs each time you start Windows.
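The three persistence artifacts listed above (the dropped copies in %System%, C:\Mark.vxd and the LOAD32 value under the Run key) are what a responder checks first. The following is an added example, not a Symantec tool or the worm's own code: it matches a directory listing against the dropped-file names, parses the text of a `reg export` dump for the LOAD32 value, and builds a constructed infected layout in a temporary directory to exercise itself. The temporary paths and the sample .reg text are constructed for the example.

```python
import os
import re
import tempfile

# Filenames the writeup attributes to the worm's copies in %System%.
# Windows filenames are case-insensitive, so everything is compared lower-cased.
DROPPED_SYSTEM_FILES = {
    "analysis_mzn6.pif", "animation-simpsons.scr", "cards_love.pif", "counsels.pif",
    "documents.scr", "friends.pif", "hoax-list.com", "iexplorer_stack.pif",
    "ivalue-much.pif", "jokess.scr", "lorena.exe", "love-forever.pif",
    "my_best_friend.pif", "nspclean.exe", "osamabinladenjokes.scr",
    "photookosmike.scr", "reality_dreams.pif", "real_love.scr",
    "sexual_steps.pif", "steps.pif",
}
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "LOAD32"
ROOT_DROP = "Mark.vxd"          # dropped as C:\Mark.vxd


def scan_system_dir(system_dir):
    """Return the known worm filenames present in the given %System% directory."""
    found = [n for n in os.listdir(system_dir) if n.lower() in DROPPED_SYSTEM_FILES]
    return sorted(found)


def scan_reg_export(reg_text):
    """Parse the text of a .reg export and return the data of the LOAD32 value
    under HKLM\\...\\Run, or None if that value is absent.
    .reg files double every backslash inside string data, so undo that."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key and current_key.lower() == RUN_KEY.lower():
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m and m.group(1).upper() == RUN_VALUE:
                return m.group(2).replace("\\\\", "\\")
    return None


def assess(system_dir, drive_root, reg_text):
    """Combine the three checks into one verdict dictionary."""
    files = scan_system_dir(system_dir)
    load32 = scan_reg_export(reg_text)
    mark_vxd = os.path.exists(os.path.join(drive_root, ROOT_DROP))
    persistence = load32 is not None and load32.lower().endswith("\\lorena.exe")
    return {
        "dropped_files": files,
        "load32": load32,
        "mark_vxd": mark_vxd,
        "infected": bool(files) or persistence or mark_vxd,
    }


def demo():
    """Constructed infected layout: a fake %System% with two worm copies and one
    legitimate file, a fake C:\\Mark.vxd, and a fake reg export (all assumptions)."""
    root = tempfile.mkdtemp()
    system_dir = os.path.join(root, "System32")
    os.mkdir(system_dir)
    for name in ("Lorena.exe", "NSPCLEAN.exe", "kernel32.dll"):
        open(os.path.join(system_dir, name), "wb").close()
    open(os.path.join(root, ROOT_DROP), "wb").close()
    reg_text = (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
        '"LOAD32"="C:\\\\WINDOWS\\\\System32\\\\Lorena.exe"\r\n'
    )
    return assess(system_dir, root, reg_text)


if __name__ == "__main__":
    print(demo())
```

On a live Windows host the same registry check is `winreg.QueryValueEx(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"Software\Microsoft\Windows\CurrentVersion\Run"), "LOAD32")`; working from an export taken offline is preferable here because the worm kills Regedit, regedt32 and taskmgr on the infected machine. Filename matching is only a first pass: confirm a hit with a hash or an AV scan before acting on it.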
- Terminates the following processes:
_AVP32.exe
_AVPCC.exe
_AVPM.exe
ADVXDWIN.exe
AGENTW.EXE
ALERTSVC.exe
ALOGSERV.exe
AMON9X.exe
ANTI-TROJAN.exe
ANTS.exe
APVXDWIN.exe
ATCON.exe
ATUPDATER.exe
ATWATCH.exe
AUTODOWN.exe
AVCONSOL.exe
AVGCC32.exe
AVGCTRL.exe
AVGSERV.exe
AVGSERV9.exe
AVGW.exe
AVKPOP.exe
AVKSERV.exe
AVKSERVICE.exe
AVKWCTL9
AVP32.exe
AVPCC.exe
AVPM.exe
AVSCHED32.exe
AVSYNMGR.exe
PAV.EXE
AVWINNT.EXE
AVXMONITOR9X.exe
AVXMONITORNT.exe
AVXQUAR.exe
AVXW.exe
BLACKD.exe
BLACKICE.exe
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
ETRUSTCIPE.EXE
EVPN.EXE
EXPERT.exe
F-AGNT95.exe
FAMEH32.exe
F-PROT.exe
F-PROT95.exe
FP-WIN.exe
FRW ERV.exe
IOMON98.exe
NAV AUTO-PROTECT.exe
NAVAP.EXE
NAVAPSVC.EXE
Navapw32.exe
NAVENG
NAVEX15.EXE
NAVLU32.EXE
NAVW32.EXE
NAVWNT.EXE
NDD32.EXE
NPSSVC.EXE
NSCHED32.EXE
PCCIOMON.EXE
PCCNTMON.EXE
PCCWIN97.EXE
PCCWIN98.EXE
PCSCAN.EXE
PERSFW.EXE
PERSWF.EXE
POP3TRAP.EXE
RAV7.EXE
VPC32.EXE
VPTRAY.EXE
VSCHED.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
ZONEALARM.EXE
ICLOAD95.EXE
ICMON.EXE
ICSUPP95.EXE
ICLOADNT.EXE
ICSUPPNT.EXE
IFACE.EXE
Regedit.EXE
Regedit.com
msconfig.EXE
sfc.EXE
sysedit.EXE
regedt32.EXE
NSPCLEAN.exe
taskmgr.exe
- Attempts to copy itself to the following folders:
C:\Program Files\KaZaA\My shared Folder
C:\Program Files\KaZaA Lite\my shared folders
C:\Program Files\edonkey2000\incoming
C:\Program Files\Gnucleus\downloads
C:\Program Files\ICQ\shared files
C:\Program Files\Limewire\shared
C:\Program Files\Morpheus\my shared folder
C:\Program Files\Grokster\My Grokster
as:
Ad-aware .exe
AOL Instant Messenger (AIM).exe
Avril Lavigne Fucked Bitch.exe
Biromsoft WebCam .exe
Copernic Agent .exe
Delphi 6 Serial.exe
Diet Kaza .exe
DirectDVD .exe
Download Accelerator Plus.exe
Global DiVX Player .exe
Grokster.exe
ICQ Lite .exe
ICQ Pro 2003a beta .exe
iMesh .exe
Kaspersky Antivirus Crack.exe
Kazaa 2.05 beta .exe
Kazaa Download Accelerator .exe
Kazaa Media Desktop .exe
Mcafee Serial.exe
Microsoft Internet Explorer .exe
Microsoft Office XP Serial.exe
Microsoft Windows 2003 Serial.txt .exe
Microsoft Windows Media Player .exe
Morpheus .exe
Msn Hack.exe
Nero Burning ROM .exe
Network Cable e ADSL Speed .exe
NOD32 Antivirus Crack.exe
Norton Antivirus Crack.exe
Office 2003 Serial.exe
PerAntivirus Crack.exe
Pop-Up Stopper .exe
QuickTime .exe
Registry Mechanic.exe
Shakira Sucks.jpg.exe
SnagIt .exe
Sofía Vergara Sexy Bikini.exe
Spybot - Search & Destroy .exe
StarCraft No CD Crack.exe
Trillian .exe
Visual Studio Net Serial.exe
Winamp.exe
WinMX .exe
WinZip.exe
WS_FTP LE (32-bit) .exe
XoloX Ultra .exe
ZoneAlarm Full Version.exe
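Several of the share-folder names above rely on naming tricks rather than on any exploit: a space before ".exe" ("Diet Kaza .exe"), a decoy inner extension ("Shakira Sucks.jpg.exe", "... Serial.txt .exe"), and crack/serial bait attached to a well-known product. The following is an added example, not the worm's code or a Symantec tool, that scores share-folder filenames on exactly those tells. The decoy-extension and lure-word lists are assumptions chosen from the names on this page; the sample share contents are constructed.

```python
import re

# File types Windows runs on double-click; the worm's P2P copies all use .exe.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs"}

# Inner "document" extensions a lure name uses to look harmless (assumed list).
DECOY_EXTS = r"jpg|jpeg|gif|txt|doc|pdf|mp3|avi"

# Bait words drawn from the writeup's share-folder names (assumed list).
LURE_WORDS = ("crack", "serial", "hack", "no cd", "full version")


def classify_name(filename):
    """Return the reasons a shared file's name looks like a P2P lure.
    An empty list means the name alone gives no grounds for suspicion."""
    stem, sep, ext = filename.lower().rpartition(".")
    if not sep or ext.strip() not in EXECUTABLE_EXTS:
        return []                       # not directly executable by name
    reasons = []
    # "Diet Kaza .exe": a space before the extension pushes the tell-tale
    # ".exe" out of a narrow filename column or a truncated display.
    if stem.endswith(" "):
        reasons.append("space before extension")
    # "Shakira Sucks.jpg.exe", "... Serial.txt .exe": a decoy inner extension.
    inner = re.search(r"\.(" + DECOY_EXTS + r")\s*$", stem)
    if inner:
        reasons.append("double extension ." + inner.group(1))
    # "Kaspersky Antivirus Crack.exe": product name plus crack/serial bait.
    for word in LURE_WORDS:
        if word in stem:
            reasons.append("lure word '" + word + "'")
            break
    return reasons


def scan_share(filenames):
    """Map each suspicious name to its reasons; unremarkable names are omitted."""
    flagged = {}
    for name in filenames:
        why = classify_name(name)
        if why:
            flagged[name] = why
    return flagged


# Constructed sample share: three names from the writeup plus two benign ones.
SAMPLE_SHARE = [
    "Microsoft Windows 2003 Serial.txt .exe",
    "Shakira Sucks.jpg.exe",
    "Diet Kaza .exe",
    "holiday_photos.jpg",
    "setup.exe",
]

if __name__ == "__main__":
    for name, why in scan_share(SAMPLE_SHARE).items():
        print(name, "->", "; ".join(why))
```

A plain "setup.exe" is deliberately not flagged: executables in a share are normal, deceptive names are not. Names such as "Avril Lavigne Fucked Bitch.exe" carry none of these tells, so pair this with a content check (MZ header in a file that claims to be a picture, hash matching) rather than relying on the name alone.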
- Attempts to send itself to all the email addresses it finds in the MSN Messenger contact list. The Subject line, message body, and attachment name vary, and the From field may be spoofed.
Examples of the messages (subjects are reproduced as sent, in Spanish, with an English rendering in parentheses; message bodies are translated from Spanish):
From: antivirus@nod32.com
Subject: Alerta por Virus W32/Mapson (Virus alert: W32/Mapson)
Message: In recent days a new virus called Mapson has been detected, and several people have already been found infected with this worm. If you are infected you can remove it with the free tool we have sent you, a vaccine designed especially for Hotmail users. If you agree, click on the attachment to start the scan and remove this despicable worm from your machine. Thank you.
Attachment: NSPCLEAN.exe
Subject: Re:Reenviamelo de nuevo (Re: Send it to me again)
Message: If you liked it, send it back to me.
Attachment: bromas.scr
Subject: Re:Quitan cuentas de hotmail. (Re: They are removing Hotmail accounts.)
Message: It seems Hotmail is saturated with users and they are threatening to remove accounts, but this can be avoided by following a few steps. Read them and you will have no problems. Bye.
Attachment: pasos.pif
Subject: Problema de seguridad en Internet Explorer (Security problem in Internet Explorer)
Message: A security problem has been detected in Internet Explorer. Applying the corresponding patches is recommended, since this vulnerability can allow arbitrary code execution on the affected machine. To learn more about this vulnerability please read the document and so prevent attack by a computer virus.
Attachment: IEXPLORERSTACK.pif
Subject: Re: Léelo y reenvíalo a quienes más amas. (Re: Read it and forward it to those you love most.)
Message: If the document expresses what you feel toward another person, forward it to your friends and a dream will come true.
Attachment: amor_real.pif
Subject: Si no te late.... (If you don't like it....)
Message: If you don't like it, send it back to me.
Attachment: fotokosmiko.scr
Subject: Lista de Hoaxes (List of hoaxes)
Message: I'm sending you a list of hoaxes, fake viruses, so that you are forewarned and don't fall for the lies. Bye, take care.
Attachment: hoax-list.com
Subject: Para mis amigos (For my friends)
Message: The best jokes I have, enjoy them.
Attachment: OsamaBinLadenJokes.scr
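Every lure above delivers the worm as a .exe, .pif, .scr or .com attachment, and the first one forges a vendor address in From. Both tells are visible to the receiving mail server, which is where the Recommendations below suggest blocking such attachments. The following is an added example, not Symantec's or the worm's code: it parses a message with Python's standard email library, quarantines it when an attachment has a blocked extension, and warns when the From domain differs from the envelope sender recorded in Return-Path. The two sample messages, including the Return-Path values, are constructed for the example.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Attachment types to block at the mail server (the page's recommendation plus
# the .com extension this worm also uses).
BLOCKED_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs"}


def attachment_names(msg):
    """Filenames of all non-multipart parts that declare a filename."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname = part.get_filename()
        if fname:
            names.append(fname)
    return names


def domain_of(header_value):
    """Lower-cased domain of the first address in a header, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def evaluate(raw_message):
    """Return (action, reasons); action is 'deliver' or 'quarantine'."""
    msg = message_from_string(raw_message)
    reasons = []
    for fname in attachment_names(msg):
        ext = fname.lower().rpartition(".")[2].strip()   # strip() defeats "name .exe"
        if ext in BLOCKED_EXTS:
            reasons.append("blocked attachment type: " + fname)
    # The visible From: is free text. Compare it with the envelope sender the
    # receiving MTA recorded in Return-Path to surface the spoofing described
    # in the writeup. A mismatch alone is a warning, not a block: mailing lists
    # and forwarders legitimately produce it.
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    if from_dom and envelope_dom and from_dom != envelope_dom:
        reasons.append("From domain %s != envelope sender domain %s" % (from_dom, envelope_dom))
    action = "quarantine" if any(r.startswith("blocked") for r in reasons) else "deliver"
    return action, reasons


def build_lure():
    """Constructed message modelled on the worm's NSPCLEAN.exe lure. The
    Return-Path is an assumption standing in for the real infected sender."""
    msg = EmailMessage()
    msg["Return-Path"] = "<infected-user@hotmail.com>"
    msg["From"] = "antivirus@nod32.com"
    msg["To"] = "victim@hotmail.com"
    msg["Subject"] = "Alerta por Virus W32/Mapson"
    msg.set_content("Click the attached tool to remove the Mapson worm.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="NSPCLEAN.exe")
    return msg.as_string()


def build_benign():
    """Constructed ordinary message with a PDF attachment for comparison."""
    msg = EmailMessage()
    msg["Return-Path"] = "<alice@example.org>"
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Q3 report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_string()


if __name__ == "__main__":
    print(evaluate(build_lure()))
    print(evaluate(build_benign()))
```

The extension check is deliberately on the declared filename, not the MIME type: the worm's attachments are sent as opaque binaries, and a filter keyed on application/octet-stream would both miss renamed types and block legitimate binaries. In production this logic sits in a milter or content filter; the point of the example is the two signals, not the plumbing.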
- If the current system date is the 4th of any month, the worm will create C:\lorraine.c.hta and download a .html file from the Web site http://www.gratisweb.com.
- If the current system month is October, the worm will display messages that have the following characteristics:
Title: W32/Lorraine.c [GEDZAC LABS 2003]
Message: Bi0C0ded by Falckon/GEDZA
Title: W32/Lorraine.c [GEDZAC LABS 2003]
Message: Lorraine ReC0deD and Reloaded :P
Recommendations
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
- Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; removing them leaves threats fewer avenues of attack.
- If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
- If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
- For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Yana Liu