W32/Mapson-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: No Reports


W32/Mapson-A is an email and P2P worm. When run, the worm copies itself into the Windows system folder with the following filenames:

amigos.pif
amigototote.pif
amor-por-ti.pif
antiwinlogon.pif
antrox.scr
BigBrother.pif
bugmsn.pif
chistesgraficos.pif
chupamelo.pif
comotegustan.pif
CracksPPZ.pif
cristina-aguilera.pif
defaced-madonna-site.pif
eggbrother.exe
EICAX.COM
existeee.pif
financiamiento.pif
GEDZAC.PIF
grancarnal.exe
grande.pif
hackeahotmail.pif
historial.pif
hotmail.pif
kamasutra.pif
lacosha@hotmail.com
LatinCard.pif
linuxandmicrosoft.pif
Lorenaaaa.pif
Madonna_sEXY.pif
MariaVirgen.pif
Matrix-Trailer.pif
mujeres.pif
Musica.pif
No-Spam.exe
nuevovirus.txt .pif
Oradores.pif
osamabinhuevoback.exe
parejaideal.txt.pif
petardas.pif
porqueteamo.pif
projimo.pif
relacionsexual.pif
resetarios.pif
SARS.pif
seguridad_en_hotmail.pif
serhacker.pif
Shakira.pif
solo-a-ti.pif
Spamno.pif
teamo.exe
te-pido.scr
test-idiota.pif
testpasion.pif
thalialoca.pif
TutorialVBSvirus.pif
WindowsMediaPlayerBug.pif
www.mfernanda.com
www.vsantiviru.com
www.zonaviru.com
zorrotttas.pif

These filenames are also used as the email attachment filenames.

W32/Mapson-A collects email addresses from the MSN Messenger contact list and sends itself to these email addresses as an attachment. The attachment will have one of the filenames listed above.

The worm also copies itself into <Windows system folder>\Lorraine.exe and C:\Lorraine.vxd and sets the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lorraine = <Windows system folder>\Lorraine.exe

The worm displays the fake message "Error. Archivo Parcialmente Corrupto remplacelo por uno nuevo".

W32/Mapson-A copies itself into the following shared P2P folders:

\edonkey2000\incoming\
\gnucleus\downloads\
\icq\shared files\
\KaZaA\My Shared Folder\
\kazaa lite\my shared folders\
\limewire\shared\
\morpheus\my shared folder\
\Grokster\My Grokster\

The filename of the copied file is created as follows:
Filename format <string1> <string2>.gif          .exe
(e.g. Nude Pic Britney Spears.gif          .exe)

with <string1> taken from -
Desnuda en la playa
las pelotas de
Nude Pic
Sexo en la playa con
Sexy Beach
Sexy Bikini

and <string2> from -
Alejandra Guzman
Angelica Vale
Brenda
Britney Spears
Cameron dias
Celine Dion
Francini
Galilea Montijo
Halle berry
Kylie Minogue
Laura Pausini
Lili Brillanti
Lorena
Paulina Rubio
Pink
Shakira
Thalia

or <string3> <string4>.exe
(e.g. Kazaa Media Desktop KeyGen.exe)

where <string3> is taken from -
Ad-aware
Adobe Acrobat Reader (32-bit)
AOL Instant Messenger (AIM)
Biromsoft WebCam
Copernic Agent
Delphi 6
Diet Kaza
DirectDVD
DivX Video Bundle
Download Accelerator Plus
FireWorks 4
FIreWorks MX
Global DiVX Player
Grokster
ICQ Lite
ICQ Pro 2003a beta
iMesh
JetAudio Basic
Kaspersky Antivirus
Kazaa Download Accelerator
Kazaa Media Desktop
Matrix Movie
McAfee Antivirus
Microsoft Internet Explorer
Microsoft Office XP
Microsoft Windows Media Player
Microsoft Windows 2003
Morpheus
msn hack
MSN Messenger (Windows NT/2000)
Nero Burning ROM
NetPumper
Network Cable e ADSL Speed
Norton Antivirus
Office 2003
Panda Antivirus
PerAntivirus
Pop-Up Stopper
QuickTime
RealOne Free Player
Registry Mechanic
SnagIt
SolSuite 2003: Solitaire Card Games Suite
Spybot - Search & Destroy
Trillian
Virtual Girl Sofia
Visual Studio Net
Winamp
WinMX
WinRAR
WinZip
WS_FTP LE (32-bit)
XoloX Ultra
ZoneAlarm

and <string4> from -
crack all versions
Cracked
Full version
KeyGen
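
A defender-side check for the naming scheme described above, as an added example that is not part of the original write-up: it flags the padded double extension and the crack-style suffixes in a file listing, and notes when the file sits in one of the listed shared folders. The function names, reason labels and sample paths are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Shared-folder fragments from the write-up, lowercased for comparison.
P2P_DIRS = (
    "\\edonkey2000\\incoming\\", "\\gnucleus\\downloads\\",
    "\\icq\\shared files\\", "\\kazaa\\my shared folder\\",
    "\\kazaa lite\\my shared folders\\", "\\limewire\\shared\\",
    "\\morpheus\\my shared folder\\", "\\grokster\\my grokster\\",
)
# <string4> values from the write-up, lowercased.
SUFFIXES = ("crack all versions", "cracked", "full version", "keygen")
# ".gif", a run of whitespace, then the real ".exe" extension. The exact
# number of padding spaces is not assumed.
PADDED_DOUBLE_EXT = re.compile(r"\.gif\s+\.exe$", re.IGNORECASE)


def in_p2p_share(path):
    """True if the file sits directly in one of the listed shared folders."""
    folder = str(PureWindowsPath(path).parent).lower() + "\\"
    return folder.endswith(P2P_DIRS)


def classify(path):
    """Return the reasons a path fits the naming scheme (empty list if none)."""
    name = PureWindowsPath(path).name
    lowered = name.lower()
    reasons = []
    if PADDED_DOUBLE_EXT.search(name):
        reasons.append("padded-double-extension")
    elif lowered.endswith(".exe") and lowered[:-4].endswith(
            tuple(" " + s for s in SUFFIXES)):
        reasons.append("crack-style-suffix")
    if reasons and in_p2p_share(path):
        reasons.append("p2p-share")
    return reasons


# Constructed sample listing (not taken from a real system).
SAMPLES = [
    r"C:\Program Files\KaZaA\My Shared Folder\Nude Pic Britney Spears.gif          .exe",
    r"C:\Program Files\limewire\shared\Kazaa Media Desktop KeyGen.exe",
    r"D:\downloads\WinZip Full version.exe",
    r"C:\Users\test\Pictures\holiday.gif",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify(p), p)
```

The crack-style suffix on its own is a weak signal; the padded double extension is the stronger one, since the padding exists only to push the real extension out of view.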

In July the worm displays 2 message boxes about the author and the worm, one with the title "Lorraine Worm [GEDZAC LABS 2003]" and the message "Creado por Falckon/GEDZAC" and the second with the same title and a message containing the text "Dedicado a mi G. Lorena R. S.".

W32/Mapson-A also drops C:\lorraine.hta, and runs this file on the 4th of any month to display information about the worm, which includes the text:

"W32/Lorraine - Gedzac Labs 2003
//***********[GEDZAC LABS 2003]***********//
W32/Lorraine by Falckon/GEDZAC
wOrm hecho en Delphi 6 Dedicado a mi Lorena
Hecho en MéXiKO"
