Sophos

W32/Lamud-A

Aliases
  • WORM_LAMUD.A
  • Trojan.Lamud
  • Trojan-Dropper.Win32.Delf.cq

Summary

 
How it spreads
  • Network shares
Affected operating systems Windows
Characteristics
  • Drops more malware
  • Installs itself in the registry
Protection available since 18 June 2005 15:00:23 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Lamud-A is a worm for the Windows platform.

When run, W32/Lamud-A copies itself to the Windows folder as msinst26.exe and then drops the following files:

[Windows folder]\ACD Wallpaper.bmp
[Windows folder]\davcsync.exe
[Windows folder]\lmdll.dll
[current user's Temp folder]\[random text].tmp (copy of "ACD Wallpaper.bmp")

The worm sets the wallpaper for the current user to the "ACD Wallpaper.bmp" file in the Windows folder. The following registry entry is set:

HKCU\Control Panel\Desktop
LMDWallpaper
"[Windows folder]\ACD Wallpaper.bmp"

W32/Lamud-A sets the following registry entries in order to run davcsync.exe each time a user logs on:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Perfomance Monitor
"davcsync.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Perfomance Monitor
"davcsync.exe"

The worm also makes the following registry changes (disabling the Display control panel and registry tools, and forcing hidden files and file extensions to stay hidden in Explorer):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispCPL
dword:00000001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice
DLLName
"lmdll.dll"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice
Logon
"LoadLMDService"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice
Startup
"LoadLMDService"

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice
Asynchronous
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice
Impersonate
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS
CheckedValue
dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
dword:00000000

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
dword:00000001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDDEN
CheckedValue
dword:00000000

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue
dword:00000000
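As an added example (not part of the Sophos write-up), a Python check that parses a regedit `.reg` export and flags the Winlogon Notify, Run-key and policy values listed above; the sample export is constructed, and the parser only handles string and dword values.

```python
import re
# Registry indicators from the description above (key paths upper-cased,
# since registry key names are case-insensitive).
LAMUD_INDICATORS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\NOTIFY\LMDSERVICE":
        {"DLLName": "lmdll.dll", "Logon": "LoadLMDService"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": {"Perfomance Monitor": "davcsync.exe"},
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN": {"Perfomance Monitor": "davcsync.exe"},
    r"HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM":
        {"DisableRegistryTools": 1, "NoDispCPL": 1},
}
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "name"=data

def parse_reg_export(text):
    """Parse a regedit .reg export into {KEY: {name: data}}. Handles
    "name"="string" and "name"=dword:xxxxxxxx; escapes in strings are kept."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):   # new key section
            current = line[1:-1].upper()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.groups()
        keys[current][name] = int(data[6:], 16) if data.startswith("dword:") else data.strip('"')
    return keys

def find_lamud_indicators(reg_text):
    """Return (key, value name, data) for each Lamud-A indicator present."""
    exported, hits = parse_reg_export(reg_text), []
    for key, expected in LAMUD_INDICATORS.items():
        for name, want in expected.items():
            got = exported.get(key, {}).get(name)
            if got is not None and str(got).lower() == str(want).lower():
                hits.append((key, name, got))
    return hits

# Constructed sample export (not a real capture) from an infected profile.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lmdservice]
"DLLName"="lmdll.dll"
"Logon"="LoadLMDService"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Perfomance Monitor"="davcsync.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
"""
```

A hit on the lmdservice Notify key or the misspelled "Perfomance Monitor" Run value is the strongest signal; the policy values alone are also set by other malware.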

W32/Lamud-A makes periodic attempts to copy itself to drives A: and B: and can spread through network shares. When spreading through networks, W32/Lamud-A uses the following filenames:

Games.exe
Pictures.exe
Images.exe
Downloads.exe
My documents.exe
Video.exe
Music.exe
New.exe
XXX.exe
Porno.exe
Private.exe

The worm copies itself to any network paths containing the following strings:

Distri
Distrib
Distry
Distryb
Documents and Settings\All Users\
Documents and Settings\All Users\Desktop
Documents and Settings\All Users\Favorites
Documents and Settings\All Users\Shared documents
Documents and Settings\All Users\Start Menu\Programs\Startup
Documents and Settings\Default User\
Documents and Settings\Default User\Desktop
Documents and Settings\Default User\Favorites
Documents and Settings\Default User\Shared documents
Documents and Settings\Default User\Start Menu\Programs\Startup
Inetpub\ftproot
Inetpub\ftproot\pub
Instal
Install
My Documents
Win95\Desktop
Win95\Start Menu\Programs\Startup
Win98\Desktop
Win98\Start Menu\Programs\Startup
Win98SE
Win98SE\
Win98SE\Desktop
Win98SE\Start Menu\Programs\Startup
Windows
Windows\
Windows\Desktop
Windows\Start Menu\Programs\Startup
