W32.Lamin

W32.Lamin is a virus that infects Portable Executable (PE)* files. The virus also contains a keystroke logger and an IRC backdoor Trojan.

NOTE: Definitions that have dates earlier than December 9, 2002, may detect this threat as BloodHound.W32.1.

Type: Virus
Infection Length: 1212 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Windows 3.x, Microsoft IIS, Macintosh, OS/2, Unix, Linux

Virus Definitions (Intelligent Updater) * December 10, 2002 Virus Definitions (LiveUpdate™) ** December 11, 2002 * Intelligent Updater virus definitions are released daily, but require manual download and installation. Click here to download manually. ** LiveUpdate virus definitions are usually released every Wednesday. Click here for instructions on using LiveUpdate.

Wild: Number of infections: 0 - 49 Number of sites: 0 - 2 Geographical distribution: Low Threat containment: Easy Removal: Easy

Threat Metrics Wild: Low Damage: Low Distribution: Low

When a file that is infected with W32.Lamin runs, the virus attempts to do the following:

Decryption
W32.Lamin is a polymorphic virus. This means that the virus is encrypted, and that the encryption changes between infections. Because the viral body is encrypted, the virus must start its execution by decrypting the viral body.

The encryption that the virus uses is very simple. The key is always four bytes long, and the encryption scheme is always a simple xor.

.DLL file insertion
After the viral body is decrypted, the virus inserts a .dll file on the computer. It is this inserted .dll file that performs all of the malicious actions on the system. The .dll file is kept within the viral body in an encrypted state. Therefore, the virus must first decrypt the .dll file. After the .dll file is decrypted, it is inserted on the computer as C:\Rar$DI01.903 or as a random file name in the %system% folder.

NOTE: %system% is a variable. The virus locates the System folder and copies itself to that location. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

The virus then executes this newly inserted .dll file. After the virus is executed, it jumps to the original entry point of its host program and allows the original host to execute.

.DLL file actions
The inserted .dll file is a keystroke logger and an IRC backdoor Trojan. It is also this .dll file that infects other PE files. It goes through all files on the system as it tries to find suitable PE files to infect.

The inserted .dll file is multithreaded. This means that it can perform several different actions concurrently.

Keyboard Logger
The .dll file creates a thread that monitors all keystrokes. It logs the keystrokes in a file on the computer.

IRC Backdoor Trojan
The .dll file attempts to connect to an IRC server and join a chat room on that server. However, before it connects to the server, it attempts to bypass certain personal firewall products by creating registry keys that allow the communication.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Run a full system scan. Delete and, if it is necessary, replace all files that are detected as W32.Lamin.
3. Reverse any changes that the virus may have made to your personal firewall software.

• Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers once each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
• Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
  
  Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

1. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
• Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
• Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
2. Run a full system scan.
3. If any files are detected as infected with W32.Lamin, click Delete. If necessary, replace the deleted file with a clean backup copy.

Additional information:

* What are Portable Executable (PE) files?
PE files are files that are portable across all Microsoft 32-bit operating systems. The same PE-format executable can be executed on any version of Windows 95, 98, Me, NT, 2000, and XP. All PE files are executable, but not all executable files are portable.

A common example of a Portable Executable file is a screen saver (.scr) file.

Backdoor
If the IRC Backdoor Trojan component was installed on the computer, it is possible that your system has been accessed remotely by an unauthorized user. For this reason it is impossible to guarantee the integrity of a system that has had such an infection. The remote user could have made changes to the system, including but not limited to the following:

• Stealing or changing passwords or password files
• Installing remote-connectivity host software, also known as backdoors
• Installing keystroke logging software
• Configuring firewall rules
• Stealing credit card numbers, banking information, personal data, and so on
• Deleting or modifying files
• Sending inappropriate or even incriminating material from a customer's email account
• Modifying access rights on user accounts or files
• Deleting information from log files to hide such activities

Write-up by: Neal Hindocha