The malicious code described in this week’s report includes a macro virus called Laroux.MW (X97M/Laroux.MW) and the following computer worms: Napp (W32/Napp), Lioten (W32/Lioten), Prestige.B (W32/Prestige.B) and Lentin.G (W32/Lentin.G).
Laroux.MW spreads through previously infected spreadsheets, which automatically infect Excel templates (files with an XLS extension). Through this process it manages to infect all the Excel files that use this template or that are generated with it.
Laroux.MW contains one module called “xl5galary” and reaches computers through various means (e-mail messages, computer networks, CD-ROMs, Internet downloads, FTP, floppy disks, etc.).
Napp is a worm that modifies the files with an EXE extension that are stored on the A: drive, preventing them from functioning correctly. A clear indication that this worm has reached a computer is a fake Windows error message displayed on screen.
The second worm we will look at today is Lioten, which stands out for its capacity to spread rapidly across networks. In order to do this, it uses IP addresses and Windows passwords selected at random. Although this worm does not carry out any destructive actions, its high capacity to reproduce and spread can affect the performance of infected servers.
The third worm in this week’s report is Prestige.B, which reaches computers in an e-mail message that is easy to recognize because its subject is: “Nuevas grietas del Prestige nos amenazan!”, and the sender is: “Greenpace firstname.lastname@example.org”. The effects of variant B of Prestige are more annoying than damaging, as once it has carried out its infection it displays a message which prompts users to install a Plug-In (program update) that will allow them to view exclusive images of the Prestige oil tanker.
We are going to close this virus report with Lentin.G, a worm that spreads through e-mail messages with variable subject headings and includes an attached file, which carries out the infection. This file usually has a double extension. The first extension can be any of the following: PDF, GIF, PPT, JPG or DOC, whereas the second is always SCR, the extension of screensavers, which this malicious code uses to disguise itself.
Lentin.G terminates several processes in affected computers, preventing various programs from functioning, such as antiviruses and firewalls. It also creates several files in the Windows system directory, adds entries to the Windows Registry and modifies a Registry key.
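As an added example (not code from the original report), the following Python flags e-mail attachments that use the double-extension disguise described above: one of the listed document or image extensions in front of a final SCR. The sample message is constructed for the demonstration; the padding-with-spaces case is an assumed variant of the trick, handled so a hidden trailing extension is not missed.

```python
import email
from email import policy

# Decoy extensions the report lists for Lentin.G, and the real one (SCR).
DECOY_EXTENSIONS = {"pdf", "gif", "ppt", "jpg", "doc"}
EXECUTABLE_EXTENSIONS = {"scr"}  # screensaver files are ordinary Windows executables

# Constructed sample message, not a real Lentin.G sample.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: Your documents
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

See attached.
--BOUNDARY
Content-Type: application/octet-stream; name="Photos.JPG.scr"
Content-Disposition: attachment; filename="Photos.JPG.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--BOUNDARY--
"""


def split_extensions(filename: str) -> list[str]:
    """Return the lower-cased extension chain, e.g. 'a.doc.scr' -> ['doc', 'scr'].
    Whitespace around each component is stripped so 'a.pdf      .scr' is still
    recognised (assumed padding variant used to push the real extension out of view)."""
    parts = [p.strip() for p in filename.strip().lower().split(".")]
    return [p for p in parts[1:] if p]


def is_double_extension_decoy(filename: str) -> bool:
    """True when the final extension is executable (SCR) and the one before it
    is a document/image extension used as a decoy, as in Lentin.G."""
    exts = split_extensions(filename)
    return len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in DECOY_EXTENSIONS


def suspicious_attachments(raw_message: str) -> list[str]:
    """Parse a raw RFC 822 message and return attachment names matching the disguise."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    names = (part.get_filename() for part in msg.iter_attachments())
    return [n for n in names if n and is_double_extension_decoy(n)]
```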