This week’s report deals with the appearance of the ‘L’ variant of the Lentin worm, which can terminate various processes in affected computers.
Lentin.L spreads rapidly as a file attached to an e-mail message. The message is difficult to spot because it varies from infection to infection. The name of the attachment that causes the infection is selected at random from a list, but it has an SRC, EXE or COM extension.
The ‘L’ variant of Lentin sends itself out to all contacts in the Windows, MSN Messenger, .NET Messenger and Yahoo Pager address books and to the e-mail addresses it finds in the HTM files on the infected computer. Lentin.L tries to use the default SMTP server address configured on the infected computer to send out the e-mail messages, but if it does not find the necessary information, it uses one of the many SMTP server addresses contained in its code.
In order to ensure that it is run every time Windows is started, Lentin.L creates several entries in the Windows Registry. It also creates three files called WINSERVICES.EXE, NAV32_LOADER.EXE and TCPSVS32.EXE (which contain the worm’s infection code) and a copy of itself in the Windows system directory.
Finally, Lentin.L terminates several processes related to antivirus programs and firewalls, if they are active.
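A host triage check for the dropped files and startup entries described above, as an added example that is not part of the original report or of Panda Software's tooling. It assumes the startup entries point at the three named files and that the autorun values were exported beforehand as a name-to-command mapping; the function names and sample values are hypothetical, and the unnamed copy of the worm is not covered.

```python
import ntpath
import os

# File names the report says Lentin.L drops in the Windows system directory.
LENTIN_L_FILES = {"winservices.exe", "nav32_loader.exe", "tcpsvs32.exe"}


def autorun_target(command):
    """Return the lower-cased executable name from an autorun command line."""
    command = command.strip()
    if command.startswith('"'):
        # Quoted path: everything up to the closing quote is the executable.
        path = command[1:].split('"', 1)[0]
    else:
        # Unquoted: the executable ends at the first whitespace.
        path = command.split(None, 1)[0] if command else ""
    # ntpath parses Windows paths correctly on any analysis host.
    return ntpath.basename(path).lower()


def find_lentin_l_traces(system_dir, autoruns):
    """Return sorted (kind, detail) findings for one host.

    system_dir: path to (a copy of) the Windows system directory.
    autoruns:   {value name: command line} exported from the startup keys
                (assumption: the report does not list the keys it uses).
    """
    findings = []
    for entry in os.listdir(system_dir):
        if entry.lower() in LENTIN_L_FILES:  # Windows names are case-insensitive
            findings.append(("file", entry))
    for name, command in autoruns.items():
        if autorun_target(command) in LENTIN_L_FILES:
            findings.append(("autorun", name))
    return sorted(findings)


if __name__ == "__main__":
    import tempfile
    # Constructed sample data, not taken from a real infection.
    with tempfile.TemporaryDirectory() as d:
        for f in ("TCPSVS32.EXE", "notepad.exe"):
            open(os.path.join(d, f), "w").close()
        sample = {"WinServices": r'"C:\WINDOWS\system32\WinServices.exe" -s',
                  "Updater": r"C:\Tools\update.exe /quiet"}
        print(find_lentin_l_traces(d, sample))
```

A hit on any of the three names is a lead for further analysis rather than proof of infection, since the check matches file names only.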
For further information about Lentin.L and other viruses, visit Panda Software’s Virus Encyclopedia at: www.pandasoftware.com/virus_info/encyclopedia/
About Panda Software’s Virus Laboratory
On receiving a possibly infected file, Panda Software’s technical staff get straight down to work. The file is analyzed and, depending on its type, the action taken may include disassembly, macro scanning, code analysis, etc. If the file does in fact contain a new virus, the disinfection and detection routines are prepared and quickly distributed to users.