Weekly Virus Report – Mapson, Lentin.R and Naco.F Worms

Madrid, June 13, 2003 – This week’s virus report will focus on three worms Mapson (W32/Mapson), Lentin.R (W32/Lentin.R) and Naco.F (W32/Naco.F), and a virus/worm called Trile (W32/Trile).

Mapson is a malicious code that originated in Mexico and spreads via e-mail, using what has been dubbed ‘social engineering’. The e-mail carrying Mapson has variable subjects, message texts, sender’s address and attached files.

Mapson can also spread through P2P (peer to peer) file-sharing applications such as KaZaA or Morpheus. In order to do this, in the shared directories of these programs, it creates a large number of files that suggest they contain images of celebrities, computer programs, etc.

When it first appeared, Mapson caused a large number incidents in Spanish-speaking countries. For this reason, Panda Software quickly made its free PQREMOVE utility available to all users, which can clean and restore any computer infected by this worm.

Lentin.R is a dangerous worm, as it can end the active processes in affected computers and send confidential information to the virus author via e-mail. This worm spreads in an e-mail message with highly variable characteristics and is automatically run when the message carrying the worm is viewed through the preview pane in Outlook. In order to do this, it exploits a vulnerability in Internet Explorer (versions 5.01 and 5.5).

It is also programmed to launch denial of service attacks (DoS) against five websites. This worm also checks if the compromised computer is an IIS (Internet Information Server). If it is, this malicious code modifies the files with an HTM or HTML in the root directory by adding two links to a web page created by the author of the worm.

Naco.F is a worm that is designed to end the processes and delete the files associated to different antivirus and security applications. In order to spread, it sends a copy of itself to all the contacts in the Windows address book in an e-mail message with variable subjects and message texts. However, the attached file is usually called CSRSS32.exe.

Finally, Trile is a dangerous virus/worm that infects a large number of files with an EXE extension. This malicious code reaches computers in an e-mail message with a variable subject, message text, and file name. However, the attachment always has a double extension; the first is one of the following: GIF, MPG, MP3, XLS, WAV, DAT, JPG, HTM, XLS, TXT, MDB, BMP, DOC or ZIP and the second is PIF, BAT or SCR.

When the file is run, Trile sends itself out to all the contacts in the address book in Outlook. It also creates a directory called C:\My Downloads, if this directory does not already exist, and generates multiple copies of itself in it. The names of these files suggest they contain interesting computer programs or games, for example: Civilization 3 Full Downloader.exe, Need For Speed 5 Porsche Unleashed Patch.exe or Star Wars Starfighter ISO – Full Downloader.exe. Finally, the worm also ends processes related to antivirus and IT security applications.

For further information about these and other viruses, visit Panda Software’s Virus Encyclopedia at: http://www.pandasoftware.com/virus_info/.

Additional information:

– DoS / Denial of Service: This is a type of attack, sometimes caused by viruses, that prevents users from accessing certain services (in the operating system, web servers etc.).

– Root directory: This is the main directory or folder on a disk or drive.

More definitions of virus and antivirus terminology at:
http://www.pandasoftware.es/virus_info/glosario/default.aspx