Name:

Worm.Lightmoon.h

Descr. Added:

July 25, 2012

Type:

Worm

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Malware problems?   We can help.  Free Removal Tools.

Description:

When Worm.Lightmoon.h is executed, it performs the following activities:

It copies itself to the following locations on the system:

%UserProfile%\Start Menu\Programs\Startup\sql.cmd
%UserProfile%\Templates\O74747Z\service.exe
%UserProfile%\Templates\O74747Z\TuxO74747Z.exe
%UserProfile%\Templates\O74747Z\winlogon.exe
%ProgramFiles%\Common Files\Microsoft Shared\Love Song < many spaces > .scr
%ProgramFiles%\Movie Maker\Shared\Lagu - Server < many spaces > .scr
%Windir%\Downloaded Program Files\Gallery < many spaces > .scr
%Windir%\ime\shared\Norman virus Control 5.18 < many spaces > .exe
%Windir%\pchealth\UploadLB\New mp3 BaraT !! < many spaces > .exe
%Windir%\SoftwareDistribution\Download\Titip Folder Jangan DiHapus < many spaces > .exe
%Windir%\system\msvbvm60.dll
%system%\227487656073l.exe
%system%\X61445go\Z227487cie.cmd
%Windir%\M46840\EmangEloh.exe
%Windir%\M46840\Ja067831bLay.com
%Windir%\M46840\Ja67831bLay.com
%Windir%\M46840\smss.exe
%Windir%\sa-865388.exe
%Windir%\Ti656073ta.exe
%Windir%\[TheMoonlight].txt

The "%Windir%\MoonLight.txt" file contains the following text:

:: The NewMoonLight ::

Created by HeLLsPAwn A.K.A B4bb1cool

(c) 2006 Depok ~ Indonesia

It creates/modifies the following registry entries:

T47Z274 = "%Windir%\sa-865388.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Userinit = "%Systyem%\userinit.exe , "%Windir%\M46840\Ja67831bLay.com""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Shell = "explorer.exe, "%UserProfile%\Templates\O74747Z\TuxO74747Z.exe""
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

T1468388TT4 = "%system%\227487656073l.exe"
HKU\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\TUX

HKLM\Software\Microsoft\TUX\biang

HKLM\Software\Microsoft\TUX\Path