Win32/NoonLight [Threat Name]

Win32/NoonLight.B [Threat Variant Name]

Category: worm
Size: 32768 B
Detection created: Jun 30, 2006
Detection database version: 1635
Aliases: Worm:Win32/Lightmoon.H (Microsoft), W32.Rontokbro@mm (Symantec), WORM_MOONLIGHT.B (TrendMicro)
Short description

Win32/NoonLight.B is a worm that spreads via e-mail, P2P networks and shared folders. The file is run-time compressed using PECompact.

Installation

When executed, the worm creates the following folders:

  • %windir%\%variable1%
  • %templates%\%variable2%
  • %system%\%variable3%

The worm creates the following files:

  • %windir%\%variable1%\EmangEloh.exe
  • %windir%\%variable1%\Ja%variable4%bLay.com
  • %windir%\%variable1%\smss.exe
  • %templates%\%variable2%\service.exe
  • %templates%\%variable2%\Tux%variable2%.exe
  • %templates%\%variable2%\winlogon.exe
  • %system%\%variable3%\Z0%variable5%cie.cmd
  • %system%\%variable3%\Z%variable5%cie.cmd
  • %system%\0%variable5%%variable6%l.exe
  • %system%\%variable5%%variable6%l.exe
  • %windir%\Ti%variable6%ta.exe
  • %windir%\sa-%variable7%.exe
  • %windir%\system\msvbvm60.dll
  • %altstartup%\sql.cmd

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TUX\Path]
    • "1" = "%variable1%"
    • "2" = "%variable2%"
    • "3" = "%variable3%"
  • [HKEY_CURRENT_USER\Software\VB and VBA Program Settings\noGods\appActive]
    • "service.exe" = "%variable8%"
    • "smss.exe" = "%variable9%"
    • "EmangEloh.exe" = "%variable10%"
    • "winlogon.exe" = "%variable11%"
  • [HKEY_CURRENT_USER\Software\VB and VBA Program Settings\untukmu\version]
    • "me" = "4"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TUX\biang]
    • "1" = "%variable5%"
    • "2" = "%variable7%"
    • "3" = "%variable6%"
    • "4" = "%variable4%"
    • "5" = "%variable13%"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "HideFileExt" = 1
    • "Hidden" = 0
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
    • "FullPath" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableRegistryTools" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    • "Common Startup" = "%system%\%variable3%"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes]
    • "scrfile" = "File Folder"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
    • "AlternateShell" = "0%variable5%%variable6%l.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot]
    • "AlternateShell" = "%variable5%%variable6%l.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe]
    • "debugger" = "%windir%\notepad.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
    • "debugger" = "%windir%\notepad.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
    • "UncheckedValue" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
    • "Common Startup" = "C:\WINDOWS\system32\%variable3%"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess]
    • "Start" = 0

The worm may delete the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "MomentEverComes" = "%filepath%"
    • "Tok-Cirrhatus-1101" = "%filepath%"
    • "SaTRio ADie X" = "%filepath%"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "TryingToSpeak" = "%filepath%"
    • "YourUnintended" = "%filepath%"
    • "YourUnintendes" = "%filepath%"
    • "lexplorer" = "%filepath%"
    • "dkernel" = "%filepath%"
    • "Bron-Spizaetus-cgglmmrv" = "%filepath%"
    • "Bron-Spizaetus" = "%filepath%"
    • "Bron-Spizaetus-cfirltrx" = "%filepath%"
    • "ADie suka kamu" = "%filepath%"

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "T%variable8%" = "%windir%\sa-%variable7%.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "T1%variable9%TT4" = "%system%\%variable5%%variable6%l.exe"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Shell" = "explorer.exe, "%templates%\%variable2%\Tux%variable2%.exe""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    • "Userinit" = "%system%\userinit.exe , "%windir%\%variable1%\Ja%variable4%bLay.com"

A string with variable content is used in place of %variable1-13% and %filepath%.
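The Registry changes listed under "Registry entries are set" and the start-up entries above are the durable artifacts an administrator can check for. The following PowerShell script is an added example and is not part of the ESET entry: it reads the keys named in this entry and reports values that differ from the stock Windows defaults it assumes (AlternateShell = cmd.exe, Shell = explorer.exe, Userinit = userinit.exe, Common Startup ending in \Startup, scrfile type name other than "File Folder"). The helper names (Get-RegValue, Add-Finding) and the Run-key heuristic in step 8 are the example's own choices, not ESET's; the script only reads and prints, it removes nothing.

```powershell
# Added example, not part of the ESET entry: read-only audit of the Registry and
# file artifacts listed for Win32/NoonLight.B. Run elevated on the machine under review.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Where, [string]$What, $Value) {
    $findings.Add([pscustomobject]@{ Where = $Where; What = $What; Value = "$Value" })
}

# Read one value; returns $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    $p = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $p) { return $p.$Name }
}

# 1. Image File Execution Options: a Debugger value replaces the named program.
#    The entry redirects msconfig.exe and regedit.exe to notepad.exe.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($k in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
    $dbg = Get-RegValue $k.PSPath 'Debugger'
    if ($dbg) { Add-Finding "$ifeo\$($k.PSChildName)" 'IFEO Debugger set (review: redirects this program)' $dbg }
}

# 2. Safe Mode shell: assumed default is cmd.exe; the entry points it at the worm's copy.
foreach ($cs in 'ControlSet001', 'ControlSet002', 'CurrentControlSet') {
    $path = "HKLM:\SYSTEM\$cs\Control\SafeBoot"
    $alt = Get-RegValue $path 'AlternateShell'
    if ($alt -and $alt -ne 'cmd.exe') { Add-Finding $path 'SafeBoot AlternateShell is not cmd.exe' $alt }
}

# 3. Winlogon Shell / Userinit: the entry appends the worm's files to both values.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $wl 'Shell'
if ($shell -and $shell.Trim() -ne 'explorer.exe') { Add-Finding $wl 'Winlogon Shell is not plain explorer.exe' $shell }
$userinit = Get-RegValue $wl 'Userinit'
if ($userinit -and $userinit -notmatch '^\s*[A-Za-z]:\\[^,]*\\userinit\.exe\s*,?\s*$') {
    Add-Finding $wl 'Winlogon Userinit carries an extra program' $userinit
}

# 4. Policy and Explorer view settings the entry changes to stay out of sight.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if ((Get-RegValue $pol 'DisableRegistryTools') -eq 1) { Add-Finding $pol 'Registry editor disabled by policy' 1 }
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ((Get-RegValue $adv 'ShowSuperHidden') -eq 0 -and (Get-RegValue $adv 'Hidden') -eq 0) {
    Add-Finding $adv 'Hidden and protected files not shown (weak signal alone; also a common user setting)' 'ShowSuperHidden=0, Hidden=0'
}

# 5. Common Startup redirected: the entry points it into a folder under %system%.
$usf = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$startup = Get-RegValue $usf 'Common Startup'   # REG_EXPAND_SZ is returned expanded
if ($startup -and $startup -notmatch '\\Startup\s*$') { Add-Finding $usf 'Common Startup does not point at a Startup folder' $startup }

# 6. .scr files relabelled as "File Folder" so the worm's .scr copies blend in.
$scr = Get-RegValue 'HKLM:\SOFTWARE\Classes\scrfile' '(default)'
if ($scr -eq 'File Folder') { Add-Finding 'HKLM:\SOFTWARE\Classes\scrfile' 'scrfile type name changed' $scr }

# 7. Windows Firewall/ICS service (SharedAccess) start type forced to 0.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
if ((Get-RegValue $svc 'Start') -eq 0) { Add-Finding $svc 'SharedAccess Start=0 (normally 2 or 3)' 0 }

# 8. Run keys. Heuristic (this example's own): flag values whose target sits directly
#    in %windir% (legitimate software rarely installs there) or is named sa-*.exe,
#    the pattern the entry lists for the worm's own persistence.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($run in $runKeys) {
    $p = Get-ItemProperty -LiteralPath $run -ErrorAction SilentlyContinue
    if ($null -eq $p) { continue }
    foreach ($prop in $p.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }     # provider metadata, not Registry values
        $target = "$($prop.Value)" -replace '"', ''
        $inWindir = '^' + [regex]::Escape($env:windir) + '\\[^\\]+\.exe'
        if ($target -match $inWindir -or $target -match '\\sa-[^\\]*\.exe') {
            Add-Finding $run "Run value '$($prop.Name)' (heuristic; verify the file)" $target
        }
    }
}

# 9. File artifacts. -LiteralPath matters: '[' in the file name is a wildcard for -Path.
foreach ($f in (Join-Path $env:windir '[TheMoonlight].txt'), (Join-Path $env:windir 'system\msvbvm60.dll')) {
    if (Test-Path -LiteralPath $f) { Add-Finding $f 'file listed in the entry is present' $f }
}

if ($findings.Count -eq 0) { 'No artifacts from the Win32/NoonLight.B entry found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Two of the checks are deliberately marked as weak: the Explorer view settings in step 4 are also set by ordinary users, and step 8 is a path heuristic, so a hit there is a prompt to inspect the file, not a verdict. The IFEO, SafeBoot, Winlogon and scrfile checks, by contrast, report changes that almost never occur on a clean system and are worth treating as findings on their own.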

Spreading via e-mail

Win32/NoonLight.B is a worm that spreads via e-mail.

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .asp
  • .doc
  • .eml
  • .htm
  • .php
  • .rtf
  • .tml
  • .txt
  • .wab

Addresses containing the following strings are avoided:

  • ..
  • .l
  • htm
  • mcafee
  • microsoft
  • MoonMail
  • norman
  • norton
  • novell
  • panda
  • rar
  • sophos
  • suport
  • Syman
  • Trend
  • vaksin
  • virus
  • www.
  • xxx
  • yahoogroup
  • yourdomain
  • yoursite
  • yyyy
  • zip

Some of the following strings may be used to form the sender address:

  • 12050075
  • admin
  • Anata
  • B4bb1cool
  • BabbyBear
  • BInaSarana
  • CoolMan
  • Davis
  • Emily
  • Fria
  • HackersMinds
  • HellSpawn
  • Jagung-Bakar
  • jojo
  • JuwitaNingrum
  • Lia
  • mansonisme
  • MooNLight
  • Rita
  • sasUK3
  • SaZZA
  • Shit
  • SpawN
  • Titta
  • Yoseph2000

The subject of the message is one of the following:

  • Tolong Aku..
  • Tolong
  • Registration Confirmation
  • Cek This
  • hello
  • RE:bla bla bla
  • RE:HeLLO GuYs

The body of the message may be one of the following:

  • hi
  • please see this file
  • hey Indonesian porn Tiara lestari pic's
  • free screen saver
  • romance for you
  • Please Visit Our Web Site http://www.moonLight.com
  • please read again what i have written to you
  • thank's for you register your acount details are attached
  • Aku Mencari Wanita yang aku Cintai dan cara menggunakan email mass ini adalah cara terakhirku ,di lampiran ini terdapat foto dan data Wanita tsb Thank's NB:Mohon di teruskan kesahabat anda
  • aku mahasiswa Bsi Margonda smt 3 yah aku sedang membutuhkan pekerjaan
  • oh ya aku tahu anda dr milis ilmu komputer di lampiran ini terdapat curriculum vittae dan foto saya

The attachment is a ZIP archive containing an executable of the worm. It may be password protected; the password is then included in the message body.


The name of the attachment is one of the following:

  • curriculum vittae.zip
  • USE_RAR_To_Extract.ace
  • ZIPPED.zip
  • FILEATTACH.bz2
  • Doc.gz
  • file.bz2
  • thisfile.gz
  • TITTA'S Picture.jar

Spreading via P2P networks

The worm searches for various shared folders. Only folders whose path contains one of the following strings are searched:

  • *download*
  • *upload*
  • *share*

These folders include the shared folders of various instant messengers and P2P applications. The worm tries to place a copy of itself into these folders. Its filename may be one of the following:

  • TutoriaL HAcking %manyspaces% .exe
  • Lagu - Server %manyspaces% .scr
  • Data DosenKu %manyspaces%.exe
  • Titip Folder Jangan DiHapus %manyspaces%.exe
  • Love Song %manyspaces%.scr
  • New mp3 BaraT !! %manyspaces%.exe
  • THe Best Ungu %manyspaces%.scr
  • Blink 182 %manyspaces%.exe
  • Norman virus Control 5.18 %manyspaces%.exe
  • Windows Vista setup %manyspaces%.scr
  • Gallery %manyspaces%.scr
  • RaHasIA %manyspaces%.exe

Spreading on removable media

The worm copies itself into the root folders of removable drives using one of the following file names:

  • Data %username%.exe
  • Foto %username%.exe
  • New Folder(2).exe
  • New Folder.scr
  • %username% Porn.exe
  • %existingfoldername%.exe

The file(s) may have the System (S) and Hidden (H) attributes set in an attempt to hide them in Windows Explorer.

Information stealing

The worm is able to log keystrokes. It attempts to send the gathered information to a remote machine.

Other information

The worm terminates any program whose window title contains any of the following strings:

  • dengines
  • sensasi
  • bront
  • filewalker
  • OfficeSystem

The worm may delete the following files:

  • %altstartup%\*.pif

The worm may terminate specific running processes and hides the windows of certain running applications.

The worm contains a list of (3) URLs. It tries to download several files from these addresses over HTTP; the downloaded files are then executed.


The worm may create the text file:

  • %windir%\[TheMoonlight].txt

It contains the following text:

  • :: The NewMoonLight ::
  • Created by HeLLsPAwn A.K.A B4bb1cool
  • (c) 2006 Depok ~ Indonesia
