Win32.P2P.Lorrin.A@mm
HIGH
LOW
Size: 180736 bytes (packed with UPX 1.24)
Aliases: I-Worm.Mapson (KAV), W32/Mapson-A (Sophos)
Symptoms
Presence of one or more of the following files in the Windows System folder (%SYSTEM%, e.g. C:\Windows\System32 on Windows 9x/XP):
amigos.pif
amigototote.pif
amor-por-ti.pif
antiwinlogon.pif
antrox.scr
BigBrother.pif
bugmsn.pif
chistesgraficos.pif
chupamelo.pif
comotegustan.pif
CracksPPZ.pif
cristina-aguilera.pif
defaced-madonna-site.pif
eggbrother.exe
EICAX.COM
existeee.pif
financiamiento.pif
GEDZAC.PIF
grancarnal.exe
grande.pif
hackeahotmail.pif
historial.pif
hotmail.pif
kamasutra.pif
lacosha@hotmail.com
LatinCard.pif
linuxandmicrosoft.pif
Lorenaaaa.pif
Madonna_sEXY.pif
MariaVirgen.pif
Matrix-Trailer.pif
mujeres.pif
Musica.pif
No-Spam.exe
nuevovirus.txt.pif
Oradores.pif
osamabinhuevoback.exe
parejaideal.txt.pif
petardas.pif
porqueteamo.pif
projimo.pif
relacionsexual.pif
resetarios.pif
SARS.pif
seguridad_en_hotmail.pif
serhacker.pif
Shakira.pif
solo-a-ti.pif
Spamno.pif
teamo.exe
te-pido.scr
test-idiota.pif
testpasion.pif
thalialoca.pif
TutorialVBSvirus.pif
WindowsMediaPlayerBug.pif
www.mfernanda.com
www.vsantiviru.com
www.zonaviru.com
zorrotttas.pif
These file names are also used for attachments when spreading via mail.
Presence of one of the names mentioned above in the process list (visible in Task Manager).
Presence of registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lorraine = %SYSTEM%\Lorraine.exe]
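A host-side check for the three indicators above (dropped file names in %SYSTEM%, the Lorraine value under the Run key), written for this page as an added example rather than BitDefender's own tooling. It assumes Python 3, uses only a subset of the listed file names, reads the live system folder and Run key through the standard winreg module on Windows, and falls back to a constructed sample elsewhere.

```python
"""Check a host for the Lorrin.A indicators listed in the Symptoms section."""
import os
import sys

# Subset of the dropped file names from the Symptoms section (values from the page).
DROPPED_NAMES = {"amigos.pif", "antrox.scr", "eggbrother.exe", "EICAX.COM",
                 "hotmail.pif", "Lorraine.exe", "No-Spam.exe", "SARS.pif",
                 "teamo.exe", "te-pido.scr"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Lorraine"  # persistence value named in the Symptoms section

def find_dropped_files(entries):
    """Names in a %SYSTEM% directory listing that match a known dropped file.
    Windows names are case-insensitive, so eicax.com matches EICAX.COM."""
    wanted = {n.casefold() for n in DROPPED_NAMES}
    return sorted(e for e in entries if e.casefold() in wanted)

def find_run_persistence(run_values):
    """run_values maps Run value name -> command line. Flags the Lorraine
    value when its command launches Lorraine.exe, whatever the path case."""
    return [(name, cmd) for name, cmd in run_values.items()
            if name.casefold() == RUN_VALUE_NAME.casefold()
            and "lorraine.exe" in cmd.casefold()]

def collect_from_host():
    """Read the live %SYSTEM% listing and Run key (Windows only; uses winreg).
    Assumes %SystemRoot% is set, as it is on a normal Windows install."""
    import winreg
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    run_values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            run_values[name] = str(data)
            index += 1
    return os.listdir(system_dir), run_values

if __name__ == "__main__":
    if sys.platform == "win32":
        entries, run_values = collect_from_host()
    else:  # constructed sample so the check also runs stand-alone off Windows
        entries = ["kernel32.dll", "eicax.com", "Lorraine.exe"]
        run_values = {"Lorraine": r"C:\Windows\System32\Lorraine.exe"}
    print("dropped files:", find_dropped_files(entries))
    print("Run persistence:", find_run_persistence(run_values))
```

A match on either check is a reason to run the full scan described in the removal instructions; an empty result only covers the names included here.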
Removal instructions:
BitDefender can automatically disinfect or delete the files infected by this particular virus. The modified registry entries must be corrected manually.
- If you don't have BitDefender installed, download an evaluation version;
- Make sure that you have the latest updates using BitDefender Live!;
- Make the following changes in the Windows registry:
Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry please read the FAQ.
- Select Run... from Start, then type regedit and press Enter;
- Delete the following key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Lorraine = %SYSTEM%\Lorraine.exe]
- Reboot the computer
- Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.P2P.Lorrin.A@mm.
Analyzed By
Ciubotariu Mircea
BitDefender Virus Researcher
Technical Description:
The worm spreads itself via email, attached under the file names listed above, and also by sharing itself through the most common P2P programs, as follows:
eDonkey 2000
Gnucleus
ICQ
KaZaA
LimeWire
Morpheus
Grokster
It copies itself into the folders listed below:
\edonkey2000\incoming\
\gnucleus\downloads\
\icq\shared files\
\KaZaA\My Shared Folder\
\kazaa lite\my shared folders\
\limewire\shared\
\morpheus\my shared folder\
\Grokster\My Grokster\
using different combinations of the following names (all generated names end in .EXE):
Desnuda en la playa
las pelotas de
Nude Pic
Sexo en la playa con
Sexy Beach
Sexy Bikini
Alejandra Guzman
Angelica Vale
Brenda
Britney Spears
Cameron dias
Celine Dion
Francini
Galilea Montijo
Halle berry
Kylie Minogue
Laura Pausini
Lili Brillanti
Lorena
Paulina Rubio
Pink
Shakira
Thalia
Ad-aware
Adobe Acrobat Reader (32-bit)
AOL Instant Messenger (AIM)
Biromsoft WebCam
Copernic Agent
Delphi 6
Diet Kaza
DirectDVD
DivX Video Bundle
Download Accelerator Plus
FireWorks 4
FIreWorks MX
Global DiVX Player
Grokster
ICQ Lite
ICQ Pro 2003a beta
iMesh
JetAudio Basic
Kaspersky Antivirus
Kazaa Download Accelerator
Kazaa Media Desktop
Matrix Movie
McAfee Antivirus
Microsoft Internet Explorer
Microsoft Office XP
Microsoft Windows Media Player
Microsoft Windows 2003
Morpheus
msn hack
MSN Messenger (Windows NT/2000)
Nero Burning ROM
NetPumper
Network Cable e ADSL Speed
Norton Antivirus
Office 2003
Panda Antivirus
PerAntivirus
Pop-Up Stopper
QuickTime
RealOne Free Player
Registry Mechanic
SnagIt
SolSuite 2003: Solitaire Card Games Suite
Spybot - Search & Destroy
Trillian
Virtual Girl Sofia
Visual Studio Net
Winamp
WinMX
WinRAR
WinZip
WS_FTP LE (32-bit)
XoloX Ultra
ZoneAlarm
crack all versions
Cracked
Full version
KeyGen
The mail addresses are collected from the MSN Messenger contact list.
As a payload, the malware displays two message boxes in July containing information about the author and the worm.