MSIL/Lemidon [Threat Name]

MSIL/Lemidon.A [Threat Variant Name]

Category worm
Size 133120 B
Detection created Apr 22, 2010
Detection database version 5049
Aliases W32.SillyIM (Symantec)
  Win32:Rootkit-gen (Avast)
Short description

MSIL/Lemidon.A is a worm that spreads via shared folders and removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\Silverlight.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Silverlight Application" = "%appdata%\Silverlight.exe"

The worm creates the following file:

  • %appdata%\MSNMessengerAPI.dll (57344 B)

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • autorun.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.
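As an added example (not part of the ESET entry), the following PowerShell triage script checks a Windows host for the persistence and removable-media artefacts listed under Installation and Spreading on removable media above. The registry path, value name, file names and sizes come from this page; the check for an `open=` line in autorun.inf is an assumption about standard autorun.inf syntax, not something the entry states.

```powershell
# Added example, not from the ESET entry: hunt for MSIL/Lemidon.A artefacts on a host.
# Run in an elevated PowerShell session. Nothing here opens or executes the samples.
$findings = @()

# 1. Persistence: "Silverlight Application" value under the current user's Run key
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = Get-ItemProperty -Path $runKey -Name 'Silverlight Application' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += [pscustomobject]@{ Type = 'RunKey'; Path = $runKey; Detail = $runValue.'Silverlight Application' }
}

# 2. Dropped files under %appdata% (page sizes: 133120 B worm, 57344 B DLL)
foreach ($name in 'Silverlight.exe', 'MSNMessengerAPI.dll') {
    $p = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $p) {
        $fi   = Get-Item -LiteralPath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Path = $p; Detail = "$($fi.Length) bytes, SHA256 $hash" }
    }
}

# 3. Removable drives (DriveType 2): autorun.inf next to autorun.exe in the root folder
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    $inf  = Join-Path $root 'autorun.inf'
    $exe  = Join-Path $root 'autorun.exe'
    if ((Test-Path -LiteralPath $inf) -and (Test-Path -LiteralPath $exe)) {
        # Assumption: a standard autorun.inf names its target on an "open=" line
        $open = Select-String -LiteralPath $inf -Pattern '^\s*open\s*=' | Select-Object -First 1
        $findings += [pscustomobject]@{ Type = 'Removable'; Path = $root; Detail = $open.Line }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No MSIL/Lemidon.A artefacts found.' }
```

Only the current user's hive is inspected; because the worm writes to HKEY_CURRENT_USER, the same Run-key check must be repeated for every other profile on the machine.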

Spreading via shared folders

The worm tries to copy itself to the available shared network folders.

The following names of the shared network folders are used:

  • \\%remotecomputer%\ADMIN$\
  • \\%remotecomputer%\C$\
  • \\%remotecomputer%\C$\shared\
  • \\%remotecomputer%\D$\
  • \\%remotecomputer%\d$\shared\
  • \\%remotecomputer%\e$\
  • \\%remotecomputer%\e$\shared\
  • \\%remotecomputer%\IPC$\
  • \\%remotecomputer%\PRINT$\

The following filename is used:

  • STARTME.EXE

Spreading via IM networks

MSIL/Lemidon.A is a worm that spreads via IM networks.

If Skype is installed on the infected system, the worm sends a message with a URL to all contacts.

The message contains a link to a file with the following name:

  • %appdata%\Silverlight.exe

Spreading via P2P networks

MSIL/Lemidon.A is a worm that spreads via P2P networks.

The worm searches for shared folders of the following programs:

  • Bearshare
  • Edonkey 2000
  • Emule
  • Grokster
  • Icq
  • Kazaa
  • Limewire
  • Morpheus
  • Shareaza
  • Tesla
  • WinMX

When the worm finds a folder matching the search criteria, it creates a new copy of itself.

The following names are used:

  • %variable%

A string with variable content is used instead of %variable%.

Information stealing

The worm collects information related to the following applications:

  • FileZilla

The worm can send the information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:

  • x.amadox.nl

The IRC protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • spread via IM networks
  • spread via shared folders and P2P networks
  • remove itself from the infected computer
  • send gathered information
