Threat Encyclopedia


MSIL/Lemidon.A

Aliases: W32.SillyIM (Symantec), Win32:Rootkit-gen (Avast)
Type of infiltration: Worm
Size: 133120 B
Affected platforms: Microsoft Windows
Signature database version: 5049 (20100422)

Short description

MSIL/Lemidon.A is a worm that spreads via shared folders and removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:
  • %appdata%\Silverlight.exe
In order to be executed on every system start, the worm sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Silverlight Application" = "%appdata%\Silverlight.exe"
The worm creates the following file:
  • %appdata%\MSNMessengerAPI.dll (57344 B)

Spreading on removable media

The worm copies itself into the root folders of removable drives using the following filename:
  • autorun.exe
The following file is dropped in the same folder:
  • autorun.inf
Thus, the worm ensures it is started each time infected media is inserted into the computer.

Spreading via shared folders

The worm tries to copy itself to the available shared network folders.

The following names of the shared network folders are used:
  • \\%remotecomputer%\ADMIN$
  • \\%remotecomputer%\C$
  • \\%remotecomputer%\C$\shared
  • \\%remotecomputer%\D$
  • \\%remotecomputer%\d$\shared
  • \\%remotecomputer%\e$
  • \\%remotecomputer%\e$\shared
  • \\%remotecomputer%\IPC$
  • \\%remotecomputer%\PRINT$
The following filename is used:
  • STARTME.EXE

Spreading via IM networks

MSIL/Lemidon.A is a worm that spreads via IM networks.

If Skype is installed on the infected system, the worm sends a message containing a URL to all contacts.

The message contains a link to a file with the following name:
  • %appdata%\Silverlight.exe

Spreading via P2P networks

MSIL/Lemidon.A is a worm that spreads via P2P networks.

The worm searches for shared folders of the following programs:
  • Bearshare
  • Edonkey 2000
  • Emule
  • Grokster
  • Icq
  • Kazaa
  • Limewire
  • Morpheus
  • Shareaza
  • Tesla
  • WinMX
When the worm finds a folder matching the search criteria, it creates a new copy of itself.

The following filenames are used:
  • %variable%
A string with variable content is used instead of %variable%.

Information stealing

The worm collects information related to the following applications:
  • FileZilla
The worm can send the information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:
  • x.amadox.nl
The IRC protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • perform DoS/DDoS attacks
  • spread via IM networks
  • spread via shared folders and P2P networks
  • remove itself from the infected computer
  • send gathered information
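The indicators listed in this entry (the Run value persistence, the two files dropped under %appdata%, STARTME.EXE written to admin and drive shares, autorun.exe/autorun.inf in a drive root, and the IRC host) expressed as host-triage rules; this is an added example, not ESET's code or detection logic. The event dicts are a constructed Sysmon-like format, and the sample events are made up for the demonstration.

```python
"""Triage rules for the MSIL/Lemidon.A indicators in this entry (added example, not ESET code)."""
import re

# Indicators taken from the entry above; all comparisons are case-insensitive.
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "silverlight application"
DROPPED_FILES = (r"\silverlight.exe", r"\msnmessengerapi.dll")  # written under %appdata%
C2_HOST = "x.amadox.nl"                                          # IRC command host
# STARTME.EXE written to an admin or drive share, optionally under \shared
SHARE_DROP = re.compile(r"^\\\\[^\\]+\\(?:admin\$|ipc\$|print\$|[a-z]\$)(?:\\shared)?\\startme\.exe$", re.I)
# autorun.exe / autorun.inf in the root of a drive (removable-media spreading)
AUTORUN_DROP = re.compile(r"^[a-z]:\\autorun\.(?:exe|inf)$", re.I)

def classify(event):
    """Return a verdict string if the event matches a Lemidon.A indicator, else None."""
    kind = event.get("type")
    if kind == "reg_set":
        if (event.get("key", "").lower().endswith(RUN_KEY_SUFFIX)
                and event.get("name", "").lower() == RUN_VALUE_NAME):
            return "persistence: Run value 'Silverlight Application'"
    elif kind == "file_create":
        path = event.get("path", "")
        low = path.lower()
        if low.endswith(DROPPED_FILES) and "\\appdata\\" in low:
            return f"dropped file under %appdata%: {path}"
        if SHARE_DROP.match(path):
            return f"lateral spread via network share: {path}"
        if AUTORUN_DROP.match(path):
            return f"removable-media autorun drop: {path}"
    elif kind == "net_connect":
        if event.get("host", "").lower() == C2_HOST:
            return f"C2 contact over IRC: {C2_HOST}"
    return None

def triage(events):
    """Return [(index, verdict)] for every event that matched an indicator."""
    return [(i, v) for i, e in enumerate(events) if (v := classify(e))]

# Constructed sample telemetry (not real logs): five matches and one benign Run value.
SAMPLE_EVENTS = [
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "Silverlight Application", "data": r"C:\Users\bob\AppData\Roaming\Silverlight.exe"},
    {"type": "file_create", "path": r"C:\Users\bob\AppData\Roaming\MSNMessengerAPI.dll"},
    {"type": "file_create", "path": r"E:\autorun.inf"},
    {"type": "file_create", "path": r"\\FILESRV01\C$\shared\STARTME.EXE"},
    {"type": "net_connect", "host": "x.amadox.nl"},
    {"type": "reg_set", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive", "data": r"C:\Program Files\OneDrive\OneDrive.exe"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags the first five events and leaves the legitimate Run value alone; in practice the rules would be fed parsed registry, file and network telemetry from the host.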