WORM_LAMIN.AC
Aliases: W32.IRCBot, Worm:Win32/Lamin.A
Platform: Windows 2000, Windows XP, Windows Server 2003
Infection channel: Propagates via instant messaging applications
Trend Micro has received multiple infections similar to this threat from multiple, independent sources, including customer reports and internal sources. These indicate that this threat poses a high risk to users due to the increased possibility of infection.
To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.
This worm opens Microsoft Word in order to hide its malicious routines from the user. It creates registry entries that prevent specific applications from running and that disable the various functions of the Windows Security Center. It also modifies registry entries to lower the security settings of the system and deletes other entries to disable Safe Mode.
For its backdoor routine, this worm is capable of joining a predetermined Internet Relay Chat (IRC) channel, where it can receive commands from a malicious user.
This worm adds registry entries to enable its automatic execution at every system startup.
It modifies certain registry entries to disable Security Center functions. Doing this allows this malware to execute its routines without being detected.
File size: 743,425 bytes
File type: PE
Memory resident: Yes
Initial samples received date: 24 Apr 2010
Payload: Compromises system security, Disables services, Disables Safe Boot
Arrival Details
This worm may be downloaded from the following remote sites:
Installation
This worm drops the following component file(s):
(Note: %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
It drops the following copies of itself into the affected system:
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = %Program Files%\Microsoft Office\OFFICE11\WINWORD.EXE
Other System Modifications
This worm adds the following registry entries as part of its installation routine:
HKEY_CLASSES_ROOT\exefile
NeverShowExt =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = 1
AntiVirusOverride = 1
FirewallDisableNotify = 1
FirewallOverride = 1
FirstRunDisabled = 1
UpdatesDisableNotify = 1
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc
AntiVirusDisableNotify = 1
AntiVirusOverride = 1
FirewallDisableNotify = 1
FirewallOverride = 1
FirstRunDisabled = 1
UpdatesDisableNotify = 1
UacDisableNotify = 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
EnableFileTracing = 1
EnableConsoleTracing = 0
FileTracingMask = ffff0000
ConsoleTracingMask = ffff0000
MaxFileSize = 00100000
FileDirectory = %windir%\tracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
Start = 4
Type = 4
It modifies the following registry entries to disable Security Center functions:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Type = 4 (Note: The default value data of the said registry entry is 20.)
Start = 4 (Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
Type = 4 (Note: The default value data of the said registry entry is 20.)
Start = 4 (Note: The default value data of the said registry entry is 2.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv
Type = 4 (Note: The default value data of the said registry entry is 20.)
Start = 4 (Note: The default value data of the said registry entry is 2.)
It modifies the following registry entries to hide files with Hidden attributes:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 0 (Note: The default value data of the said registry entry is 1.)
ShowSuperHidden = 0 (Note: The default value data of the said registry entry is 1.)
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
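The registry changes listed under Autostart Technique and Other System Modifications double as detection indicators on an offline registry export. The script below is an added example for this page, not Trend Micro code: it parses the text that `reg.exe export` writes, looks for the documented settings, and reports what matched. The export it runs on is a constructed partial snapshot rather than a real capture, and its Winlogon rule (any Shell value other than explorer.exe is reported) generalizes the WINWORD.EXE case the description gives.

```python
"""Triage a Windows registry export (the .reg text that reg.exe export writes)
for the settings listed in the WORM_LAMIN.AC description.

Added example for this page; not Trend Micro code. The export below is a
constructed, partial snapshot of an infected host, not a real capture.
"""
import re

# Constructed sample export: some of the values the description lists, plus one
# service (wuauserv) still at its default so the checks have a negative case.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Type"=dword:00000004
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Type"=dword:00000020
"Start"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000
'''

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def parse_reg_export(text):
    """Return {key path (lower-case): {value name (lower-case): value}}.
    dword values become int, REG_SZ strings are unescaped, anything else
    (hex:, expand strings) is kept as the raw text after '='."""
    tree = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group('key').lower()
            tree.setdefault(current, {})  # keep keys that carry no values
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            raw = m.group('raw')
            if raw.startswith('dword:'):
                value = int(raw[len('dword:'):], 16)
            elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            else:
                value = raw
            tree[current][m.group('name').lower()] = value
    return tree


SECURITY_CENTER = r'hkey_local_machine\software\microsoft\security center'
SC_FLAGS = ('antivirusdisablenotify', 'antivirusoverride', 'firewalldisablenotify',
            'firewalloverride', 'firstrundisabled', 'updatesdisablenotify',
            'uacdisablenotify')
SERVICES = ('wscsvc', 'sharedaccess', 'wuauserv', 'windefend')
WINLOGON = r'hkey_current_user\software\microsoft\windows nt\currentversion\winlogon'
POLICIES = r'hkey_local_machine\software\microsoft\windows\currentversion\policies\system'
ADVANCED = r'hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced'
SAFEBOOT = r'hkey_local_machine\system\currentcontrolset\control\safeboot'


def find_indicators(tree, expect_safeboot=False):
    """Return (key, value name, observed value) tuples that match the description.
    Pass expect_safeboot=True only for a full SYSTEM-hive export: a partial
    export cannot show that the SafeBoot key is missing."""
    hits = []

    def get(key, name):
        return tree.get(key, {}).get(name)

    # Winlogon Shell is normally explorer.exe; the worm points it at WINWORD.EXE.
    shell = get(WINLOGON, 'shell')
    if isinstance(shell, str) and not shell.lower().endswith('explorer.exe'):
        hits.append((WINLOGON, 'shell', shell))
    # Security Center notification/override flags forced to 1 in both keys.
    for key in (SECURITY_CENTER, SECURITY_CENTER + r'\svc'):
        for name in SC_FLAGS:
            if get(key, name) == 1:
                hits.append((key, name, 1))
    # Firewall, Security Center, Windows Update and Defender services disabled (Start=4).
    for svc in SERVICES:
        key = r'hkey_local_machine\system\currentcontrolset\services' + '\\' + svc
        if get(key, 'start') == 4:
            hits.append((key, 'start', 4))
    if get(POLICIES, 'enablelua') == 0:
        hits.append((POLICIES, 'enablelua', 0))
    for name in ('superhidden', 'showsuperhidden'):
        if get(ADVANCED, name) == 0:
            hits.append((ADVANCED, name, 0))
    if expect_safeboot and SAFEBOOT not in tree:
        hits.append((SAFEBOOT, None, 'key missing'))
    return hits


if __name__ == '__main__':
    for key, name, observed in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f'{key}  {name} = {observed!r}')
```

On the constructed snapshot the script reports six matches (the Winlogon Shell, two Security Center flags, wscsvc disabled, EnableLUA = 0 and ShowSuperHidden = 0) and stays quiet about wuauserv, which is still at its default. Keys and value names are compared case-insensitively because Windows treats them that way and exports from different tools differ in capitalization.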
Propagation
This worm sends copies of itself to target recipients using the following instant-messaging (IM) applications:
Other Details
This worm does the following:
Solution
Minimum scan engine: 8.900
First VSAPI pattern file: 7.124.01
First VSAPI pattern release date: 24 Apr 2010
VSAPI OPR pattern version: 7.125.00
VSAPI OPR pattern release date: 24 Apr 2010
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Identify and terminate files detected as WORM_LAMIN.AC
Step 3
Enable Registry Editor
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
Step 5
Delete this registry key
Step 6
Restore this modified registry value
Step 7
Search and delete this file
Step 8
Scan your computer with your Trend Micro product to delete files detected as WORM_LAMIN.AC. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
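Steps 4 to 6 above delete the values and keys the worm added and restore the values it modified. As an added example for this page (not a Trend Micro tool), the script below assembles a .reg file that does exactly that, grouped by step and using the default values the description notes. Names and paths come from the description; the WinDefend service and the deleted SafeBoot key are left out because the page does not give enough information to restore them, so those must be compared against a clean system of the same Windows version. The generated file is meant to be reviewed before it is imported.

```python
"""Write a .reg file that reverses the registry changes documented for
WORM_LAMIN.AC, grouped the way the removal steps on this page are.

Added example for this page, not a Trend Micro tool. Default values are the
ones the description states; nothing here is taken from a live machine.
Not covered: the SafeBoot key the worm deletes (its contents are not on this
page) and the WinDefend service (whether it exists depends on the Windows
version). Both should be compared with a clean reference system.
"""

SECURITY_CENTER = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center'
SC_FLAGS = ('AntiVirusDisableNotify', 'AntiVirusOverride', 'FirewallDisableNotify',
            'FirewallOverride', 'FirstRunDisabled', 'UpdatesDisableNotify',
            'UacDisableNotify')
SERVICES = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'

# Step 4: values the description says the worm added, so they are deleted.
ADDED_VALUES = {
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon': ('Shell',),
    r'HKEY_CLASSES_ROOT\exefile': ('NeverShowExt',),
    SECURITY_CENTER: SC_FLAGS,
    SECURITY_CENTER + r'\Svc': SC_FLAGS,
    # EnableLUA is listed as added; it has no default on the listed platforms.
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system': ('EnableLUA',),
}
# Step 5: keys the worm created.
ADDED_KEYS = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG',)
# Step 6: values the worm modified, with the defaults the description notes.
# The description's "20" for Type is hexadecimal, as regedit shows it
# (0x20 = SERVICE_WIN32_SHARE_PROCESS); Start 2 = automatic start.
MODIFIED_VALUES = {
    SERVICES + r'\SharedAccess': {'Type': 0x20, 'Start': 2},
    SERVICES + r'\wscsvc': {'Type': 0x20, 'Start': 2},
    SERVICES + r'\wuauserv': {'Type': 0x20, 'Start': 2},
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced':
        {'SuperHidden': 1, 'ShowSuperHidden': 1},
}


def render_reg(added_values=ADDED_VALUES, added_keys=ADDED_KEYS,
               modified_values=MODIFIED_VALUES):
    """Return the .reg text. In this format '"Name"=-' deletes a value,
    '[-Key]' deletes a whole key, and 'dword:' values are 8 hex digits."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, names in added_values.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{name}"=-' for name in names)
        lines.append('')
    for key in added_keys:
        lines += [f'[-{key}]', '']
    for key, values in modified_values.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{name}"=dword:{value:08x}' for name, value in values.items())
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    # Regedit expects version-5.00 files in UTF-16; text mode supplies CRLF on Windows.
    with open('lamin_cleanup.reg', 'w', encoding='utf-16') as handle:
        handle.write(render_reg())
    print('wrote lamin_cleanup.reg; review it against a clean system before importing')
```

Keeping the three groups as plain dictionaries makes it easy to drop an entry when a machine turns out not to have been changed in that spot, which is the normal case when the same cleanup file is reused on several hosts.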