Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.

Lentin.E

Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Lentin.E has the following effects:

  • Lentin.E activates every time a file with an EXE extension is run.
  • It ends several processes if they are active on the affected computer. These processes belong to antivirus programs and firewalls, among others:
    PCCIOMON, PCCMAIN, POP3TRAP, WEBTRAP, AVCONSOL, AVSYNMGR, VSHWIN32, VSSTAT, NAVAPW32, NAVW32, NMAIN, LUALL, LUCOMSERVER, IAMAPP, ATRACK, NISSERV, RESCUE32, SYMPROXYSVC, NISUM, NAVAPSVC, NAVLU32, NAVRUNR, NAVWNT, PVIEW95, F-STOPW, F-PROT95, PCCWIN98, IOMON98, FP-WIN, NVC95, NORTON, MCAFEE, ANTIVIR, WEBSCANX, SAFEWEB, ICMON, CFINET, CFINET32, AVP.EXE, LOCKDOWN2000, AVP32, ZONEALARM, WINK, SIRC32, SCAM32

Infection strategy 

Lentin.E creates the following files:

  • %XXXX%.TXT, a text file with a name made up of four random characters, which is created in the Windows directory. The content of this file is as follows:
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
    iNDian sNakes pResents yAha.E
    iNDian hACkers,Vxers c0me & w0Rk wITh uS & fUCk tHE GFORCE-pAK shites
    bY
    sNAkeeYes,c0Bra
    <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>> <<<>>>
  • KITKAT is a file in MIME format, which is created in the Windows temporary directory.
  • %XXXX%.EXE contains the worm's code and can be created in one of the following directories, depending on the configuration of the affected system: RECYCLER, RECYCLED, or in the Windows directory.
  • %xxxx%% xxxx %.dl is created in the Windows directory. Lentin.E uses this file to store the e-mail addresses to which it sends itself. It obtains these addresses from the Windows Address Book and the following applications: Microsoft Messenger, Yahoo Pager and ICQ.

Lentin.E modifies the following entry in the Windows Registry:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "%1" %*

    Lentin.E modifies it by assigning one of three possible values, depending on the system configuration:
    (Default) = %Recycled%\%xxxx% "%1" %*
    (Default) = %Recycler%\%xxxx% "%1" %*
    (Default) = %windir%\%xxxx% "%1" %*

    where %windir% is the Windows directory.
    By modifying this entry, Lentin.E ensures that it is run every time a file with an EXE extension is run in the affected computer.
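
A check for the registry change described above, as an added example that is not part of the original Panda Security entry: it compares the (Default) value of the exefile open command with the clean value and reports any program interposed before "%1" %*. The function names, the sample values and the default Windows directory C:\WINDOWS are assumptions made for illustration.

```python
import ntpath
import re
import sys

KEY_PATH = r"exefile\shell\open\command"    # under HKEY_CLASSES_ROOT
CLEAN_VALUE = '"%1" %*'                      # default value as given on the page
_TAIL = re.compile(r'\s*"?%1"?\s+%\*\s*$')   # argument template a prefix hijack keeps

def assess_exefile_handler(value):
    """Return (verdict, interposed_program) for the key's (Default) value."""
    if value is None:
        return ("missing", None)
    v = value.strip()
    if v == CLEAN_VALUE:
        return ("clean", None)
    m = _TAIL.search(v)
    program = v[:m.start()].strip().strip('"') if m else ""
    if not program:
        return ("unexpected", None)  # altered, but not the prefix pattern described
    return ("hijacked", program)

def location_hint(program, windir=r"C:\WINDOWS"):
    """Map the interposed program to the three locations the page names.
    The windir default is an assumption; pass the real %windir% when known."""
    parts = ntpath.normcase(program).split("\\")[:-1]
    for name in ("recycled", "recycler"):
        if name in parts:
            return name.upper()
    if ntpath.normcase(ntpath.dirname(program)) == ntpath.normcase(windir):
        return "Windows directory"
    return "other"

def read_live_value():
    """Windows only: read the current (Default) value of the key."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, KEY_PATH) as key:
            return winreg.QueryValueEx(key, "")[0]
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    # Constructed sample values; "qwzx.exe" is a made-up four-character name.
    samples = ['"%1" %*', r'C:\RECYCLED\qwzx.exe "%1" %*', r'C:\WINDOWS\qwzx.exe "%1" %*']
    if sys.platform == "win32":
        samples.append(read_live_value())
    for s in samples:
        verdict, prog = assess_exefile_handler(s)
        print(s, "->", verdict, location_hint(prog) if prog else "")
```

A "hijacked" verdict means some program is launched ahead of every EXE file; the location hint only says whether it sits in one of the three directories this entry lists.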

Means of transmission 

Lentin.E spreads mainly via e-mail in the following way:

  • Lentin.E reaches computers hidden in an e-mail message with a variable subject and message and one of the following attachments:
    LOVELETTER
    RESUME
    BIODATA
    DAILYREPORT
    MOUNTAN
    GOLDFISH
    WEEKLYREPORT
    REPORT
    LOVE

    The attachment has two extensions, the first of which could be MP3, XLS, WAV, TXT, JPG, GIF, DAT, BMP, HTM, MPG or MDB, and the second COM, PIF or BAT.
  • Lentin.E runs automatically when the message carrying the worm is viewed through the Preview Pane or opened. This happens in systems in which Internet Explorer has not been updated. In other systems, Lentin.E will be run when the attached file is opened.
  • Lentin.E sends itself out to every entry in the Outlook Address Book.

Lentin.E creates a false address which appears as the sender of the e-mail message. This action can cause confusion.

Further Details  

Lentin.E is written in the programming language Visual C++. The worm is around 28 Kbytes in size.