
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Lentin.K

 
Threat level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Lentin.K ends the following processes belonging to antivirus and firewall programs if they are active:

_AVP32, _AVPCC, _AVPM, ACKWIN32, ALERTSVC, AMON.EXE, ANTIVIR, TRACK, AVCONSOL, AVP.EXE, AVP32, AVPCC.EXE, AVPM.EXE, AVSYNMGR, CFINET, CFINET32, ESAFE.EXE, F-AGNT95, F-PROT95, FP-WIN, FRW.EXE, F-STOPW, IAMAPP, IAMSERV.EXE, ICMON, IOMON98, LOCKDOWN2000, LOCKDOWNADVANCED, LUALL, LUCOMSERVER, MCAFEE, N32SCANW, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NISSERV, NISUM, NMAIN, NOD32, NORTON, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NVC95, PCCIOMON, PCCMAIN, PCCWIN98, PCFWALLICON, POP3TRAP, PVIEW, PVIEW95, REGEDIT, RESCUE32, RMVTRJANSAFEWEB, SCAN32, SWEEP95, SYMPROXYSVC, TDS2-98, TDS2-NT, VET95, VETTRAY, VSECOMR, VSHWIN32, VSSTAT, WEBSCANX, WEBTRAP, ZONEALARM.

Infection strategy 

Lentin.K creates the following files in the Windows system directory:

  • WINSERVICES.EXE, NAV32_LOADER.EXE and TCPSVS32.EXE, which contain the worm's code.
  • WINLOADER32.DLL. This file is a DLL (Dynamic Link Library) that is only created on computers with Windows XP/2000/NT operating systems.

Lentin.K also creates copies of itself in the Windows system directory under names selected at random from the following list:
  • BE_HAPPY.SCR
  • BEST_FRIEND.SCR
  • COLOUR_OF_LIFE.SCR
  • DANCE.SCR
  • FRIEND_FINDER.EXE
  • FRIEND_HAPPY.SCR
  • FRIENDSHIP.SCR
  • FRIENDSHIP_FUNNY.SCR
  • FUNNY.SCR
  • GC_MESSENGER.EXE
  • HOTMAIL_HACK.EXE
  • I_LIKE_YOU.SCR
  • LIFE.SCR
  • LOVE.SCR
  • SHAKE.SCR
  • SWEET.SCR
  • TRUE_LOVE.SCR
  • WORLD_OF_FRIENDSHIP.SCR

Lentin.K creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WinServices.exe = %sysdir%\WinServices.exe

    where %sysdir% is the Windows system directory.
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    WinServices.exe = %sysdir%\WinServices.exe

    By creating this entry, Lentin.K ensures it is run whenever Windows is started.

Lentin.K modifies the following entry in the Windows Registry:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "%1"%*

    Lentin.K changes the value (Default) = "%1"%* to nav32_loader.exe""%1"%*, thus leaving the entry as follows:
    HKEY_CLASSES_ROOT\exefile\shell\open\command
    nav32_loader.exe""%1"%*

    By doing so, Lentin.K ensures that it is run every time a file with an EXE extension is run.
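
A defender-side check for the registry changes listed above, as an added example that is not part of the original write-up: it parses the text output of the Windows `reg query` command and flags the autorun values and a non-default exefile open command. The sample output, the system32 path and the function names are constructed for illustration.

```python
import re

# Indicators from the write-up above (compared case-insensitively).
WORM_FILES = {"winservices.exe", "nav32_loader.exe", "tcpsvs32.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runservices")
EXE_HANDLER_KEY = "\\exefile\\shell\\open\\command"
# Clean handler value with whitespace removed, so "%1"%* and "%1" %* both pass.
CLEAN_EXE_HANDLER = '"%1"%*'

def parse_reg_query(text):
    """Parse `reg query` text output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line = registry key path
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = re.match(r"\s+(.+?)\s{2,}(REG_\w+)\s*(.*)$", line)
            if m:
                current[m.group(1).lower()] = m.group(3).strip()
    return keys

def find_lentin_k(text):
    """Return (kind, key, data) findings for the registry changes described."""
    findings = []
    for key, values in parse_reg_query(text).items():
        if key.endswith(RUN_KEYS):
            for data in values.values():
                base = data.replace('"', "").split("\\")[-1].lower()
                if base in WORM_FILES:
                    findings.append(("autorun", key, data))
        elif key.endswith(EXE_HANDLER_KEY):
            data = values.get("(default)", "")
            if "".join(data.split()) != CLEAN_EXE_HANDLER:
                findings.append(("exe-handler-hijack", key, data))
    return findings

# Constructed sample of `reg query` output from an affected machine.
SAMPLE_INFECTED = r'''
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WinServices.exe    REG_SZ    C:\WINDOWS\system32\WinServices.exe

HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    nav32_loader.exe""%1"%*
'''

if __name__ == "__main__":
    for finding in find_lentin_k(SAMPLE_INFECTED):
        print(finding)
```

The exefile check compares against the known-good handler rather than looking for the worm's file name, so it also flags any other program that has inserted itself into the EXE open command.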

Means of transmission 

Lentin.K mainly spreads via e-mail. In order to do so, it follows the routine below:

  • It reaches the computer in a message with variable characteristics:

    Sender: any of the following, among others:
    Klein Anderson
    Codeproject
    SQL Library
    me2K
    Rocking Stone
    Super Soccer
    Sexy Screensavers
    Real Inc.
    Plus 6
    Plus 2


    Subject: any of the following, among others:
    Are you a Soccer Fan ?
    Are you beautiful
    Are you in Love
    Are you looking for Love
    Are you the BEST
    Check it out
    Check this shit
    Check ur friends Circle
    Demo KOF 2002
    Feel the fragrance of Love


    Message: any of the following, among others:
    hey, did u always dreamnt of hacking ur friends hotmail account..
    finally i got a hotmail hack from the internet that really works..
    ur my best friend thats why sending to u..
    check it..just run it..enter victim's address and u will get the pass.

    hi,
    check the attached love screensaver
    and feel the fragrance of true love..


    Hi,
    check the attached screensaver..
    its really wonderfool..
    i got it from freescreensavers.com


    Attachments: any of the following:
    BE_HAPPY.SCR, BEAUTIFULL.SCR, BEST_FRIEND.SCR, BODY_BUILDING.SCR, BRITNEY_SAMPLE.SCR, CODEPROJECT.SCR, COLOUR_OF_LIFE.SCR, CUPID.SCR, DANCE.SCR, FIXELKERN.COM, FIXKLEZ.COM, FREAKOUT.EXE, FRIEND_FINDER_EXE, FRIEND_HAPPY.SCR, FRIENDSHIP.SCR, FRIENDSHIP_FUNNY.SCR, FUNNY.SCR, GC_MESSENGER_EXE, HACKER.SCR, HACKER_THE_LOVESTORY.SCR, HARDCORE4FREE.SCR, HOTMAIL_HACK_EXE.SCR, I_LIKE_YOU.SCR, I_LOVE_YOU.SCR, JENNA_JEMSON.SCR, KING_OF_FIGTHERS.EXE, KOF.EXE, KOF_DEMO.EXE, KOF_FIGHTING.EXE, KOF_SAMPLE.EXE, KOF_THE_GAME.EXE, KOF2002.EXE, LIFE.SCR, LOVE.SCR, MY_SEXY_PIC.SCR, MYPIC.SCR, MYPROFILE.SCR, NOTES.EXE, PEACE.SCR, PLAYBOY.SCR, PLUS2.SCR, PLUS6.SCR, PROJECT.EXE, RAVS.SCR, REAL.SCR, ROMANTIC.SCR, ROMEO_JULIET.SCR, SCREENSAVERS.SCR, SERVICES.SCR, SEX.SCRSOCCER.SCR, SEXY_JENNA.SCR, SHAKE.SCR, SQL_4_FREE.SCR, STONE.SCR, SWEET.SCR, SWEETHEART.SCR, THE_BEST.SCR, THEROCK.SCR, TRUE_LOVE.SCR, UP_LIFE.SCR, VALENTINES_DAY.SCR, VXER_THE_LOVESTORY.SCR, WAYS_TO_EARN_MONEY.EXE, WORLD_OF_FRIENDSHIP.SCR, WORLD_TOUR.SCR, XXX4FREE.SCR, ZDENKA.SCR and ZXXX_BROWSER.EXE
  • The computer will be affected when the attached file is run.
  • It searches for e-mail addresses in files with an HTM extension.
  • Lentin.K sends itself out to all the addresses it has gathered and to all the contacts in the Windows, MSN Messenger, .NET Messenger and Yahoo Pager Address Books using its own SMTP engine. (Lentin.K tries to use the default SMTP server configured on the affected computer to send out the e-mail messages, but if it does not find the necessary information, it uses one of the many SMTP servers that its code contains.)

Further Details  

Lentin.K is written in the programming language C++. The worm is 34,304 bytes in size and it is compressed with UPX.