
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Lentin.L

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Lentin.L terminates several processes belonging to antivirus programs and firewalls on affected computers, if they are active. The processes are:

_AVP32, _AVPCC, _AVPM, ACKWIN32, ALERTSVC, AMON.EXE, ANTIVIR, TRACK, AVCONSOL, AVP.EXE, AVP32, AVPCC.EXE, AVPM.EXE, AVSYNMGR, CFINET, CFINET32, ESAFE.EXE, F-AGNT95, F-PROT95, FP-WIN, FRW.EXE, F-STOPW, IAMAPP, IAMSERV.EXE, ICMON, IOMON98, LOCKDOWN2000, LOCKDOWNADVANCED, LUALL, LUCOMSERVER, MCAFEE, N32SCANW, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NISSERV, NISUM, NMAIN, NOD32, NORTON, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NVC95, PCCIOMON, PCCMAIN, PCCWIN98, PCFWALLICON, POP3TRAP, PVIEW, PVIEW95, REGEDIT, RESCUE32, RMVTRJANSAFEWEB, SCAN32, SWEEP95, SYMPROXYSVC, TDS2-98, TDS2-NT, VET95, VETTRAY, VSECOMR, VSHWIN32, VSSTAT, WEBSCANX, WEBTRAP, ZONEALARM.

Infection strategy 

Lentin.L creates the following files in the Windows system directory:

  • WINSERVICES.EXE, NAV32_LOADER.EXE and TCPSVS32.EXE, which contain the worm's code.
  • WINLOADER32.DLL, which is only created on computers running Windows XP/2000/NT operating systems.

Lentin.L also creates copies of itself in the Windows system directory under names selected at random from the following list:

  • BE_HAPPY.SCR
  • BEST_FRIEND.SCR
  • COLOUR_OF_LIFE.SCR
  • DANCE.SCR
  • FRIEND_FINDER.EXE
  • FRIEND_HAPPY.SCR
  • FRIENDSHIP.SCR
  • FRIENDSHIP_FUNNY.SCR
  • FUNNY.SCR
  • GC_MESSENGER.EXE
  • HOTMAIL_HACK.EXE
  • I_LIKE_YOU.SCR
  • LIFE.SCR
  • LOVE.SCR
  • SHAKE.SCR
  • SWEET.SCR
  • TRUE_LOVE.SCR
  • WORLD_OF_FRIENDSHIP.SCR

Lentin.L creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WinServices.exe = C:\%System%\WinServices.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    WinServices.exe = C:\%System%\WinServices.exe
    With this entry, Lentin.L ensures that it is run every time Windows is started.
  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    The following value is applied to this entry: nav32_loader.exe""%1"%*. By doing this, Lentin.L configures itself to run every time a file with an EXE extension is run.
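
A triage check for the three registry changes listed above, written as an added example (not code from Panda Security): it parses `reg export`-style text and flags Run/RunServices values that launch one of the worm's file names, and an `exefile\shell\open\command` default that differs from the stock Windows value `"%1" %*`. The function names and the sample export are constructed for illustration.

```python
import re

# File names the page says hold the worm's code in the system directory.
WORM_FILES = {"winservices.exe", "nav32_loader.exe", "tcpsvs32.exe"}
CV = r"hkey_local_machine\software\microsoft\windows\currentversion"
RUN_KEYS = {CV + r"\run", CV + r"\runservices"}
EXE_CMD_KEY = r"hkey_classes_root\exefile\shell\open\command"
EXE_CMD_STOCK = '"%1" %*'  # unmodified Windows handler for .exe files

# One string value line of a .reg export: "name"="data" or @="data".
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg escaping of backslashes and double quotes.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for string values in .reg export text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def find_lentin_persistence(text):
    """Return (kind, key, data) for entries matching the page's description."""
    findings = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if k in RUN_KEYS:
            # Compare every executable name in the command line to the list.
            exes = re.findall(r'[^\\/"\s]+\.exe', data.lower())
            if WORM_FILES.intersection(exes):
                findings.append(("autorun", key, data))
        elif k == EXE_CMD_KEY and name == "" and data != EXE_CMD_STOCK:
            findings.append(("exe-handler-hijack", key, data))
    return findings

# Constructed sample export (not taken from a real infected host).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinServices.exe"="C:\\WINDOWS\\System32\\WinServices.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\System32\\nav32_loader.exe\" \"%1\" %*"
'''
```

Restoring the `exefile` handler to `"%1" %*` matters during cleanup: if the worm file is deleted while the hijacked value remains, EXE files will no longer launch.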

Means of transmission 

Lentin.L mainly uses e-mail to spread. Lentin.L reaches computers hidden in an e-mail message with variable characteristics:

  • Subject: Variable.
  • Message: Variable.
  • Attachments: Variable.
  • Sender: Variable.

Lentin.L uses its own SMTP engine to send infected e-mail messages to all the contacts in the Windows, MSN Messenger, .NET Messenger and Yahoo Pager Address Books, and to the addresses it finds in files with an HTM extension.

Lentin.L tries to use the default SMTP server address in the infected computer to send out the e-mail messages, but if it does not find the necessary information, it uses one of the many SMTP server addresses contained in its code.

Further Details  

Lentin.L is written in the C++ programming language. The file that carries out the infection is compressed with UPX and is 34,304 bytes in size.