Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Mapson is a worm that has no destructive effects. It carries out the following actions on affected computers:
It displays three messages in Spanish:
When it is run, it displays the following message:
Error
Archivo Parcialmente Corrupto remplazelo por uno nuevo
In July this worm displays two windows with the following characteristics:
- Title:
Lorraine Worm [GEDZAC LABS 2003]
- Text:
Creado por Falckon/GEDZAC
- Title:
Lorraine Worm [GEDZAC LABS 2003]
- Text:
Dedicado a mi G. Lorena R. S.,http://www.vsantivirus.com/renalo.htm
On the fourth of each month, Mapson opens the Internet browser and displays a web page containing information about the worm author.
It creates multiple copies of itself on the computer.
Infection strategy
Mapson creates the following files:
- LORRAINE.HTA in the root directory. This file is written in HTML and contains data on the worm author. Mapson runs this file on the fourth of every month.
- LORRAINE.VXD in the root directory.
- LORRAINE.EXE in the Windows System directory.
It also creates multiple copies of itself in the system directory under the following names:
Mapson creates the following entry in the Windows Registry:
Means of transmission
Mapson spreads via e-mail and P2P (peer to peer) file sharing programs.
1- Transmission via e-mail.
Mapson follows the routine below:
- When it is run, it checks if the instant messaging program MSN Messenger is installed.
- If it is, it sends a copy of itself to all of the addresses in the Contact List via e-mail.
- The subjects and texts of the messages are in Spanish and refer to a wide range of topics including security flaws in commonly used applications, virus alerts, movie trailers, etc.
Examples of the message it uses to spread include the following:
- Version 1:
Sender:
bigbrother@bigbrother.tv
Subject:
Big Brother te espera
Message:
Felicidades! le hemos enviado este E-Mail porque usted ha ganado un pasaje a México al programa Reality show BigBrother,si usted quiere participar en este programa deberá abrir el archivo Attachments.
Attachments:
BIGBROTHER.PIF
- Version 2:
Sender:
support@hotmail.com
Subject:
Su cuenta de hotmail sera eliminada
Message:
Estimado usuario de hotmail,debido al trafico en el servidor y a las fallas que se han venido presentando en este presente mes,hemos de informarle que su cuenta será removida de nuestra base de datos en menos de 24 horas, le rogamos por favor lea el Attachments con los pasos para evitar que esto suceda. Atentamente el Equipo tecnico de Hotmail.
Attachments:
HOTMAIL.PIF
- Version 3:
Sender:
support@passport.com
Subject:
10 reglas de seguridad para su cuenta de hotmail
Message:
Amable Usuario de hotmail, la razón de este mail es para darle a conocer las 10 reglas de seguridad que un usuario de passport debe tener en cuenta para evitar que su cuenta sea borrada, hackeada etc...las reglas están en el Attachments.Atentamente equipo tecnico de passport
Attachments:
SEGURIDAD_EN_HOTMAIL.PIF
2- Transmission through P2P file sharing programs.
Mapson follows the routine below:
It creates 362 copies of itself in the shared directories of these programs (KaZaA, KaZaA Lite, eDonkey2000, Gnucleus, Limewire, Morpheus, Grokster or ICQ). Specifically, it copies itself to the following directories:
%ProgramFilesDir%\KaZaA\My Shared Folder\
%ProgramFilesDir%\edonkey2000\incoming\
%ProgramFilesDir%\gnucleus\downloads\
%ProgramFilesDir%\icq\shared files\
%ProgramFilesDir%\kazaa lite\my shared folders\
%ProgramFilesDir%\limewire\shared\
%ProgramFilesDir%\morpheus\my shared folder\
%ProgramFilesDir%\Grokster\My Grokster\
Other users of these programs can access these shared directories. These users can then download these files to their computers, thinking that they are useful computer programs, movies, etc. However, these users will actually download a copy of the worm.
When the downloaded file is run, these computers will be infected by Mapson.
Further Details
Mapson is written in the programming language Delphi. The worm is 180,736 bytes in size and is compressed with UPX.
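The traits given above (copies dropped into the P2P shared directories, a size of 180,736 bytes, UPX compression) can be combined into a triage sweep. The following is an added example, not code from Panda Security; the function names, the extension set and the check for UPX section names are assumptions made for illustration, and the demo uses a constructed placeholder file rather than a real sample.

```python
import tempfile
from pathlib import Path

MAPSON_SIZE = 180_736  # bytes, from "Further Details"
RISKY_EXT = {".pif", ".scr", ".exe", ".com"}  # assumed set: extensions of copies named on this page
SHARED_DIRS = [  # from the P2P section, relative to %ProgramFilesDir%
    r"KaZaA\My Shared Folder", r"edonkey2000\incoming", r"gnucleus\downloads",
    r"icq\shared files", r"kazaa lite\my shared folders", r"limewire\shared",
    r"morpheus\my shared folder", r"Grokster\My Grokster",
]

def match_reasons(path):
    """Return which traits from the write-up a file shows (empty list = none)."""
    if path.suffix.lower() not in RISKY_EXT:
        return []
    reasons = ["executable extension in shared folder"]
    if path.stat().st_size == MAPSON_SIZE:
        reasons.append("size is 180,736 bytes")
    with path.open("rb") as fh:
        head = fh.read(4096)
    # Heuristic: a UPX-packed PE starts with "MZ" and by default names its sections UPX0 / UPX1.
    if head.startswith(b"MZ") and b"UPX0" in head and b"UPX1" in head:
        reasons.append("UPX-packed PE")
    return reasons

def sweep(program_files):
    """Map each suspicious file (path relative to program_files) to its reasons."""
    hits = {}
    for rel in SHARED_DIRS:
        root = Path(program_files).joinpath(*rel.split("\\"))
        for item in sorted(root.iterdir()) if root.is_dir() else []:
            reasons = match_reasons(item) if item.is_file() else []
            if reasons:
                hits[item.relative_to(program_files).as_posix()] = reasons
    return hits

def demo():
    """Build a constructed folder tree (no real sample involved) and sweep it."""
    fake = (b"MZ" + b"\0" * 62 + b"UPX0UPX1").ljust(MAPSON_SIZE, b"\0")
    files = {"BIGBROTHER.PIF": fake, "tool.exe": b"MZ" + b"\0" * 98, "song.mp3": b"ID3"}
    with tempfile.TemporaryDirectory() as pf:
        shared = Path(pf, "KaZaA", "My Shared Folder")
        shared.mkdir(parents=True)
        for name, data in files.items():
            (shared / name).write_bytes(data)
        return sweep(pf)

if __name__ == "__main__":
    print(demo())
```

A file showing all three reasons warrants isolation and a scan with an up-to-date antivirus engine; a single reason only marks an executable sitting in a shared folder for review.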