Lentin.M

 
Threat Level: Moderate threat
Damage: High
Distribution: Not widespread

Effects 

Lentin.M carries out the following actions:

  • It terminates several processes corresponding to antivirus programs and firewalls, if they are active. These processes are:

    _AVP32, _AVPCC, _AVPM, ACKWIN32, ALERTSVC, AMON.EXE, ANTIVIR, TRACK, AVCONSOL, AVP.EXE, AVP32, AVPCC.EXE, AVPM.EXE, AVSYNMGR, CFINET, CFINET32, ESAFE.EXE, F-AGNT95, F-PROT95, FP-WIN, FRW.EXE, F-STOPW, IAMAPP, IAMSERV.EXE, ICMON, IOMON98, LOCKDOWN2000, LOCKDOWNADVANCED, LUALL, LUCOMSERVER, MCAFEE, N32SCANW, NAVAPSVC, NAVAPW32, NAVLU32, NAVRUNR, NAVW32, NAVWNT, NISSERV, NISUM, NMAIN, NOD32, NORTON, NPSSVC, NRESQ32, NSCHED32, NSCHEDNT, NSPLUGIN, NVC95, PCCIOMON, PCCMAIN, PCCWIN98, PCFWALLICON, POP3TRAP, PVIEW, PVIEW95, REGEDIT, RESCUE32, RMVTRJANSAFEWEB, SCAN32, SWEEP95, SYMPROXYSVC, TDS2-98, TDS2-NT, VET95, VETTRAY, VSECOMR, VSHWIN32, VSSTAT, WEBSCANX, WEBTRAP and ZONEALARM.
  • It displays the following error message on screen when it is run:

Infection strategy 

Lentin.M creates the following files in the Windows system directory:

  • WINSERVICES.EXE, NAV32_LOADER.EXE and TCPSVS32.EXE. These files are copies of the worm.

Lentin.M creates the following entries in the Windows Registry:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    WinServices = %sysdir%\WinServices.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    WinServices = %sysdir%\WinServices.exe

    where %sysdir% is the Windows system directory.
    By creating these entries, Lentin.M ensures that it is run whenever Windows is started.

Lentin.M modifies the following entry of the Windows Registry:

  • HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = "%1" %*

    It changes this entry to:

    HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default) = %sysdir%\nav32_loader.exe "%1" %*


    By modifying this entry, Lentin.M activates whenever a file with an EXE extension is run.
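
A defender-side check for the registry changes described above, as an added example that is not part of the original write-up: it parses a text registry export and flags an exefile\shell\open\command default that differs from "%1" %*, plus Run and RunServices values that point at the listed worm file names. The sample export and its paths are constructed, and the export is assumed to be already decoded to text.

```python
import re

# Keys, the clean handler value and file names come from the write-up above.
EXPECTED_EXEFILE = '"%1" %*'  # clean (Default) handler for .exe files
EXEFILE_KEY = r"hkey_classes_root\exefile\shell\open\command"
AUTORUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
)
WORM_FILES = ("winservices.exe", "nav32_loader.exe", "tcpsvs32.exe")
# One string value line of a .reg export: @="data" or "name"="data"
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = VALUE_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(1)[1:-1])
            yield key, name, unescape(m.group(2))

def find_lentin_indicators(reg_text):
    """Return (kind, key, value_name, data) for entries matching the write-up."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        k = key.lower()
        if k == EXEFILE_KEY and name == "(Default)" and data != EXPECTED_EXEFILE:
            findings.append(("exefile-hijack", key, name, data))
        elif k in AUTORUN_KEYS and any(f in data.lower() for f in WORM_FILES):
            findings.append(("autorun", key, name, data))
    return findings

# Constructed sample export; the paths are illustrative, not from a real host.
SAMPLE_REG = r'''
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM\\nav32_loader.exe \"%1\" %*"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
"ctfmon"="C:\\WINDOWS\\SYSTEM\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinServices"="C:\\WINDOWS\\SYSTEM\\WinServices.exe"
'''
```

The exefile check flags any deviation from the clean value, so it also catches other handlers inserted in front of "%1", not only nav32_loader.exe.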

Means of transmission 

Lentin.M spreads via e-mail. It follows the routine below:

  • It reaches the computer in an e-mail message with the following characteristics:

    Sender: it is variable.

    Subject: it is variable.

    Message: it is variable.

    Attachments: it is variable.
  • The computer is affected when the attached file is run.
  • Lentin.M searches for e-mail addresses in files that contain the text ht or hotmail.
  • Lentin.M sends out a copy of itself to all the addresses it has gathered, and to all the contacts in the Windows, MSN Messenger and Yahoo Pager Address Books. In order to do so, Lentin.M tries to use the default SMTP server address in the infected computer to send out the e-mail messages, but if it does not find the necessary information, it uses one of the many SMTP server addresses contained in its code.

Further Details  

Lentin.M is written in the programming language C++. This worm is 28,672 bytes in size when it is compressed with UPX, and 61,440 bytes once it is decompressed.

Last updated:  08/01/2003 
