Email-Worm.Win32.Lentin


Hello everyone, and whoa, it’s time for a new video. Today we’re taking a look at the Lentin e-mail worm. I actually have two variants here, as they do slightly different things. But, in the end they’re by the same author, and wind up doing mostly the same stuff.

So, before we go ahead and look at this, I just wanna prove that programs do indeed work on this computer. (clicking) So we have AIM installed, as you can see it comes up normally and works. (more clicking) We can also run stuff like regedit… (typing) Ignore these, uh, the graphical problems, they started popping up whenever I resize the Virtual Machine window. (clicking) But, whatever, and Task Manager works, all the stuff works.

So, first of all run this D variant, and this is the C variant, and this is D… (clicking) go ahead and run it… and this worm arrives in an email message pretending to be a screensaver, hence the .scr extension. And, appropriately enough, it acts like a screensaver. “I like U very much, True Love never ends” printed in different lines and angles across the screen, in different colors… And every time it changes the message it shakes things up a little bit and shakes your desktop. And, like a real screensaver when you move your mouse it goes away… (clicking) Still got a little artifacting here but that’s alright.

We run AIM, and we notice that this screensaver program runs with it, that’s kinda weird. (clicking) And unfortunately, we cannot see the emails it sends, as it doesn’t do it in a way a user can see it. (clicking) But, we notice this with any program we try to run. Explorer, we get this screensaver pop up. Notepad… They all run, but we still get this message that the program has crashed.

However, the C variant is a little more insidious, we’ll go ahead and run this… And, it doesn’t appear to have done anything but now… (error sound) All of our programs no longer work! “aim.exe, The specified path does not exist.” What it does, it just doesn’t work, (error sound) the AIM installer doesn’t work, the other version of the worm of course still works, that’s good. Let’s see, if we rename this to “lentin.scr”, let’s see if we can change things a little bit… (typing) Maybe that will let it run? (typing) (Windows prompt sound) That should- Oh hey, it works! Okay, so I guess the way the worm blocks programs from running is that it prevents anything not named with a .scr extension from running, that’s kinda weird. It doesn’t seem to be actually launching though (error sounds) and we can’t get rid of it. But anyway, all of our other programs do not work. (error sound) Task Manager, regedit, Notepad… just all blocked. The worm sits in memory and doesn’t allow these programs to run. It also does this in Safe Mode which makes it pretty difficult to actually remove.

(clicking) And finally this C variant drops a randomly named text file in the Windows directory, and in this case it has no name at all, let’s see… “Origin: India, Dedicated to: All the Stupid SW Prof’s that thinks they are the Masters…” “LOL, Still I am not a SW Prof… Anybody want my service?Sent a mail. Confident in MFC, W32API, C, VC++…” “TO AV’S: Who the hell named my Valentine worm to yaha? Stupid AVs, they don’t know what my worm is doing…lol lol lol lol lol lol.” Good message. There should be another one in here that’s randomly named… here we go, huodu. Same message, alright. I swear it was printing a different message before… There we go! “I like Klez, Sircam, But I hate the bullshit payloads. Is I am a good coder?? Still I have doubt huhh!!!” “Beware Indian Hackers… Tomarrow is ours!!!” So you better watch out, because he means business.

And other than completely blocking your computer’s functionality, Lentin really doesn’t do much else. I’m sorry again that I can’t show you the emails, but they’re the standard kind of spammy, Engrishy emails you would expect to contain a virus or a worm, which in this case it does. And that’s really about it for the Lentin worm.

Thank you for watching, and I will have some videos coming up in the near future discussing the future of this channel and what direction I wanna take it. In particular, I’m thinking about a new sort of series of videos focusing on user-made and submitted viruses and malware. Uh, if that’s something you wanna see, like leave me a comment or wait for those videos. There will be polls with them, and you can vote and stuff. It’ll be all fancy, but I just really want to determine where to go with this channel and what you guys want to see on this channel. Thank you for watching, that is about it for the Lentin worm, and take care.

100 comments

  1. This email worm stops files from launching, but the worm sits in memory, but you can't run programs like: regedit, taskmgr, explorer.exe, notepad, iexplore.exe.

  2. I miss my old Windows XP Professional. I have to install Windows 7 because the internet isn't working so well in the old system. I don't know why, but I really love the Win XP Error Sound. xD

  3. I just saw the date when this uploaded. And then the operating system. Windows XP + Lentin + Over April 8, 2014 = NO|NO

  4. C:/YOUTUBE/VIDEO.MP4
    File Does Not Exist
    C:/YOUTUBE/GOODVIDEOS.ZIP
    File does Not Exist
    Shutdown.exe missing
    Power.exe missing

  5. By any chance is the author the same one or related to the person who made the Sevgi trojan? The icons are the same for both this and Sevgi (a heart). I don't know if the heart is a generic icon though so correct me if I'm wrong.

  6. C:YOUTUBEDESCRIPTION.EXE
    The specified path does not exist.

    Check the path, and then try again.

    OK
    XD I GET IT NOW

  7. i'd say avoid playing with user malware because it's like when a talk show host goes to the phones because he's run out of content. unless it's funny or so interesting you can't keep it to yourself. instead, test ways of fucking up windows 7 and beyond with things you can download. i'd love to see someone competent explore the deep web too.

  8. scr = exe

    Oh no…I just got an awful thought about these screensaver download sites from back in the day.

  9. If anyone doesn't understand the "yaha" message, this virus was originally named the "Yaha" worm, and it's most likely that this is a variant.

  10. Come on, Dan, who stores YT at C drive? That's hella dangerous, you could get a virus in it! You need a hard drive specially for YT.

  11. C:/YOUTUBE/USER10001/NYANCATBOY789/COMMENTS/COMMENT.EXE
    Specified file could not be found.
    edit C:/YOUTUBE/Permissions
    Nope.
    mkdir %random%
    1029
    tskill "Type.exe"

    Ok…

  12. YOUTUBE Text Editor
    ———————————————————————————————————
    [Insert a comment with rhythm here]

  13. Someone has to make a snake virus where if you execute it you will play snake on your desktop but every fruit the snake eats is a piece of data (some system files, bootmgr.exe, etc.) that gets deleted. However, if you die, your pc will restart and format your drive on startup so your pc won't start up again.

  14. Why is the smiley icon so common (especially in your videos–btw I am a subscriber to you on my personal account so I watch a lot of your vids)

    -dragonitewolf223 from the Dragonite Wolves

  15. C:YOUTUBEDESCRIPTION.TXT
    specified path does not exist.

    Check the path, and then try again.

    OK

    AFTER CLICKING OK: cyoutubeopendescription.exe have status code -6S7S7D627. and system needs to restart. If you want to prevent these errors, try uninstall application or check is valid win32 file.

  16. X=Msgbox("C:YOUTUBEDESCRIPTION.EXE The specified path does not exist. Check the path, and then try again.",1+48,"YouTube.exe")

  17. C:YOUTUBECOMMENT.TXT
    The specified path does not exist.

    Check the path, and then try again.

    OK

  18. The first letter is the 4th letter in left-to-right alphabet.
    The second letter is before the first letter by 3.
    The third letter is the 3rd letter in the name Dan.
    The fourth letter is a round letter in the alphabet, but not a symbol.
    The fifth letter is the third-to-last letter in the sentence before this one, including the period.
    The sixth letter is the answer to the sentence before, but with a tiny bit removed.
    The seventh letter is the 7th letter in reverse alphabet.
    The eighth letter is the first number from right-to-left on your keyboard.
