Likun is a Visual Basic Script worm, which disguises itself as a
tool that can speed up the user's computer.
Once executed the worm copies its code in a file xp32dll.vbs in the Windows
folder. Then it modifies the Windows registry to run during next restart.
After that the script opens Outlook application and attempts to send an
email message to all addresses found in Outlook's address book. It adds
these email addresses in the hidden Bcc area of the email message. The sent
email looks as follow:
Subject: New Tool !
Body: This tool can speed up your PC up to 15% !
Attachment: <the script file>
Due a bug in the worm code, the mass mailing does not work.
Finally Likun executes its payload: It searches for all mapped
and network drives and tries to delete all files from all found
folders and sub folders.
There are a few known variants of Likun worm. All they are
detected by F-Secure Anti-Virus as I-Worm.Likun as well as with
the heuristics.
[Analysis: Katrin Tocheva, F-Secure Corp.; November 5th, 2002]
![](/images/pixel.gif"){kind=tracking}
