F-Secure Virus Descriptions : Lilac
The Lilac worm first appeared on 8th of July 2002. The worm is
written in Visual Basic and compressed with the Petite file
compressor. The size of the compressed worm is 12208 bytes.
When the worm's file is started, it shows a fake error message:
Error54: Media Player not installed correctly
The worm copies itself to the TEMP folder of Windows, adds a
startup key for that file to the System Registry and sends itself
to all recipients in the Outlook Address Book and the Windows
Address Book with the following message:
Subject:
FW:FW: LILAC project video attach
Body:
Things that the govt. dont want you to know
Attachment:
LILAC_WHAT_A_WONDERFULNAME.avi.exe
The worm has bugs in its code and can fail to send its
attachment. In this case recipients will get an empty EXE file.
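
The mail characteristics described above can be checked at a mail gateway or against a saved mailbox. The following is an added example, not part of the original F-Secure description: the function names, the extension list in the double-extension rule (a generalisation beyond this one worm) and the sample addresses are assumptions, and the sample message is constructed.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
LILAC_SUBJECT = "FW:FW: LILAC project video attach"
LILAC_ATTACHMENT = "LILAC_WHAT_A_WONDERFULNAME.avi.exe"

# Generalisation (an assumption, not from the page): a media or document
# extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(
    r"\.(avi|mpg|mp3|jpg|gif|txt|doc|pdf)\.(exe|scr|pif|com|bat|vbs)$", re.I)


def inspect_message(raw_bytes):
    """Return a list of findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    if (msg["Subject"] or "").strip().lower() == LILAC_SUBJECT.lower():
        findings.append("lilac-subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        if name.lower() == LILAC_ATTACHMENT.lower():
            findings.append("lilac-attachment-name")
        if DOUBLE_EXT.search(name):
            findings.append("double-extension:" + name)
        # A failed send delivers an empty EXE file, per the description.
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".exe") and not payload:
            findings.append("empty-exe:" + name)
    return findings


def build_sample(subject, filename, data):
    """Build a constructed test message (addresses are placeholders)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(inspect_message(build_sample(LILAC_SUBJECT, LILAC_ATTACHMENT, b"")))
```

The empty-attachment finding covers the failed-send case, where a recipient receives the message without the worm body.
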
The worm also changes the Windows owner information to
'xEnOcrAtEs' and sets the logon text to 'Owned by: xEnOcrAtEs'.
The worm can display a message:
'Your PC is infected with LILAC virus by: xEnOcrAtEs'
Disinfection Instructions:
Delete all LILAC_WHAT_A_WONDERFULNAME.avi.exe files from your
hard drive and restart your computer. If the file can't be
deleted from Windows (locked), you can delete it from pure DOS
(if you have a Windows 9x system) or you can rename it with a
different extension and restart your system (in case you have
an NT-based system). After the restart you will be able to
delete the renamed file.
F-Secure Anti-Virus detects the Lilac worm as 'I-Worm.Calil'
with the updates published on 9th of July 2002.
[FSAV_Database_Version]
Version=2002-07-09_01
[Analysis: Alexey Podrezov; F-Secure Corp.; July 8th, 2002]