F-Secure Virus Descriptions : Worm.P2P.Lolol
This worm spreads via the Kazaa file sharing network.
The worm also carries a backdoor routine: it connects to an IRC channel and listens for commands from its "master".
The worm itself is a Windows PE EXE file about 60 KB in size, written in Microsoft Visual C++.
When an infected file is run, the installation routine gets control.
Installation
While installing, the worm copies itself to the Windows system directory under the name "syscfg32.exe"
and registers that file in two system registry auto-run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Configuration Loader = syscfg32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Configuration Loader = syscfg32.exe
Spreading
The worm copies itself to the following directories:
C:\program files\kazaa\my shared folder\
C:\program files\kazaa lite\my shared folder
C:\My Downloads\
under the following names:
play station emulator crack.exe
play station emulator.exe
warcraft 3 serials.pif
warcraft 3 crack.exe
100 free essays school.pif
aol password cracker.exe
aim password cracker
aol cracker.exe
aim cracker.exe
steal usernames.exe
how to hack.exe
divx pro.exe
how to use a shell.pif
Virtua Girl (Full).exe
worldbook.exe
GTA 3 Serial.exe
GTA 3 Crack.exe
gta3.exe
driver.exe
virtua girl - adriana.pif
virtua girl - bailey short skirt.pif
etc. (about 80 different names in total).
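As an added triage example (not part of the original description, and not F-Secure's or Kaspersky's code), the following Python script checks a registry export and a list of file paths against the installation and spreading indicators listed above: the "Configuration Loader" values under the Run and RunServices keys pointing at syscfg32.exe, and known decoy names inside the Kazaa shared folders. The registry export and the file list are constructed samples; the decoy-name list covers only the names quoted above, not all of the roughly 80 the worm uses.

```python
"""Offline IOC check for the Worm.P2P.Lolol indicators described above.

Added example, not code from F-Secure or Kaspersky. It parses the text
produced by 'reg export' (a .reg file) plus a plain list of file paths
and reports matches. All sample input below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the description.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
AUTORUN_VALUE = "Configuration Loader"
DROPPER_NAME = "syscfg32.exe"

SHARED_FOLDERS = (
    r"c:\program files\kazaa\my shared folder",
    r"c:\program files\kazaa lite\my shared folder",
    r"c:\my downloads",
)
# Partial list of the ~80 decoy names (only those quoted in the description).
DECOY_NAMES = {
    "play station emulator crack.exe", "play station emulator.exe",
    "warcraft 3 serials.pif", "warcraft 3 crack.exe",
    "100 free essays school.pif", "aol password cracker.exe",
    "aim password cracker", "aol cracker.exe", "aim cracker.exe",
    "steal usernames.exe", "how to hack.exe", "divx pro.exe",
    "how to use a shell.pif", "virtua girl (full).exe", "worldbook.exe",
    "gta 3 serial.exe", "gta 3 crack.exe", "gta3.exe", "driver.exe",
    "virtua girl - adriana.pif", "virtua girl - bailey short skirt.pif",
}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax used here: [key] headers followed by
    "name"="string" lines. Returns {key: {value_name: data}}. Backslashes and
    quotes inside .reg strings are escaped with a backslash, so unescape them."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"', line)
            if m:
                unescape = lambda s: s.replace('\\\\', '\\').replace('\\"', '"')
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def find_autorun_indicators(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key, data) pairs where the worm's auto-run value is present."""
    hits = []
    lowered = {k.lower(): v for k, v in reg.items()}
    for key in AUTORUN_KEYS:
        for name, data in lowered.get(key.lower(), {}).items():
            if name.lower() == AUTORUN_VALUE.lower() and data.lower().endswith(DROPPER_NAME):
                hits.append((key, data))
    return hits


def find_dropped_copies(paths: List[str]) -> List[str]:
    """Return paths whose folder is one of the shared folders and whose file
    name is a known decoy. The folder check matters: names like driver.exe
    are too generic to flag anywhere else."""
    hits = []
    for p in paths:
        folder, _, name = p.lower().rpartition("\\")
        if folder in SHARED_FOLDERS and name in DECOY_NAMES:
            hits.append(p)
    return hits


# Constructed sample registry export (not a capture from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Configuration Loader"="syscfg32.exe"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Configuration Loader"="C:\\WINDOWS\\SYSTEM\\syscfg32.exe"
'''

# Constructed sample directory listing.
SAMPLE_FILES = [
    r"C:\Program Files\Kazaa\My Shared Folder\gta3.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\holiday.jpg",
    r"C:\My Downloads\warcraft 3 serials.pif",
    r"C:\Users\alice\Desktop\driver.exe",
]

if __name__ == "__main__":
    for key, data in find_autorun_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"auto-run indicator: {key} -> {data}")
    for path in find_dropped_copies(SAMPLE_FILES):
        print(f"dropped copy: {path}")
```

On a live Windows host the same checks would run against the output of `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run` (and RunServices) and a recursive listing of the three shared folders. The value name "Configuration Loader" is the more reliable indicator of the two, since the file-name list is incomplete and several of the names are generic.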
NOTE: The F-Secure Anti-Virus definition to detect Lolol will be
published on Monday, the 9th of December.
[Analysis: Kaspersky Lab, December 2002]