
W32.Looked.B
Monday, 10 January 2005
W32.Looked.B is a worm that downloads a password-stealing program, infects .exe files on the local drives, and spreads through network shares.

Type: Virus, Worm
Infection Length: 67,072 bytes (.exe), 17,920 bytes (.dll)

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

When W32.Looked.B is executed, it performs the following actions:

Adds the value:

"auto" = "1"

to the following registry key:

HKEY_LOCAL_MACHINE\Software\SoftDownloadWWW


Disables the Zone Alarm firewall


Stops the following security-related processes:

Ravmon.exe
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
IPARMOR.EXE


Injects the dropped .dll into Internet Explorer.


Downloads a password stealer from the domain www.twavgirl.com and saves it as %Windir%\1.exe.

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Searches for .exe files to infect in all the drives on the computer from the C drive onwards.

The worm will not infect .exe files in folders with the following substrings in their name:

system
system32
windows
Documents and Settings
System Volume Information
Recycled
winnt
Program Files
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gaming Zone


Prepends itself to any .exe files that it finds on the computer, except the following:

IEXPLORE.EXE
EXPLORER.EXE

The size of an infected file is increased by 67,072 bytes. The icon of infected files is similar to the image used for .zip files.
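Because the worm prepends a fixed-size body, an infected file is the 67,072-byte worm followed by the original executable, so a second PE header at offset 67,072 is a usable indicator on disk. The following Python is an added example, not code from the write-up or from any vendor tool: it checks for that layout, recovers the original program by stripping the prepended body, hashes the stub so that hits can be clustered, and walks a directory for candidates. The sample "binaries" are constructed inline as minimal MZ/PE stand-ins, and the assumption that the original file is stored unmodified after the stub is mine, drawn from the fixed size increase stated above.

```python
import hashlib
import struct
from pathlib import Path
from typing import List, Optional

STUB_LEN = 67072  # size of the prepended worm body (.exe), per the write-up


def looks_like_pe(data: bytes, offset: int = 0) -> bool:
    """True if a DOS header whose e_lfanew points at a 'PE\\0\\0' signature starts at offset."""
    if len(data) < offset + 0x40 or data[offset:offset + 2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, offset + 0x3C)
    sig = offset + e_lfanew
    return data[sig:sig + 4] == b"PE\x00\x00"


def is_prepend_infected(data: bytes, stub_len: int = STUB_LEN) -> bool:
    """Infected layout: worm PE at offset 0, original PE intact at offset stub_len (assumption)."""
    return len(data) > stub_len and looks_like_pe(data, 0) and looks_like_pe(data, stub_len)


def disinfect(data: bytes, stub_len: int = STUB_LEN) -> Optional[bytes]:
    """Return the original executable (everything after the stub), or None if not infected."""
    return data[stub_len:] if is_prepend_infected(data, stub_len) else None


def stub_hash(data: bytes, stub_len: int = STUB_LEN) -> str:
    """SHA-256 of the prepended body; it should be identical across every file one worm build infected."""
    return hashlib.sha256(data[:stub_len]).hexdigest()


def scan_tree(root: Path) -> List[Path]:
    """Walk a tree and return the .exe files that carry the prepended stub."""
    hits = []
    for path in root.rglob("*.exe"):
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable or locked file; report it separately if needed
        if is_prepend_infected(data):
            hits.append(path)
    return hits


# --- constructed samples: minimal stand-ins, not real binaries ---
def build_fake_pe(payload: bytes) -> bytes:
    """Minimal 0x40-byte DOS header with e_lfanew = 0x40, then a PE signature and payload."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + payload


def build_fake_infected(host: bytes) -> bytes:
    """Mimic the infection: a 67,072-byte stub PE followed by the untouched host program."""
    stub = build_fake_pe(b"constructed stand-in for the worm body").ljust(STUB_LEN, b"\x00")
    return stub + host


if __name__ == "__main__":
    host = build_fake_pe(b"original program code")
    infected = build_fake_infected(host)
    print("clean file flagged:", is_prepend_infected(host))
    print("infected file flagged:", is_prepend_infected(infected))
    print("size delta:", len(infected) - len(host))
    print("recovered original matches:", disinfect(infected) == host)
    print("stub hash:", stub_hash(infected))
```

The check is a heuristic, so confirm hits before truncating anything: the stub hash should be the same for every flagged file on the machine, and the recovered tail should match a known-good copy or vendor hash of the program. The worm's own files (%Windir%\Logo1_.exe, the downloaded 1.exe, virDll.dll) are whole executables rather than infected hosts and are simply deleted.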


Creates a copy of itself as %Windir%\Logo1_.exe.


Drops a file called virDll.dll in the current folder when a file infected with W32.Looked.B is executed.


Copies itself to the following shares on hosts where the guest and administrator accounts have blank passwords:

IPC$
ADMIN$


Sends ICMP traffic containing the string "Hello,World" to the following IP addresses:

192.168.0.30
192.168.8.1


Redirects Web sites by adding the following text to the hosts file:

66.197.186.149 www.hinet.net
66.197.186.149 www.pchome.com.tw
66.197.186.149 www.msn.com.tw
66.197.186.149 www.yam.com
66.197.186.149 www.google.com.tw
66.197.186.149 www.gamer.com.tw
66.197.186.149 www.taiwankiss.com
66.197.186.149 www.sina.com.tw
66.197.186.149 www.so-net.net.tw
66.197.186.149 www.uhome.net
66.197.186.149 www.gamania.com
66.197.186.149 www.104.com.tw
66.197.186.149 www.tp.edu.tw
66.197.186.149 www.seed.net.tw
66.197.186.149 www.tw18.com
66.197.186.149 www.gamebase.com.tw
66.197.186.149 www.hello.com.tw
66.197.186.149 www.taiwandns.com
66.197.186.149 www.ithome.com.tw
66.197.186.149 www.cartoonnetwork.com.tw
66.197.186.149 bubble.com.tw
66.197.186.149 tw.ebay.com
66.197.186.149 www.microsoft.com
66.197.186.149 www.oc-gamer.com
66.197.186.149 www.igame.com.tw
66.197.186.149 www.funtown.com.tw
66.197.186.149 www.softstar.com.tw
66.197.186.149 service.gamania.com
66.197.186.149 www.gamezone.idv.tw
66.197.186.149 www.ggame.com.tw
66.197.186.149 www.gamestation.com.tw
66.197.186.149 www.lineage2.com.tw
66.197.186.149 tw.games.yahoo.com
66.197.186.149 www.iogc.com.tw
66.197.186.149 www.transakt.com.tw
66.197.186.149 www.softking.com.tw
66.197.186.149 groups.msn.com
66.197.186.149 www.mofa.com.tw
66.197.186.149 dir.pchome.com.tw
66.197.186.149 www.sa.game.tw
66.197.186.149 www.books.com.tw
66.197.186.149 www.gamemaster.com
66.197.186.149 www.newspace.com.tw
66.197.186.149 www.e-box.net.tw
66.197.186.149 gnn.gamer.com.tw
66.197.186.149 pc.gamebase.com.tw
66.197.186.149 twbbs.net.tw
66.197.186.149 www.twindex.com.tw
66.197.186.149 www.t2t.com.tw
66.197.186.149 www.girl-tw.com
66.197.186.149 www.sogi.com.tw
66.197.186.149 hdvd.com.tw
66.197.186.149 cgi.tw.ebay.com
66.197.186.149 movie.kingnet.com.tw
66.197.186.149 www.atmovies.com.tw
66.197.186.149 www.movie.com.tw
66.197.186.149 www.kokoro.com.tw
66.197.186.149 www.twgirls.net
66.197.186.149 bbs.vips.com.tw
66.197.186.149 www.symantec.com
66.197.186.149 www.symantec.com.tw
66.197.186.149 liveupdate.symantecliveupdate.com
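Rather than matching each of the lines above by hand, a triage script can parse the hosts file and flag an entry on any of three grounds: the target is the redirect address listed above, one non-local address fans out to many names, or a name under a vendor or update domain points anywhere but loopback. The following Python is an added example, not code from the write-up: the sample hosts file is constructed, and the fan-out threshold and the protected-domain list are my choices (the redirect address itself is the one in the list above).

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Redirect address taken from the hosts-file entries in the write-up.
KNOWN_BAD_IPS = {"66.197.186.149"}

# Assumption: domains whose hijacking would block AV or OS updates; the list is mine.
PROTECTED_SUFFIXES = ("symantec.com", "symantec.com.tw", "symantecliveupdate.com", "microsoft.com")

# Assumption: one non-local address mapped to this many names is treated as a mass redirect.
FANOUT_THRESHOLD = 5


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: Tuple[str, ...]
    raw: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text; comments, blank lines and malformed lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; leave the line alone
        entries.append(HostsEntry(lineno, parts[0], tuple(p.lower() for p in parts[1:]), raw))
    return entries


def is_local(ip: str) -> bool:
    """127.x.x.x / ::1, or 0.0.0.0-style blackhole entries, are normal in a hosts file."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def flag_entries(entries: List[HostsEntry]) -> Dict[int, List[str]]:
    """Map line number -> reasons for every entry that looks like a redirect."""
    fanout = defaultdict(set)
    for e in entries:
        if not is_local(e.ip):
            fanout[e.ip].update(e.names)
    flagged: Dict[int, List[str]] = {}
    for e in entries:
        if is_local(e.ip):
            continue
        reasons = []
        if e.ip in KNOWN_BAD_IPS:
            reasons.append(f"{e.ip} is the redirect address from the W32.Looked.B write-up")
        if len(fanout[e.ip]) >= FANOUT_THRESHOLD:
            reasons.append(f"{e.ip} is mapped to {len(fanout[e.ip])} names")
        hijacked = sorted({n for n in e.names for s in PROTECTED_SUFFIXES
                           if n == s or n.endswith("." + s)})
        if hijacked:
            reasons.append("protected domain(s) redirected: " + ", ".join(hijacked))
        if reasons:
            flagged[e.lineno] = reasons
    return flagged


def clean_hosts(text: str) -> str:
    """Return the hosts text with flagged lines removed; comments and local entries survive."""
    flagged = flag_entries(parse_hosts(text))
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1) if n not in flagged]
    return "\n".join(kept) + "\n"


# Constructed sample, not a file recovered from an infected system.
HOSTS_SAMPLE = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.example   # legitimate local override
66.197.186.149 www.hinet.net
66.197.186.149 www.google.com.tw
66.197.186.149 www.microsoft.com
66.197.186.149 www.symantec.com
66.197.186.149 liveupdate.symantecliveupdate.com
"""

if __name__ == "__main__":
    for lineno, reasons in sorted(flag_entries(parse_hosts(HOSTS_SAMPLE)).items()):
        print(f"line {lineno}: " + "; ".join(reasons))
    print(clean_hosts(HOSTS_SAMPLE))
```

On a live system, read %SystemRoot%\System32\drivers\etc\hosts (on the 9x/Me family, %Windir%\hosts) into the parser; the fan-out rule catches a mass redirect even after the address changes, and the protected-domain rule still catches a single hijacked update host, which a fan-out check alone would miss.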
 