WORM_VB.FKO commonly known as LeChuck.exe
File type: PE
Memory resident: Yes
Size of malware: 102,840 Bytes
Initial samples received on: Aug 29, 2007
Payload 1: Downloads files
Arrival
This worm is dropped by other malware, or is downloaded unknowingly by a user when visiting malicious Web sites.
Installation
This worm drops the following copies of itself:
%System%\cmd.com
%System%\LeChucK.exe
%System%\wins.exe
%Windows%\regedit.com
%Windows%\spolis.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
It drops the following non-malicious files/components:
%System%\CC.dll
%System%\LeChucK.hta
%System%\zip32.dll
Autostart Techniques
This worm employs registry shell spawning so that it executes whenever files of certain types are run: it creates registry entries that change how Windows opens those file types, so that its own copy is launched first and the requested file is passed on to it. Note also that the dropped copies cmd.com and regedit.com sit in the same folders as cmd.exe and regedit.exe; because Windows tries the .COM extension before .EXE when a program is launched by bare name, these copies can run in place of the legitimate tools.
This worm creates registry entries to disable Task Manager.
This worm drops copies of itself in all physical and removable drives.
It also drops an AUTORUN.INF in the root of those drives so that a dropped copy is executed when the drives are accessed. Note that every command in it points at %Windows%\Spolis.exe, the copy on the infected host, rather than at the copy placed on the drive itself. The AUTORUN.INF file contains the following strings:
OPEN=%windows%\Spolis.exe
shell\open=Abrir
shell\open\Command=%windows%\Spolis.exe
shell\open\Default=1
shell\explore=Explorar
shell\explore\Command=%windows%\Spolis.exe
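As an added triage example (not code from this page or from any vendor tool), the following Python parses the AUTORUN.INF strings shown above and lists the commands they launch, flags commands that reach off the drive into %windows%, compares registry shell\open\command values with their clean defaults to expose the shell-spawning hijack described under Autostart Techniques, and spots .com/.exe companion pairs such as cmd.com beside cmd.exe. The expansion of %windows% to C:\Windows, the registry snapshot and the directory listing are constructed inputs; the page does not list the worm's actual registry entries, so the hijacked exefile value is an assumed illustration.

```python
"""Triage helpers for the behaviours on this page (added example, not the
page's or any vendor's code). Inputs are plain text so it runs anywhere;
on a live host the registry values would come from winreg (not shown)."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the AUTORUN.INF strings listed above.
SAMPLE_AUTORUN = """\
[autorun]
OPEN=%windows%\\Spolis.exe
shell\\open=Abrir
shell\\open\\Command=%windows%\\Spolis.exe
shell\\open\\Default=1
shell\\explore=Explorar
shell\\explore\\Command=%windows%\\Spolis.exe
"""
# Assumed expansions for the variables the worm uses.
ENV = {"windows": "C:\\Windows", "system": "C:\\Windows\\System32"}
# Clean defaults of HKCR\<ProgID>\shell\open\command for commonly hooked types.
CLEAN_OPEN_COMMANDS = {"exefile": '"%1" %*', "comfile": '"%1" %*', "batfile": '"%1" %*'}
# Constructed snapshot: the page does not list the real entries, so the
# hijacked exefile value below is an assumed illustration.
SAMPLE_REGISTRY = {"exefile": 'C:\\Windows\\System32\\wins.exe "%1" %*',
                   "comfile": '"%1" %*', "batfile": '"%1" %*'}
# Constructed listing merged from the %Windows% and %System% folders named above.
SAMPLE_DIR = ["cmd.exe", "cmd.com", "regedit.exe", "regedit.com", "wins.exe", "more.com"]


def expand(value: str, env: Dict[str, str] = ENV) -> str:
    """Replace %name% tokens case-insensitively, as the Windows shell does."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), value)


def parse_autorun(text: str) -> Dict[str, str]:
    """Key -> raw value of the [autorun] section, keys lower-cased.
    A missing header is tolerated (the page shows none); other sections are skipped."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section in (None, "autorun"):
            key, sep, val = line.partition("=")
            if sep:
                entries[key.strip().lower()] = val.strip()
    return entries


def launched_commands(text: str) -> List[Tuple[str, str]]:
    """(key, raw command) for entries that run a program: OPEN=, shellexecute=
    and shell\\<verb>\\command=. shell\\<verb>= alone is only a menu caption."""
    return [(k, v) for k, v in parse_autorun(text).items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def program_of(command: str) -> str:
    """First token of a command line, quotes stripped."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return (m.group(1) or m.group(2) or "") if m else ""


def off_drive_targets(text: str) -> List[str]:
    """Expanded programs that live off the drive (%var%, X:\\ or \\ paths).
    A legitimate AUTORUN.INF names a file relative to the drive root; reaching
    into %windows% means the worm is already on the host and the drive is a trigger."""
    hits = {expand(program_of(raw)) for _k, raw in launched_commands(text)
            if re.match(r"^(%[^%]+%|[A-Za-z]:|\\)", program_of(raw))}
    return sorted(hits)


def hijacked_file_types(observed: Dict[str, str]) -> Dict[str, str]:
    """ProgIDs whose shell\\open\\command differs from the clean default."""
    return {k: v for k, v in observed.items()
            if k in CLEAN_OPEN_COMMANDS and " ".join(v.split()) != CLEAN_OPEN_COMMANDS[k]}


def companion_pairs(names: List[str]) -> List[str]:
    """Base names present as both NAME.com and NAME.exe: .COM is tried before
    .EXE when a program is launched by bare name, so the .com copy wins."""
    seen = {n.lower() for n in names}
    return sorted(n[:-4] for n in seen if n.endswith(".com") and n[:-4] + ".exe" in seen)
```

Run `off_drive_targets(SAMPLE_AUTORUN)` on the page's sample and it returns only C:\Windows\Spolis.exe, while a vendor CD whose autorun reads `open=setup.exe` returns nothing; `hijacked_file_types` and `companion_pairs` give the same kind of short, reviewable answer for the registry and folder checks.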
Affected Platforms
This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.