Threat Encyclopedia

Win32/Lablan.A

The first samples of this worm were detected by NOD32’s Advanced Heuristics on Friday, September 5, 2003.

The worm is written in the Visual Basic programming language and uses simple string encryption to evade heuristic detection.

Infection vector, Actions

The worm spreads mainly via peer-to-peer networks such as Kazaa, Grokster and iMesh. It copies its body into shared folders under a number of different executable file names, such as:

Red alert 2 crack.exe
Sim city 4 crack.exe
Wolfenstein Return to the castle crack.exe
Tomb Raider 1 2 3 4 5 crack.exe
Rollercoaster Tycoon 2 crack.exe
sarah michelle gellar naked.jpg.exe
sandra bullock nude.jpg.exe
anastasia anal.jpg.exe

In addition, it overwrites the existing executable files in the aforementioned folders.

The worm is also capable of hiding its body in a .zip file created for that purpose. As a result, it can be distributed in archives.

Finally, it can also copy its body via open shares into the following folders:

"\windows\start menu\programs\startup"
"\windows\menu start\programs\startup"
"\windows\start menu\programma's\opstarten"
"\Documents and Settings\All Users\Menu Start\Programma's\opstarten"
"\Documents and Settings\All Users\Menu Start\Programs\startup"

The worm contains an update routine programmed to download updates from what appears to be an FTP server in the Netherlands. At the moment of this analysis, the server was unavailable.

The worm adds the following values to the registry:

HKLM\SOFTWARE\Classes\batfile\shell\open\command (Default)
Value: "C:\windows\WinBat.exe %1"

HKLM\SOFTWARE\Classes\WinZip\shell\open\command (Default)
Value: "C:\progra~1\winzip\WZExtract.exe %1"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ComPlus Applications
Value: "C:\winNT\ComPlus Applications.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ComPlus Applications
Value: "C:\winNT\ComPlus Applications.exe"

As a result, the worm is activated at each computer restart. In addition, the worm implements a special trick: whenever a .BAT or .ZIP file is ‘executed’, the worm creates a .zip file with a similar name containing an executable copy of the worm.
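The registry changes above are the worm's persistence and file-association hijack, and they are also what a responder can check for. The following is an added defender example (not ESET's code): it evaluates a snapshot of the four locations against the values named in this write-up, and on Windows it can fill the same snapshot from the live registry. The clean batfile handler value is the standard Windows default; the WinZip handler varies per install, so it is only matched against the worm's file names.

```python
"""Check for the registry changes of Win32/Lablan.A (added defender example, not
ESET's code); works on a snapshot dict offline, or on the live registry on Windows."""
import re

CLEAN_BATFILE = '"%1" %*'  # real Windows default for batfile\shell\open\command
HANDLER_KEYS = (r"HKLM\SOFTWARE\Classes\batfile\shell\open\command",
                r"HKLM\SOFTWARE\Classes\WinZip\shell\open\command")
AUTORUN_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
                r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run")
# Executable names from the write-up; the WinZip handler varies per install, so it
# is only matched against these rather than against a fixed default.
WORM_EXE = re.compile(r"\\(WinBat|WZExtract|ComPlus Applications)\.exe", re.I)

def check_snapshot(snapshot):
    """snapshot maps (key, value_name) -> data, '' being the (Default) value."""
    findings = []
    for key in HANDLER_KEYS:
        data = snapshot.get((key, ""), "")
        if WORM_EXE.search(data):
            findings.append(f"hijacked handler {key} = {data}")
        elif key == HANDLER_KEYS[0] and data != CLEAN_BATFILE:
            findings.append(f"non-default batfile handler = {data!r}")
    for (key, name), data in snapshot.items():
        if key in AUTORUN_KEYS and (name == "ComPlus Applications" or WORM_EXE.search(data)):
            findings.append(f"autorun {key}\\{name} = {data}")
    return findings

def collect_snapshot():
    """Read the same keys from the live registry (Windows only)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for key in HANDLER_KEYS + AUTORUN_KEYS:
        hive, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], subkey) as h:
                for i in range(winreg.QueryInfoKey(h)[1]):  # [1] = value count
                    name, data, _ = winreg.EnumValue(h, i)
                    snapshot[(key, name)] = str(data)
        except OSError:  # key not present on this machine
            pass
    return snapshot

# Constructed snapshot mirroring the four registry entries in the write-up.
SAMPLE_INFECTED = {
    (HANDLER_KEYS[0], ""): r"C:\windows\WinBat.exe %1",
    (HANDLER_KEYS[1], ""): r"C:\progra~1\winzip\WZExtract.exe %1",
    (AUTORUN_KEYS[0], "ComPlus Applications"): r"C:\winNT\ComPlus Applications.exe",
    (AUTORUN_KEYS[1], "ComPlus Applications"): r"C:\winNT\ComPlus Applications.exe",
}
```

Running `check_snapshot(SAMPLE_INFECTED)` reports all four entries; on a Windows host, `check_snapshot(collect_snapshot())` performs the same check against the live registry.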

NOD32 clients were not affected, as the worm was detected by Advanced Heuristics without any need for a virus signature update. NOD32 with virus signature database version 1.502 and higher identifies the worm by name.