W32.Looked.P Discovered Today
When W32.Looked.P is executed, it performs the following actions:
- Creates the following files:
  - %Windir%\rundl132.exe – a copy of W32.Looked.P
  - %CurrentFolder%\vDll.dll – a copy of Downloader
Note:
  - %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
  - %CurrentFolder% is a variable that refers to the folder where the risk was originally executed.
- Checks for the value:
  "auto" = "1"
  in the registry subkey:
  HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW
  If the value is already present, the worm exits; otherwise it creates the value as an infection marker and continues.
- Adds the value:
  "load" = "%Windir%\rundl132.exe"
  to the registry subkey:
  HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
  so that it runs every time Windows starts.
- Attempts to stop the following service:
  Kingsoft AntiVirus Service
- Injects its DLL component, vDll.dll, into either iexplorer.exe or explorer.exe.
- Using the DLL component, attempts to download a file from the following location:
  [http://]www.wowchian.com/dl[2 LETTERS[REMOVED]
- Searches all drives from C to Y for .exe files to infect.
- Prepends itself to any .exe files that it locates on the computer.
- Creates the file _desktop.ini in every directory it has searched for executable files. This file has the hidden and system attributes set and stores the date the worm was executed.
- Does not infect .exe files in folders with the following names:
  - system
  - system32
  - windows
  - Documents and Settings
  - System Volume Information
  - Recycled
  - winnt
  - Program Files
  - Windows NT
  - WindowsUpdate
  - Windows Media Player
  - Outlook Express
  - Internet Explorer
  - ComPlus Applications
  - NetMeeting
  - Common Files
  - Messenger
  - Microsoft Office
  - InstallShield Installation Information
  - MSN
  - Microsoft Frontpage
  - Movie Maker
  - MSN Gaming Zone
- May send ICMP packets containing the string "Hello,World" to the following IP addresses:
  - 192.168.0.30
  - 192.168.8.1
- May also send ICMP packets to IP addresses in the same range as the IP address of the compromised computer.
- Attempts to open shared folders with the following names, if any computer responds to the ICMP packet:
  - \\ipc$
  - \\admin$
- Tries to open the shared folder using administrator as the username and a blank password. If it succeeds in opening the shared folder, it copies itself to that folder.
- Enumerates all the computers and shared folders in the local network. The worm uses a blank username and a blank password to open the shared folders.
- Searches for and infects .exe files in the shared folders.
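As an added, defender-side check that is not part of the write-up, the following PowerShell script looks for the host indicators listed above: the registry infection marker, the "load" persistence value, the dropped rundl132.exe copy, and the hidden+system _desktop.ini marker files. The function name is hypothetical, and reading the marker's stored date as plain text on its first line is an assumption the write-up does not state.

```powershell
# Added example (not from the W32.Looked.P write-up): report its host indicators.
function Find-LookedPIndicators {
    $findings = @()

    # Infection marker: HKLM\SOFTWARE\Soft\DownloadWWW, "auto" = "1"
    $marker = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Soft\DownloadWWW' -Name 'auto' -ErrorAction SilentlyContinue
    if ($marker -and "$($marker.auto)" -eq '1') {
        $findings += 'Infection marker: HKLM\SOFTWARE\Soft\DownloadWWW "auto" = "1"'
    }

    # Persistence: HKCU\...\Windows NT\CurrentVersion\Windows, "load" pointing at rundl132.exe
    $winKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
    $load = Get-ItemProperty -Path $winKey -Name 'load' -ErrorAction SilentlyContinue
    if ($load -and "$($load.load)" -match 'rundl132\.exe') {
        $findings += "Persistence: $winKey ""load"" = $($load.load)"
    }

    # Dropped copy of the worm in %Windir%
    $dropped = Join-Path $env:windir 'rundl132.exe'
    if (Test-Path -LiteralPath $dropped -PathType Leaf) {
        $findings += "Dropped file: $dropped"
    }

    # _desktop.ini markers: hidden + system attributes, content records when the worm first ran.
    # Assumption: the stored date is plain text on the first line (format not given in the write-up).
    foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
        if (-not $drive.Root -or -not (Test-Path -LiteralPath $drive.Root)) { continue }
        $markers = Get-ChildItem -LiteralPath $drive.Root -Filter '_desktop.ini' -Recurse -Force -File -ErrorAction SilentlyContinue
        foreach ($f in $markers) {
            $hidden = ($f.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            $system = ($f.Attributes -band [IO.FileAttributes]::System) -ne 0
            if (-not ($hidden -and $system)) { continue }
            $stored = Get-Content -LiteralPath $f.FullName -TotalCount 1 -ErrorAction SilentlyContinue
            $findings += "Marker file: $($f.FullName) (stored date: '$stored', last write: $($f.LastWriteTime))"
        }
    }

    $findings
}

$hits = @(Find-LookedPIndicators)
if ($hits.Count -eq 0) { 'No W32.Looked.P indicators found.' } else { $hits }
```

Run it from an elevated prompt so the HKLM key and every fixed drive are readable; the marker-file dates give an earliest-infection time for the incident timeline.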