Content
W32/Lovsan.worm.e
- Type
- Virus
- SubType
- Internet Worm
- Discovery Date
- 08/28/2003
- Length
- 6176 bytes (UPX packed)
- Minimum DAT
- 4283 (08/06/2003)
- Updated DAT
- 4323 (02/11/2004)
- Minimum Engine
- 5.1.00
- Description Added
- 08/29/2003
- Description Modified
- 08/29/2003 3:35 AM (PT)
Tab Navigation
Characteristics
This is a trivial variant of W32/Lovsan.worm . It is functionally identical to the original variant. The worm is proactively detected as Exploit-DcomRpc trojan since 4283 DATs (with scanning of compressed files enabled).
It is detected as W32/Lovsan.worm.gen with the 4288 DATs or greater (again with scanning of compressed files enabled).
Specific string content within the worm has been edited, thus modifying filename and Registry key details:
Filename
- MSLAUGH.EXE
Registry key
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "Windows Automation" = mslaugh.exe
The target of the Denial of Service (DoS) attack (see W32/Lovsan.worm for details) has been changed to:
kimble.org
The worm has been packed with UPX.
NB: Due to the expected rash of copycat worms with minor edits of string content, users are reminded to ensure that the scanning of compressed files is enabled for optimal detection.
This variant contains the following string:
I dedicate this particular strain to me ANG3L - hope yer enjoying yerself and dont forget the promise for me B/DAY !!!!
Symptoms
Presence of the following file in %WinDir%\System32 directory:
MSLAUGH.EXE (6,176 bytes) (worm)
Method of Infection
See W32/Lovsan.worm description.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.Blaster.E.Worm (NAV)
- W32/Blaster-E (Sophos)
- W32/Blaster.worm.e
Characteristics
Characteristics -
This is a trivial variant of W32/Lovsan.worm . It is functionally identical to the original variant. The worm is proactively detected as Exploit-DcomRpc trojan since 4283 DATs (with scanning of compressed files enabled).
It is detected as W32/Lovsan.worm.gen with the 4288 DATs or greater (again with scanning of compressed files enabled).
Specific string content within the worm has been edited, thus modifying filename and Registry key details:
Filename
- MSLAUGH.EXE
Registry key
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run "Windows Automation" = mslaugh.exe
The target of the Denial of Service (DoS) attack (see W32/Lovsan.worm for details) has been changed to:
kimble.org
The worm has been packed with UPX.
NB: Due to the expected rash of copycat worms with minor edits of string content, users are reminded to ensure that the scanning of compressed files is enabled for optimal detection.
This variant contains the following string:
I dedicate this particular strain to me ANG3L - hope yer enjoying yerself and dont forget the promise for me B/DAY !!!!
Symptoms
Symptoms -
Presence of the following file in %WinDir%\System32 directory:
MSLAUGH.EXE (6,176 bytes) (worm)
Method of Infection
Method of Infection -
See W32/Lovsan.worm description.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
