Content
W32/Lovsan.worm.f
- Type
- Virus
- SubType
- Internet Worm
- Discovery Date
- 09/01/2003
- Length
- 11,808 bytes (Aspack + UPX)
- Minimum DAT
- 4283 (08/06/2003)
- Updated DAT
- 4323 (02/11/2004)
- Minimum Engine
- 5.1.00
- Description Added
- 09/01/2003
- Description Modified
- 09/01/2003 5:17 AM (PT)
Tab Navigation
Characteristics
This is another trivial variant of W32/Lovsan.worm . It is functionally identical to the original variant. The worm is proactively detected as Exploit-DcomRpc trojan since 4283 DATs (with scanning of compressed files enabled).
It is detected as W32/Lovsan.worm.gen with the 4288 DATs or greater (again with scanning of compressed files enabled). Identification as W32/Lovsan.worm.f will be available in the 4291 DATs.
Specific string content within the worm has been edited, thus modifying filename and Registry key details:
Filename
- ENBIEI.EXE
Registry key
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run
"www.hidro.4t.com" = enbiei.exe
The target of the Denial of Service (DoS) attack (see W32/Lovsan.worm for details) has been changed to:
tuiasi.ro
This variant of the worm has been packed twice, with UPX then Aspack.
NB: Due to the expected rash of copycat worms with minor edits of string content, users are reminded to ensure that the scanning of compressed files is enabled for optimal detection.
Symptoms
Presence of the following file in %WinDir%\System32 directory:
ENBIEI.EXE (11,808 bytes) (worm)
Method of Infection
See W32/Lovsan.worm description.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Variants
Variants
N/A
All Information
Overview -
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32/Blaster.worm.f
Characteristics
Characteristics -
This is another trivial variant of W32/Lovsan.worm . It is functionally identical to the original variant. The worm is proactively detected as Exploit-DcomRpc trojan since 4283 DATs (with scanning of compressed files enabled).
It is detected as W32/Lovsan.worm.gen with the 4288 DATs or greater (again with scanning of compressed files enabled). Identification as W32/Lovsan.worm.f will be available in the 4291 DATs.
Specific string content within the worm has been edited, thus modifying filename and Registry key details:
Filename
- ENBIEI.EXE
Registry key
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run
"www.hidro.4t.com" = enbiei.exe
The target of the Denial of Service (DoS) attack (see W32/Lovsan.worm for details) has been changed to:
tuiasi.ro
This variant of the worm has been packed twice, with UPX then Aspack.
NB: Due to the expected rash of copycat worms with minor edits of string content, users are reminded to ensure that the scanning of compressed files is enabled for optimal detection.
Symptoms
Symptoms -
Presence of the following file in %WinDir%\System32 directory:
ENBIEI.EXE (11,808 bytes) (worm)
Method of Infection
Method of Infection -
See W32/Lovsan.worm description.
Removal -
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations
Variants
Variants -
N/A
