W32/Loxar.worm.gen!p2p
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 10/25/2002
- Length: Various
- Minimum DAT: 4231 (10/30/2002)
- Updated DAT: 4279 (07/23/2003)
- Minimum Engine: 5.1.00
- Description Added: 10/17/2003
- Description Modified: 10/17/2003 7:41 AM (PT)
Characteristics
This detection is for a worm written in Borland Delphi that is intended to propagate via:
- P2P networks
- Floppy disks
- Network shares (mapped)
Multiple variants of this worm exist; later ones require more recent DATs for detection. Users are advised to run the latest engine/DAT combination for optimal detection.
The main characteristics of this family of worms are as follows:
- Copy themselves multiple times into the KaZaa folder
- Copy themselves to the floppy drive
- Copy themselves to mapped network drives
- Terminate various processes on the victim machine (AV/security products)
Later variants also attempt to mail themselves, using Outlook Express on the victim machine to construct the outgoing messages.
Exact details (filenames, sizes, Registry key names, etc.) vary between variants. The description below is specific to the first variant.
Filenames used in Propagation
The following filenames are used by the worm in propagation (see below):
- xex0x.exe
- xer0x.exe
- x3rox.exe
- x3r0x.exe
- xerox.com
- xer0x.com
- x3rox.com
- x3r0x.com
Installation
The worm copies itself to the root of the C: drive using one of the filenames listed above. For example:
C:\XER0X.COM
A Registry hook is added to run the worm at system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"xerox" = c:\xer0x.com
The following Registry key is added:
HKEY_LOCAL_MACHINE\SOFTWARE\xerox
Network Share Propagation
The worm copies itself to the root of mapped network shares (D: to Z:) using one of the filenames listed above.
Later variants also drop an AUTORUN.INF file alongside the copy of the worm, in an attempt to have Windows run the worm automatically when the share is browsed. The AUTORUN.INF file is constructed as follows:
[AUTORUN]
open=(filename used by worm)
P2P Replication
The worm copies itself to the folder typically shared by default by KaZaA:
C:\PROGRAM FILES\KAZAA\MY SHARED FOLDER\
The following filenames are used in order to entice others into running the worm:
- SEX MOVIES.mpeg.exe
- 9 naked girls.exe
- teen sex.mpeg.exe
- rapes video.mpeg.exe
- teen blow jobs.exe
- sex sex sex.exe
- buffy nude.exe
- britney naked.exe
- gutter sluts.exe
- XXX.exe
Later variants use many more filenames, all of a similarly enticing nature (for example, sexual content or application cracks).
Floppy Worm
The worm also attempts to copy itself to A:, again using one of the "xer0x-based" filenames listed above. For example:
A:\XER0X.COM
Process Termination
Processes associated with various anti-virus and security applications are terminated by this worm. These include the following:
- _AVPM.EXE
- AMAPP.EXE
- APLICA32.EXE
- AVCONSOL.EXE
- AVP.EXE
- AVPCC.EXE
- BLACKICE.EXE
- CFIADMIN.EXE
- CFIAUDIT.EXE
- CFINET.EXE
- CFINET32.EXE
- ESAFE.EXE
- FRW.EXE
- IAMSERV.EXE
- ICLOAD95.EXE
- ICLOADNT.EXE
- ICMON.EXE
- ICSUPPNT.EXE
- LOCKDOWN2000.EXE
- NAVAPW32.EXE
- NAVW32.EXE
- PCFWALLICON.EXE
- SAFEWEB.EXE
- TDS2-98.EXE
- TDS2-NT.EXE
- TDS2-XP.EXE
- VSECOMR.EXE
- VSHWIN32.EXE
- VSSTAT.EXE
- WEBSCANX.EXE
- ZAPRO.EXE
- ZONEALARM.EXE
Symptoms
Existence of the files and Registry keys detailed above.
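The symptoms above amount to a short list of host indicators (drive-root copies, the Run value, the marker key, the KaZaA lures, an AUTORUN.INF pointing at a worm copy, and missing security processes). The following is an added example, not McAfee's code, that sweeps a host inventory for exactly those indicators of the first variant. `HostSnapshot`, `parse_autorun_open`, `sweep` and `sample_snapshot` are this example's own names; the indicator values are the ones given in this description, and the snapshot is constructed so the check runs offline. On a live Windows host the snapshot would be filled from directory listings, `winreg` and a process list.

```python
"""Host-indicator sweep for the first W32/Loxar variant described above.
Added example (not McAfee's code): HostSnapshot, parse_autorun_open and sweep are
this example's own names; indicator values come from the description, and the
snapshot handed to sweep() is constructed so the check runs offline."""
import ntpath
import re
from dataclasses import dataclass, field

WORM_FILENAMES = frozenset({  # copies at drive roots (C:, A:, mapped D: to Z:)
    "xex0x.exe", "xer0x.exe", "x3rox.exe", "x3r0x.exe",
    "xerox.com", "xer0x.com", "x3rox.com", "x3r0x.com",
})
KAZAA_LURES = frozenset({  # names dropped into the KaZaA shared folder
    "sex movies.mpeg.exe", "9 naked girls.exe", "teen sex.mpeg.exe",
    "rapes video.mpeg.exe", "teen blow jobs.exe", "sex sex sex.exe",
    "buffy nude.exe", "britney naked.exe", "gutter sluts.exe", "xxx.exe",
})
KAZAA_SHARE = r"c:\program files\kazaa\my shared folder"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
MARKER_KEY = r"hkey_local_machine\software\xerox"
TERMINATED_PROCESSES = frozenset({  # the worm's kill list
    "_avpm.exe", "amapp.exe", "aplica32.exe", "avconsol.exe", "avp.exe",
    "avpcc.exe", "blackice.exe", "cfiadmin.exe", "cfiaudit.exe", "cfinet.exe",
    "cfinet32.exe", "esafe.exe", "frw.exe", "iamserv.exe", "icload95.exe",
    "icloadnt.exe", "icmon.exe", "icsuppnt.exe", "lockdown2000.exe",
    "navapw32.exe", "navw32.exe", "pcfwallicon.exe", "safeweb.exe",
    "tds2-98.exe", "tds2-nt.exe", "tds2-xp.exe", "vsecomr.exe", "vshwin32.exe",
    "vsstat.exe", "webscanx.exe", "zapro.exe", "zonealarm.exe",
})
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")  # file directly under a drive root

@dataclass
class HostSnapshot:
    """Host inventory; on a live Windows box fill it from directory listings, winreg and a process list."""
    files: dict = field(default_factory=dict)            # path -> text content ("" for binaries)
    registry_keys: set = field(default_factory=set)
    registry_values: dict = field(default_factory=dict)  # key -> {value name: data}
    processes: set = field(default_factory=set)

def parse_autorun_open(text):
    """Return the open= target of an [AUTORUN] section, or None if there is none."""
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            if key.strip().lower() == "open":
                return value.strip()
    return None

def sweep(snap, expected_security=()):
    """Return a finding string for every Loxar indicator present in the snapshot."""
    findings = []
    for path, content in snap.files.items():
        p = path.lower()
        name = ntpath.basename(p)
        if name in WORM_FILENAMES and DRIVE_ROOT.match(p):
            findings.append(f"worm copy at drive root: {path}")
        elif name in KAZAA_LURES and ntpath.dirname(p) == KAZAA_SHARE:
            findings.append(f"lure in KaZaA shared folder: {path}")
        elif name == "autorun.inf" and DRIVE_ROOT.match(p):
            target = parse_autorun_open(content)
            if target and ntpath.basename(target.lower()) in WORM_FILENAMES:
                findings.append(f"AUTORUN.INF launching worm copy: {path} -> {target}")
    run_values = {k.lower(): v for k, v in snap.registry_values.items()}.get(RUN_KEY, {})
    for value_name, data in run_values.items():
        if ntpath.basename(data.strip('"').lower()) in WORM_FILENAMES:
            findings.append(f"startup hook: Run\\{value_name} = {data}")
    if MARKER_KEY in {k.lower() for k in snap.registry_keys}:
        findings.append(f"marker key present: {MARKER_KEY}")
    # A missing security process is only a weak signal by itself, so it is
    # reported only for processes the caller says should be running.
    running = {proc.lower() for proc in snap.processes}
    for proc in expected_security:
        if proc.lower() in TERMINATED_PROCESSES and proc.lower() not in running:
            findings.append(f"security process on the worm's kill list is not running: {proc}")
    return findings

def sample_snapshot():
    """Constructed snapshot of an infected host (not captured data)."""
    return HostSnapshot(
        files={r"C:\XER0X.COM": "", r"E:\xer0x.com": "",
               r"E:\AUTORUN.INF": "[AUTORUN]\r\nopen=xer0x.com\r\n",
               r"C:\Program Files\KaZaA\My Shared Folder\britney naked.exe": "",
               r"C:\Windows\notepad.exe": ""},
        registry_keys={r"HKEY_LOCAL_MACHINE\SOFTWARE\xerox"},
        registry_values={r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run":
                         {"xerox": r"c:\xer0x.com"}},
        processes={"explorer.exe", "kazaa.exe"},
    )

if __name__ == "__main__":
    for finding in sweep(sample_snapshot(), expected_security=["NAVW32.EXE"]):
        print(finding)
```

Every comparison is case-insensitive because Windows paths and Registry keys are, and the drive-root check matters: a file called xer0x.com buried in a subdirectory is not the indicator this description gives, only a copy directly under a drive root is. The kill-list check is deliberately opt-in; the absence of a security process proves nothing unless you know it was supposed to be running.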
Method of Infection
This worm spreads by copying itself to P2P folders, mapped network shares and floppy drives.
Removal
All Users:
Use the specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- W32.HLLW.Loxar (NAV)
- Worm.P2P.Xerom (AVP)
- WORM_LOXAR (Trend)