W32/Lamo.worm

Content

W32/Lamo.worm

Type: Virus
SubType: Worm
Discovery Date: 02/02/2006
Length: varies
Minimum DAT: 4688 (02/02/2006)
Updated DAT: 4688 (02/02/2006)
Minimum Engine: 5.1.00
Description Added: 02/02/2006
Description Modified: 02/08/2006 2:37 AM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

Upon execution, the worm copies itself to the following files.

C:\CodeBlack.exe
C:\WINDOWS\system32\CodeBlack.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CodeBlack.exe
A:\CodeBlack.exe

It then deletes the following files in the victim machine.

C:\WINDOWS\system32\Restore\rstrui.exe
C:\WINDOWS\system32\Cmd.Exe
C:\Documents and Settings\All Users\Start Menu\Programs\PC Help & Tools\System Restore.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\dllcache\msconfig.exe
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe

The worm also adds the following registry entries.

HKEY_CURRENT_USER\Software\America Online\ AOL Instant Messenger (TM)\CurrentVersion\Users\IAmGoneList
"GoneMsg0001" = "Playing Game Aim Hacker 1.3 FREE!"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = "http://www.zimlabs.net/[removed].exe"
HKEY_CURRENT_USER\Control Panel\International "s1159" = "??????"
HKEY_CURRENT_USER\Control Panel\International "s2359" = "??????"

Symptoms

Presence of the mentioned files and registry keys

Method of Infection

The worm sends one of the following messages to AOL Instant Messenger users. The message has a link to "http://www.zimlabs.net/[removed].exe" that contains a copy of this worm.

Aim Hacker 1.3 FREE!
Better then limewire and kazaa put together!
Check my Pics Out!
Check out my Hitlist!
Check out my webcam.
Click to join! Better then myspace and xanga!
Cool hacking programs!
Download Aim Optimized 6.1!
Download Dead Aim (6.0+)- NEW!
Download my mp3 i made.
Email Hacker Pro 1.5 This is awsome! :)
Free Aim Password Cracker. Use it to hack your friends.
Funniest Clip Ever!
Game Hacker program download here.
Get X-im Chat! Better then AIM!
Gunner Online. Join and play today!
Have you see this!?
HOLY CRAP! It's a pic of you!
INFINITE FREE PICS OF ASIAN HOTTIES!
Join this free music site!
LMAO OMG THIS IS HILARIOUS!
LMAO! OMG IT'S YOU!
LOL Check these Pics out.
Lol OMG! Someone posted your picture here!
LOL Watch this clip!
LOLOL WTF IS THIS?!
Make your own Profile!
My Profile.
My Xanga!
OMG LOOK IT'S YOU!
Play the new Aim Online game!
ROFL! Check this out!
See my Beach pictures!!
Take my Quiz!
THE KEY TO HAPPINESS IS LAUGHTER!
This game is badass! Play now!
View My BuddyProfile
Wanna See My Profile!

It also attempts to copy itself to the following shared folders.

C:\My Shared Folder\
C:\Program Files\Ares\My Shared Folder\
C:\Program Files\Blubster\My Shared Folder\
C:\Program Files\Edonkey2000\incoming\
C:\Program Files\Files\Kazaa Lite\My Shared Folder\
C:\Program Files\gnucleus\downloads\
C:\Program Files\Grokster\My Shared Folder\
C:\Program Files\ICQ\shared files\
C:\Program Files\iMesh\iMesh5\Data\Playlists\
C:\Program Files\Kazaa\My Shared Folder\
C:\Program Files\KMD\My Shared Folder\
C:\Program Files\limeWire\Shared\
C:\Program Files\Morpheus\My Shared Folder\
C:\Program Files\overnet\incoming\
C:\program files\rapigator\share\
C:\Program Files\Shareaza\Downloads\
C:\Program Files\Tesla\Files\
C:\Program Files\Warez P2P Client\My Shared Folder\
C:\Program Files\winmx\shared\
C:\Program Files\XoloX\Downloads\
D:\My Downloads\
D:\My Shared Folder\
D:\Program Files\bearshare\shared\
D:\Program Files\Edonkey2000\incoming\
D:\Program Files\Files\Kazaa Lite\My Shared Folder\
D:\Program Files\Files\Kazaa\My Shared Folder\
D:\Program Files\iMesh\iMesh5\Data\Playlists\
D:\Program Files\limewire\shared\
D:\Program Files\Morpheus\My Shared Folder\
D:\Program Files\overnet\incoming\
D:\Program Files\Shareaza\Downloads\
D:\Program Files\Warez P2P Client\My Shared Folder\
D:\Program Files\winmx\shared\
E:\My Downloads\
E:\My Shared Folder\
E:\Program Files\bearshare\shared\
E:\Program Files\Edonkey2000\incoming\
E:\Program Files\Files\Kazaa Lite\My Shared Folder\
E:\Program Files\Files\Kazaa\My Shared Folder\
E:\Program Files\iMesh\iMesh5\Data\Playlists\
E:\Program Files\limewire\shared\
E:\Program Files\Morpheus\My Shared Folder\
E:\Program Files\overnet\incoming\
E:\Program Files\Shareaza\Downloads\
E:\Program Files\Warez P2P Client\My Shared Folder\
E:\Program Files\winmx\shared\

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

Upon execution, the worm copies itself to the following files.

C:\CodeBlack.exe
C:\WINDOWS\system32\CodeBlack.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CodeBlack.exe
A:\CodeBlack.exe

It then deletes the following files in the victim machine.

C:\WINDOWS\system32\Restore\rstrui.exe
C:\WINDOWS\system32\Cmd.Exe
C:\Documents and Settings\All Users\Start Menu\Programs\PC Help & Tools\System Restore.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\System Restore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\dllcache\msconfig.exe
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe

The worm also adds the following registry entries.

HKEY_CURRENT_USER\Software\America Online\ AOL Instant Messenger (TM)\CurrentVersion\Users\IAmGoneList
"GoneMsg0001" = "Playing Game Aim Hacker 1.3 FREE!"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = "http://www.zimlabs.net/[removed].exe"
HKEY_CURRENT_USER\Control Panel\International "s1159" = "??????"
HKEY_CURRENT_USER\Control Panel\International "s2359" = "??????"

Symptoms

Symptoms -

Presence of the mentioned files and registry keys

Method of Infection

Method of Infection -

The worm sends one of the following messages to AOL Instant Messenger users. The message has a link to "http://www.zimlabs.net/[removed].exe" that contains a copy of this worm.

Aim Hacker 1.3 FREE!
Better then limewire and kazaa put together!
Check my Pics Out!
Check out my Hitlist!
Check out my webcam.
Click to join! Better then myspace and xanga!
Cool hacking programs!
Download Aim Optimized 6.1!
Download Dead Aim (6.0+)- NEW!
Download my mp3 i made.
Email Hacker Pro 1.5 This is awsome! :)
Free Aim Password Cracker. Use it to hack your friends.
Funniest Clip Ever!
Game Hacker program download here.
Get X-im Chat! Better then AIM!
Gunner Online. Join and play today!
Have you see this!?
HOLY CRAP! It's a pic of you!
INFINITE FREE PICS OF ASIAN HOTTIES!
Join this free music site!
LMAO OMG THIS IS HILARIOUS!
LMAO! OMG IT'S YOU!
LOL Check these Pics out.
Lol OMG! Someone posted your picture here!
LOL Watch this clip!
LOLOL WTF IS THIS?!
Make your own Profile!
My Profile.
My Xanga!
OMG LOOK IT'S YOU!
Play the new Aim Online game!
ROFL! Check this out!
See my Beach pictures!!
Take my Quiz!
THE KEY TO HAPPINESS IS LAUGHTER!
This game is badass! Play now!
View My BuddyProfile
Wanna See My Profile!

It also attempts to copy itself to the following shared folders.

C:\My Shared Folder\
C:\Program Files\Ares\My Shared Folder\
C:\Program Files\Blubster\My Shared Folder\
C:\Program Files\Edonkey2000\incoming\
C:\Program Files\Files\Kazaa Lite\My Shared Folder\
C:\Program Files\gnucleus\downloads\
C:\Program Files\Grokster\My Shared Folder\
C:\Program Files\ICQ\shared files\
C:\Program Files\iMesh\iMesh5\Data\Playlists\
C:\Program Files\Kazaa\My Shared Folder\
C:\Program Files\KMD\My Shared Folder\
C:\Program Files\limeWire\Shared\
C:\Program Files\Morpheus\My Shared Folder\
C:\Program Files\overnet\incoming\
C:\program files\rapigator\share\
C:\Program Files\Shareaza\Downloads\
C:\Program Files\Tesla\Files\
C:\Program Files\Warez P2P Client\My Shared Folder\
C:\Program Files\winmx\shared\
C:\Program Files\XoloX\Downloads\
D:\My Downloads\
D:\My Shared Folder\
D:\Program Files\bearshare\shared\
D:\Program Files\Edonkey2000\incoming\
D:\Program Files\Files\Kazaa Lite\My Shared Folder\
D:\Program Files\Files\Kazaa\My Shared Folder\
D:\Program Files\iMesh\iMesh5\Data\Playlists\
D:\Program Files\limewire\shared\
D:\Program Files\Morpheus\My Shared Folder\
D:\Program Files\overnet\incoming\
D:\Program Files\Shareaza\Downloads\
D:\Program Files\Warez P2P Client\My Shared Folder\
D:\Program Files\winmx\shared\
E:\My Downloads\
E:\My Shared Folder\
E:\Program Files\bearshare\shared\
E:\Program Files\Edonkey2000\incoming\
E:\Program Files\Files\Kazaa Lite\My Shared Folder\
E:\Program Files\Files\Kazaa\My Shared Folder\
E:\Program Files\iMesh\iMesh5\Data\Playlists\
E:\Program Files\limewire\shared\
E:\Program Files\Morpheus\My Shared Folder\
E:\Program Files\overnet\incoming\
E:\Program Files\Shareaza\Downloads\
E:\Program Files\Warez P2P Client\My Shared Folder\
E:\Program Files\winmx\shared\

Removal -

All Users:
Use current engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Content

W32/Lamo.worm

Type

SubType

Discovery Date

Length

Minimum DAT

Updated DAT

Minimum Engine

Description Added

Description Modified

Risk Assessment

Tab Navigation

Overview

Characteristics

Symptoms

Method of Infection

Removal

Variants

Variants

All Information

Overview -

Characteristics

Characteristics -

Symptoms

Symptoms -

Method of Infection

Method of Infection -

Removal -

Removal -

Variants

Variants -

Threat Resources

Footer