W32/Lewor.a
- Type: Virus
- SubType: Worm
- Discovery Date: 11/14/2006
- Length: 28,672 bytes
- Minimum DAT: 4895 (11/14/2006)
- Updated DAT: 4895 (11/14/2006)
- Minimum Engine: 5.1.00
- Description Added: 11/14/2006
- Description Modified: 01/07/2007 6:06 PM (PT)
Characteristics
This virus is now being detected as a variant of W32/Fujacks.
W32/Lewor.a is a parasitic file infector that can spread over USB storage devices, network drives, shared folders and QQ instant messaging. It also has a downloader component that installs additional malware on the infected machine.
Remote Download
Upon execution, W32/Lewor.a contacts a user profile web page on bbs.qq.com. This web page may contain an encrypted malware URL used by the virus.
(bbs.qq.com is a legitimate website used by QQ instant messaging users; QQ is massively popular in China.)
Additional malware is then downloaded from a website hosted on whboy.net. At the time of writing, the downloaded malware was found to be W32/Realor.worm.
Media and Network Propagation
W32/Lewor.a scans network drives and USB storage devices and prepends a copy of the virus onto Win32 executable (*.exe) files. It may also copy itself onto USB storage devices and create an autorun.inf file to autostart the virus on other Windows machines.
Other network shares on the LAN are scanned, and W32/Lewor.a may access default shares using a list of known weak passwords. It then attempts to schedule a remote task over NetBIOS. When successful, W32/Lewor.a can execute on the targeted machines.
It may also send rogue hyperlinks over QQ instant messenger to the victim's contact list. These hyperlinks typically lead to IE exploits such as VBS/Psyme and Exploit-MS06-14.
(QQ is an instant messaging network commonly used in China.)
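Because the virus prepends itself to host executables, an infected file carries two PE images: the virus body first, then the original host at a fixed offset. The following added example (not McAfee's tooling or the virus's own code) checks a file for a second valid MZ/PE header at the advisory's stated body length of 28,672 bytes and carves the host back out; the sample bytes are constructed, non-executable PE-shaped stubs, and the offset is a parameter because other variants may use a different body length.

```python
import hashlib
import struct

# Length of W32/Lewor.a as stated in the advisory metadata (28,672 bytes).
# Other variants may differ; treat the offset as a parameter, not a constant.
LEWOR_BODY_LEN = 28672


def is_pe_image(buf: bytes) -> bool:
    """True if buf begins with an MZ header whose e_lfanew points at a PE signature."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_prepended_host(data: bytes, body_len: int = LEWOR_BODY_LEN):
    """Prepending infectors place the original host PE right after the virus body.
    Return (sha256_of_prefix, host_bytes) when a second PE image starts exactly
    at body_len, else None. A clean PE has no second image at that offset.
    The prefix hash lets you confirm one common body across many hits before
    restoring any host."""
    if len(data) <= body_len or not is_pe_image(data):
        return None
    host = data[body_len:]
    if not is_pe_image(host):
        return None
    return hashlib.sha256(data[:body_len]).hexdigest(), host


def make_fake_pe(marker: bytes) -> bytes:
    """Constructed sample: a minimal, non-executable MZ/PE-shaped byte string."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    return bytes(hdr) + b"PE\0\0" + marker


if __name__ == "__main__":
    # Constructed "infected" file: a padded fake body followed by a fake host.
    host = make_fake_pe(b"HOST-PROGRAM")
    body = make_fake_pe(b"SAMPLE-BODY").ljust(LEWOR_BODY_LEN, b"\x90")
    prefix_hash, recovered = find_prepended_host(body + host)
    print("host recovered intact:", recovered == host, "prefix:", prefix_hash[:16])
```

A header at the expected offset is evidence, not proof; compare the prefix hash against a known-good detection before restoring a host in place.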
Process Termination
When run with sufficient system permissions, W32/Lewor.a may attempt to terminate and disable the following processes:
- QQKav
- QQAV
- VirusScan
- Symantec AntiVirus
- iDuba
- Wrapped gift Killer
- Winsock Expert
- IceSword
- Mcshield.exe
- VsTskMgr.exe
- naPrdMgr.exe
- UpdaterUI.exe
- TBMon.exe
- scan32.exe
- Ravmond.exe
- CCenter.exe
- RavTask.exe
- Rav.exe
- Ravmon.exe
- RavmonD.exe
- RavStub.exe
- KVXP.kxp
- KvMonXP.kxp
- KVCenter.kxp
- KVSrvXP.exe
- KRegEx.exe
- UIHost.exe
- TrojDie.kxp
- FrogAgent.exe
- avp.exe
- IAMAPP.EXE
- NISUM.EXE
- IAMSTATS.EXE
- LUSPT.exe
- ccApp.exe
- ccEvtMgr.exe
- ccPxySvc.exe
- NISSERV.EXE
- ... and other Chinese security software
Additional applications that are launched after W32/Lewor.a is executed may also be prevented from executing.
Symptoms
Method of Infection
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A