
Win32.Worm.Lewor.S


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Worm.Lewor.S.

Explanation:

Despite the name, this is actually a trojan written in Delphi. It modifies the Internet Explorer start page and tries to download and install other malware.

At startup, it modifies the start page, URL history and search URL in Internet Explorer to point to an adult (XXX) site (www.mmmmmm.net). It registers itself under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key in the system registry. It copies itself into the Windows and System32 directories under the filenames listed under "Symptoms". It attempts to download and start a file named "tmdown.exe" from an adult site, but the file no longer exists there, so the attempt fails with an error (what is downloaded is not an executable, but the trojan tries to run it anyway).

It creates several timers with different functions:

- one of them keeps an eye on the IE settings, resetting the start page to its own if the user modifies it
- another one tries to download and start more malware
- there is also a timer which scans for various program windows (under the names QQKav, QQAV, TKillqqvir, ThunderRT6FormDC, Upiea, joyiex, ddqxyz, among others) and sends them the WM_QUIT message, thereby terminating those programs.

The trojan also disables the "Task Manager" shortcut shown when right-clicking the taskbar, trying in this manner to prevent its own termination. It associates itself with the default action for text files (.txt extension) in the registry, so that whenever a text file is opened, the trojan is run.

The trojan also registers itself as a service process.
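An added host-triage check, not part of the BitDefender write-up, that looks for the persistence and tampering points described above. The registry paths are standard Windows locations; the DisableTaskMgr policy value and the list of "normal" IE home-page hosts are assumptions, since the write-up names neither mechanism.

```powershell
# Added triage script, not BitDefender's code. Checks the persistence and
# tampering points described in the write-up. DisableTaskMgr is an ASSUMPTION
# about how the Task Manager shortcut is disabled; the write-up does not say.
function Test-LeworIndicators {
    $findings = @()
    $sysRoot  = $env:SystemRoot

    # 1. HKCU Run entries whose target sits in %SystemRoot% or %SystemRoot%\System32,
    #    where the dropped copies live. Legitimate entries can live there too, so
    #    these are leads for review, not verdicts.
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($p in $run.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
            $target = [Environment]::ExpandEnvironmentVariables(([string]$p.Value).Trim('"'))
            if ($target -like "$sysRoot\*") { $findings += "Run entry '$($p.Name)' -> $target" }
        }
    }

    # 2. IE start/search page redirected away from the usual defaults (assumed list).
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    foreach ($name in 'Start Page', 'Search Page') {
        $val = $ie.$name
        if ($val -and $val -notmatch '(?i)^(about:blank|https?://[^/]*(microsoft|msn|bing|live)\.com)') {
            $findings += "IE $name -> $val"
        }
    }

    # 3. .txt default action hijacked: the normal handler is Notepad.
    $txt = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\txtfile\shell\open\command' -ErrorAction SilentlyContinue
    if ($txt -and $txt.'(default)' -notmatch '(?i)notepad\.exe') {
        $findings += "txtfile open command -> $($txt.'(default)')"
    }

    # 4. Task Manager disabled by policy (assumed mechanism, see above).
    $pol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings += 'DisableTaskMgr = 1' }

    return $findings
}

Test-LeworIndicators | ForEach-Object { Write-Output "[suspect] $_" }
```

Each line it prints is a lead for manual review; an empty result only means none of these four indicators is currently set for the user running the script.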

Last update 21 November 2011
