Worm.Win32.Lemoor.a

tag: Internet Worms

This worm spreads via the Internet, propagating via a vulnerability in the FTP server of Worm.Win32.Sasser.

Only computers which have already been infected by Sasser are vulnerable to Lemoor.

Lemoor is written in Assembler, and is packed using FSG. The packed file is 1985 bytes in size, and the unpacked file is approximately 20992 bytes in size.

Installation

When launched, the worm registers itself in the system registry to ensure that it runs each time the system starts:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   [Ephemeral 2.4] by TreeHugger, = <path to file>
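
To check a host for the autorun entry described above, the following added example (not part of the original write-up) parses the text of a `reg export` and returns the file registered under that value name. The sample export, its file paths and the function names are constructed for illustration.

```python
import re

# Indicators taken verbatim from the write-up above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
LEMOOR_VALUE = "[Ephemeral 2.4] by TreeHugger,"

# Constructed sample export; the file paths and the benign entry are invented.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"[Ephemeral 2.4] by TreeHugger,"="C:\\WINDOWS\\sample.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"[Ephemeral 2.4] by TreeHugger,"="C:\\ignored.exe"
'''

# A string value line in a .reg export: "name"="data", with \\ and \" escapes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo .reg escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def norm(name):
    # Assumption: tolerate the trailing comma shown in the write-up being absent.
    return name.strip().rstrip(",").strip().lower()

def run_entries(reg_text):
    """Yield (name, data) for string values under the HKLM Run key only."""
    in_run = False
    for line in reg_text.splitlines():
        line = line.strip()
        # Key headers are unquoted [..] lines. The Lemoor value name also starts
        # with '[' but is quoted in an export, so it is not mistaken for a key.
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_run else None
        if m:
            yield unescape(m.group(1)), unescape(m.group(2))

def find_lemoor(reg_text):
    """Return file paths registered under the Lemoor autorun value name."""
    return [data for name, data in run_entries(reg_text)
            if norm(name) == norm(LEMOOR_VALUE)]
```

Exports written by `reg export` are UTF-16 with a byte-order mark, so read the file with `encoding="utf-16"` before passing its text to `find_lemoor`.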

Propagation

The worm sends a broadcast request and waits for responses from machines infected by Sasser.

When it receives an answer from a victim machine, it utilizes a vulnerability in the FTP server installed by Sasser to launch its command shell on a randomly chosen port. It then sends its body to the victim machine and launches it.

Other

The worm is only programmed to propagate: it does not have any other payload.

©Virus-Encyclopedia.com All Rights Reserved.