W32.Lile.A


Aliases: W32/Lile-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 30 Sep 2005
Damage: Medium

Characteristics: W32.Lile.A is a file infector worm. It may spread by copying itself into local folders and mapped network drives. It infects files inside peer-to-peer transfer folders and through Instant Messaging programs. The worm may download and execute remote files and tries to perform a Denial of Service (DoS) attack against a specific website.

More details about W32.Lile.A

When W32.Lile.A is executed, it creates files in the System Drive and periodically checks for their presence as an infection marker. It creates the mutex “Leliel_GEDZAC_LABS” so that only one copy of the threat will run on the infected computer. It creates a file named C:\l.reg, runs the Windows registry utility, and modifies the registry to make sure it runs when the user opens .exe and .reg files. The worm also attempts to disable the Windows Firewall, Windows File Protection (SFC) security feature, and the System Restore security feature. It infects .exe files by prepending its code and copying the original file at the end. It attempts to end any running processes which are mostly security related. It attempts to spread to randomly selected drives, except the C drive.

The worm spreads on peer-to-peer networks by searching and infecting executable files located in the system. It attempts to obtain full access to the mapped network folders. It even opens a backdoor using the mIRC client on standard IRC ports. It connects to a predetermined IRC channel and waits for commands from the remote attacker. The W32.Lile.A program has several modes of installation. The unwary user may install the dialer program manually. It may come as a bundled component of other program such as a freeware and shareware program. The application can also exploits security flaws and vulnerabilities found in the system. The computer may also obtain the W32.Lile.A program by accessing pornographic sites and clicking unreliable links. The W32.Lile.A program works on computer with Windows platform. The application may run on Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP operating system.