W32.Lofni.Worm


Aliases: W32.Lohack.B.Worm, W32/Noala@MM, W32/Noala.gen@MM, i-worm.WinSux, WORM_ARRET.A
Variants: Email-Worm.Win32.Ticton, I-Worm/Ticton.A, Win32.Zamacs.A@mm, Worm/Ticton.1, Worm:Win32/Ticton.A@mm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: South America, Europe, Asia
Removal: Hard
Platform: W32
Discovered: 14 Jul 2003
Damage: Low

Characteristics: According to most antivirus vendors, this threat uses primarily two transport mechanisms. W32.Lofni.Worm normally spreads its code to other computers and network environments either by mass mailing or by hijacking weakly protected network shares. The email addresses it mails to are usually harvested from the contents of the Windows Address Book on the infected computer. The email attachment carries either an .SCR or an .EXE file extension.

More details about W32.Lofni.Worm

When this worm is executed on a compromised system, it attempts to create a text file in the root directory of the main hard drive. The contents of the text file generated by W32.Lofni.Worm are commonly written in Spanish. It then creates two more text files in the same location and displays the contents of the first text file on screen. At the same time, the malware creates two executable files in the operating system directory and attempts to register itself as a legitimate operating system process, presumably in order to conceal its malicious activity from the user.

W32.Lofni.Worm creates a corresponding key value in the Windows Registry so that it is loaded at system boot or startup. It also reads the Windows Registry to inspect the .NET email accounts present on the machine, which it can use to spread its code. The malware checks for an active Internet connection at 10-second intervals by using the ping command. It attempts to enumerate unrestricted network shares, connect to them, and replicate itself onto them. It also attempts to modify the initialization file of the operating system.