Aliases: I-Worm.Lohack.c, WORM_LOHACK.C, Worm/Lohack.C, Worm.Lohack.c, W32/Lohack.C@mm
Variants: Email-Worm.Win32.Lohack.d, I-Worm/Lohack.D, Win32/Lohack.D, Worm:Win32/Lohack.C@mm, Worm.Mail.Lohack.c

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: North America, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 20 Jul 2003
Damage: Low

Characteristics: The W32.Lohack.C.Worm belongs to a family of Worms which have the functionality of infecting various Peer to Peer file sharing programs. Computer systems connected to the file sharing server become target of infection. It may also use various email addresses that are stored in the computer system to spread its infection. The spiked email message attempt to mimic a legitimate Windows Update notice to trick the computer user into running its file attachment.

More details about W32.Lohack.C.Worm

Being a malware that preys on Peer to Peer file sharing programs, the W32.Lohack.C.Worm upon execution will generate a copy of itself into the download directory folder of the Peer to Peer file sharing client. It usually makes use of various filenames that are closely associated to legitimate utilities. The mock files created by the W32.Lohack.C.Worm normally have an EXE file extension allowing it to launch upon access by an unsuspecting computer user. An Internet shortcut is created by the malware using the same filename as the executable file but with a URL file extension. The W32.Lohack.C.Worm uses the website links to redirect the Web browser to a virus exchange website that is most probably established by the malicious author.

The computer system which is infected by the W32.Lohack.C.Worm scans for email addresses from file types which are known to store these types of information. Normally the data can be obtained from text, index, database, message, and hypertext file types among others. The email addresses gathered by the W32.Lohack.C.Worm are expected targets of infection by using spiked email messages. The W32.Lohack.C.Worm will usually send email messages using the "Windows Update" subject line and attaching a file extension that has both a TXT and EXE. Clicking on the file attachment will begin its infection routine.