W32.Libi


Aliases: Win32.HLLW.Libido, TROJ_LIBIDO.A, W32.Bilido.Worm
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 10 May 2002
Damage: Low

Characteristics: W32.Libi is a worm that attempts to copy itself to drive A using different names. Definitions prior to May 15, 2002 detected this threat as W32.Bilido.Worm.

More details about W32.Libi

When W32.Libi is executed, it copies itself to the System folder as Runing.exe and adds a value to the registry so that it runs at startup. It opens Regedit.exe in exclusive mode, which denies read and write access to other processes, so the user cannot launch Regedit.exe while the worm is running. It also creates the value SubCount in the registry and uses it as a self-execution counter. When this counter reaches 100, that is, after the worm has been executed 100 times, W32.Libi prevents access to some drives on the local computer by repeatedly sending the "lock volume" request to the Vwin32 device driver. Every 10 minutes, the worm attempts to save itself to drive A using file names such as Libido.exe, Sexo gratis.exe, Porno gratis.exe, Chistes.exe and Sexo virtual.exe.
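A triage check built from the file names in this description, as an added example that is not part of the original write-up: it looks for Runing.exe in a System folder and for the listed drop names on a removable drive, and also flags any .exe whose content matches the System-folder copy, because the list of drop names is not exhaustive. The function names, the two directory arguments and the assumption that every copy the worm writes is byte-identical are assumptions of this example.

```python
import hashlib
from pathlib import Path

# Names taken from the description above (compared case-insensitively).
# The page's list of drop names is not exhaustive.
SYSTEM_COPY = "runing.exe"
DROP_NAMES = {"libido.exe", "sexo gratis.exe", "porno gratis.exe",
              "chistes.exe", "sexo virtual.exe"}


def sha256_of(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_libi_artifacts(system_dir, removable_root):
    """Return sorted (path, reason) tuples for files matching the write-up."""
    findings, ref_hash = [], None
    system_dir, removable_root = Path(system_dir), Path(removable_root)
    if system_dir.is_dir():
        for p in system_dir.iterdir():
            if p.is_file() and p.name.lower() == SYSTEM_COPY:
                ref_hash = sha256_of(p)
                findings.append((str(p), "system-folder copy name"))
    if removable_root.is_dir():
        for p in removable_root.rglob("*"):
            if not p.is_file() or p.suffix.lower() != ".exe":
                continue
            # Assumption: the worm's copies are byte-identical, so a hash match
            # catches drops saved under names the list does not cover.
            if ref_hash is not None and sha256_of(p) == ref_hash:
                findings.append((str(p), "same content as system-folder copy"))
            elif p.name.lower() in DROP_NAMES:
                findings.append((str(p), "known drop name"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, reason in find_libi_artifacts(sys.argv[1], sys.argv[2]):
        print(f"{reason}: {path}")
```

A name-only hit means the file merely carries one of the listed names; a content hit ties it to the Runing.exe found in the System folder.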

Some of the payloads of W32.Libi include displaying ads that persistently pop up on the computer screen, activating backdoors, slowing down the computer, altering the default homepage of the Web browser and redirecting searches to Web sites with questionable content. Aside from the computer's registry, W32.Libi also targets the computer's system resources to carry out its malicious processes. The resulting drain on the system leads to slower Internet connections and an overall drop in the computer's performance.