Aliases:  W32/Ladex.worm [McAfee], Worm.Win32.Ladex.a [KAV], Worm.Win32.Ladex.b [KAV], WORM_LADEX.A [Trend], W32/Ladex-A [Sophos], W32/Ladex-B [Sophos], Win32.Ladex [CA]
Variants: WNT.YdalBug.Worm

Classification: Malware
Category: Computer Worm

Status: dormant
Spreading: slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: easy
Platform: W32
Discovered: 08 Jul 2002
Damage: Low

Characteristics: W32.Dalbug.Worm is a worm that automatically spreads and targets computers and/or laptops with open user accounts and shares. It installs itself remotely as a service on the victim's computer.

More details about W32.Dalbug.Worm

The W32.Dalbug.Worm program installs itself remotely as a service on the victim's computer. Since July 9, 2002, this worm has been detected as WNT.YdalBug.Worm. This worm also tries to open computer's Service Control Manager. It installs itself as a service. It contains this characteristics, “Service name: NtLmHosts,”Display name: TCP/IP NetBIOS Provider,”Description: Provides NetBIOS over TCP/IP (NetBT) service support for NetBIOS name resolution” and “Path: %windir%\System32\lmhsvc.exe.” This worm also copies itself to the windows system folder so that it could also run every time the Windows starts. The worm software can also search for folders shared on peer-to-peer (P2P) networks. It typically places infected archive files in folders with the words downloads, share and incoming. The files are labeled as retail software that has been hacked so they can be used free.

This software typically enters the system via e-mail. Users may receive spam e-mails. They may be led to believe that the message comes from someone they know. This application may also record information and send them to a remote server. It can record program windows and log data from these as well. Security software may also be disabled.