Aliases: Worm.Win32.Lemoor.a, W32/Lemoor.gen, W32.Lemoor.A, W32/Lemoor-A, Win32/HLLW.Lemoor.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 11 Jul 2004
Damage: Low

Characteristics: W32.Lemoor.A is a worm. It propagates via the Internet by exploiting a vulnerability in the FTP server component of the W32.Sasser family of worms. Lemoor is written in Assembler and is FSG packed. Lemoor only infects computers which have been infected by Sasser.

More details about W32.Lemoor.A

When executed, the worm W32.Lemoor.A registers itself in the system registry to ensure that it is run each time the system is launched. It creates an overlapped socket for intercepting SMB packets from W32.Sasser variants in order to attack other hosts. Then, it retrieves the IP addresses of infected computers from the data it intercepts from W32.Sasser variants. It sends a broadcast and waits for responses from machines infected by Sasser. It utilizes a vulnerability in the FTP server installed by Sasser when it receives an answer from a victim machine. It then launches its command shell on a randomly chosen port. Afterwards, it sends its body to the victim machine and launches it. It does not have any other payload. It is only programmed to propagate.

The W32.Lemoor.A program can be manually installed by the user. The installer component of the application is often acquired as a freeware program from download sites on the Internet. The W32.Lemoor.A application may also utilize other distribution channels such as e-mail, peer-to-peer (P2P) file sharing networks, instant messaging tools and shared resources on the Local Area Network (LAN). The installation of the program provides an End User License Agreement (EULA). The EULA presented in the installation procedure does not fully disclose all the functions of the application.