Aliases: WORM_LITAR.A, Win32:Trojan-gen, I-Worm/Litar, [email protected], Win32/Litar.A
Variants: Email-Worm.MSIL.Litar, I-Worm.Litar, W32/Litar, W32/RoseGard-A, Win32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 14 Jul 2002
Damage: Low

Characteristics: W32.Litar.Worm belongs to a family of mass-mailing worms that can deliver their full functionality only if the .NET Framework components are installed on the infected computer. Like most mass mailers, this malware harvests information from the address book and targets all contacts in the list. It always attaches an executable file, which it prompts the user to launch in order to infect the vulnerable machine.

More details about W32.Litar.Worm

On its first execution, the malware checks whether the computer has already been exposed to its code. It searches for a specific log file that marks an infected system. If the log file is not found on the machine, W32.Litar.Worm creates it, with contents stating the date on which the worm was introduced into the machine. The log file contains only text and will never be detected as a threat by any antivirus application. W32.Litar.Worm writes its executable file to the same directory used by the operating system. It also modifies the Windows Registry, adding a new key value that allows it to load automatically with the operating system.

This particular threat has the distinction of being the first malware to make use only of the .NET Framework component without requiring additional elements from the Visual Basic Script platform. W32.Litar.Worm uses Visual Basic Script to carry out its mass-mailing operations. It makes use of the operating system's default email client and relies on its address book entries to target other computers. W32.Litar.Worm includes the name of the recipient in the subject line of the email message and attaches its executable file to the message.