Aliases: Virus.Win32.Delf.62976, W32/HLLP.Philis.j, Net-Worm.Win32.Zorin.a, Worm.Win32.Zorin.a, W32.Looked.B
Variants: Win32.HLLW.Looked, W32/LegMir-X, PE_LEOX.A, BehavesLike:Win32.FileInfector, NewHeur_PE

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 17 Dec 2004
Damage: Medium

Characteristics: The W32.Looked is designed with certain similarities to viruses in the context that it attempts to target and infect files that use the EXE file extension. It scans the contents of the infected machine to search for more executable files. It has been observed by various computer experts to spread its codes using mainly shared folders as transport mechanism. This malware is capable of downloading files into the infected computer system and executing it.

More details about W32.Looked

Computer systems which are infected with the W32.Looked will experience the illegal terminations of certain security firewall programs running in the machine. The malware will also attempt to stop other security related processes active in the computer system background. This routine is intended to lower the system's security settings and make it more vulnerable to attack. The W32.Looked will create a new Dynamic Link Library file into its directory folder location and uses it to hook functionalities of the Web browser. The hooked browser will be used to download a password thief malware that will be introduced into the already infected machine. Executable files in all logical, removable, and network drives identified in the compromised computer system will be corrupted by the W32.Looked malware.

The malicious author of the W32.Looked malware designed the threat to avoid infecting executable files stored in directory locations that contain specific text strings. This is presumed to be a ploy to maintain the infected computer system's operation to make it a transport mechanism to spread infection. A file infected by the W32.Looked will experience an increase in size due to the additional codes that are added at the beginning of the file. An executable file copy of itself will be placed into the operating system directory. The W32.Looked will use unprotected network shares to send a copy of itself.