Aliases: Backdoor.Lorac, Worm.Win32.Eyeveg.a, W32/Eyeveg.worm, Email-Worm.Win32.Eyeveg.b, Win32/Eyeveg.C
Variants: Backdoor-AYU, BKDR_LORRAC.A, Troj/Eyeveg-A, Worm.Win32.Eyeveg, [email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 21 Aug 2003
Damage: Low

Characteristics: The W32.Lorac may arrive at a vulnerable computer system as a file attachment from a spiked email message. This Worm may take the form of a ZIP file format which is accompanied by a bogus message body which is intended to prompt the computer user to extract and run its contents to infect the machine. This particular malware is a network aware threat which allows it to take advantage of HTTP-based processes.

More details about W32.Lorac

As a network aware Worm, this can be used by its malicious author to exert unobstructed control over an infected computer system using an active Internet connection. The W32.Lorac has been observed to exploit a Multipurpose Internet Mail Extension vulnerability of the operating system. This loophole takes advantage of the functionality of allowing the launching of MIME-based applications within HTML file formats. The W32.Lorac extracts an executable file with the filename based on the volume serial number allowing it to take on different appearances in every compromised machine. The file is normally stored in the same directory folder as the operating system. The W32.Lorac also modifies the Windows Registry by adding its own key value to allow it to launch together with the operating system.

The W32.Lorac uses the Windows Registry to include an instance of itself into the Startup folder and will attempt to mimic a legitimate operating system process. The W32.Lorac makes use of an internal Simple Mail Transfer Protocol engine to send dubious email notifications to various addresses. It has been observed to download at certain intervals files from specific websites. The file is made up of instructions that control the behavior of the execution of the malware. Based on the commands received from this file, the W32.Lorac may execute any action from gathering system information to launching of arbitrary applications.