Aliases: W32/Listas.worm
Variants: N/A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: N/A
Geographical info: North America
Removal: N/A
Platform: W32
Discovered: 24 May 2002
Damage: N/A

Characteristics: W32.Listas is a Trojan horse. It may allow unauthorized access to an infected computer. It may allow a hacker to access sensitive information on the computer through the use of email. It is compressed with ASPACK and written in Delphi.

More details about W32.Listas

W32.Listas spreads through floppy disks by making a copy of itself on the disk. The Trojan cannot run automatically from a floppy disk, so Listasfg.exe would have to be copied from the floppy disk to a hard drive. To ensure that it runs at every Windows startup, the Trojan adds values to the registry. It also adds a line to Win.ini.

W32.Listas searches the hard drive for the files Smdata.dat and WS_ftp.ini. The program CuteFTP stores passwords in Smdata.dat, protected only by a simple character substitution and an encryption table that is easily decrypted. Windows Sockets FTP stores encrypted passwords in WS_ftp.ini. The Trojan has its own SMTP engine, which it uses to email the passwords it finds in these two files, along with the victim's user information, to an email address predefined by the hacker.

The W32.Listas application first arrives on the computer via IRC channels. The remote hacker may disguise the program as a desirable application to mislead the user into downloading and executing it. The W32.Listas application may also slow down computer response, because the program consumes system resources, resulting in slow computer performance. The application uses a polymorphic engine, which generates virus code that changes its name from time to time.