[Virus warning] W32.Liac.A@mm

09.07.2002, 08:09
Honorary member
Robert

Posts: 2283
#1 W32.Liac.A@mm is a mass-mailing worm that is written in Visual Basic. When the worm is executed, it attempts to use Microsoft Outlook to send email to all contacts in the Windows Address Book (.wab). The worm has been packed using a known executable file packer. The size of the worm is about 12 KB packed and about 40 KB unpacked.

Also Known As: W32.Liac@mm, WORM_LIAC.A [Trend], W32/Calil-A [Sophos], W32/Liac@MM [McAfee]
Type: Worm
Infection Length: 12,208 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux


Distribution

Subject of email: FW:FW: LILAC project video attach
Name of attachment: LILAC_WHAT_A_WONDERFULNAME.avi.exe
Size of attachment: 12,208 bytes

Technical details

When W32.Liac.A@mm is executed, it does the following:

It displays this message:

Title bar: Windows
Message: Error54: Media Player not installed correctly

Next, it attempts to copy itself to the Windows temporary folder. It does this by trying these hardcoded folder names:


C:\Win98\Temp
C:\Win95\Temp
C:\Winnt\Temp
C:\Winme\Temp
C:\Winxp\Temp
C:\Windows\Temp

Next, so that the worm is executed each time that you start Windows, it attempts to add the value

Lilac

to the registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

NOTE: Due to bugs in the worm's code, some or all of these attempted actions may not happen.

Next, the worm attempts to use Microsoft Outlook to email all contacts in the Windows Address Book. The email that it sends out will appear as follows:

Subject: FW:FW: LILAC project video attach
Message: Things that the govt. dont want you to know
Attachment: LILAC_WHAT_A_WONDERFULNAME.avi.exe

There are some bugs in this routine. Therefore, in some cases, 0 byte executable files may be attached. In other cases there may not be any attachment.

Finally, the worm attempts to add or modify the following values, as shown:

RegisteredOwner xEnOcrAtEs
LegalNoticeCaption Owned by:
LegalNoticeText Owned by: xEnOcrAtEs

in the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion

On some occasions, the worm may display this message:

Your PC is infected with LILAC virus by: xEnOcrAtEs

Removal Instructions

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.


1. Update the virus definitions, run a full system scan, and delete all files that are detected as W32.Liac.A@mm
2. Delete the value

Lilac

from the registry key

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


Update the virus definitions, run a full system scan, and delete all files that are detected as W32.Liac.A@mm. For details on how to do this, read the following instructions. (Source: symantec.com)
__________
powered by http://different-thinking.de - Networks, protocols, security, ...
This post was edited by Robert on 09.07.2002 at 08:10.
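A mail-gateway check for the indicators listed in the advisory above, as an added example that is not part of the original post or of Symantec's write-up. The function names and the extension lists are assumptions; the check covers the missing and 0-byte attachment cases the advisory mentions and goes beyond the exact file name by flagging any decoy-plus-executable double extension.

```python
from email.message import EmailMessage

# Indicators taken from the advisory above.
SUBJECT = "FW:FW: LILAC project video attach"
ATTACHMENT = "LILAC_WHAT_A_WONDERFULNAME.avi.exe"
PACKED_SIZE = 12208  # bytes
# Assumption: illustrative extension lists, not exhaustive.
EXECUTABLE = {".exe", ".scr", ".pif", ".com", ".bat"}
DECOY = {".avi", ".mpg", ".jpg", ".txt", ".doc"}

def double_extension(name):
    """True for names like video.avi.exe: a harmless-looking extension before an executable one."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and "." + parts[2] in EXECUTABLE and "." + parts[1] in DECOY

def liac_findings(msg):
    """Return the list of reasons a parsed message matches the advisory (empty if none)."""
    findings = []
    subject = " ".join((msg.get("Subject") or "").split())
    if subject.lower() == SUBJECT.lower():
        findings.append("subject")  # also the only hit when no file was attached
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        if name.lower() == ATTACHMENT.lower():
            findings.append("attachment-name")
            # The advisory notes the send routine may attach a 0-byte file.
            if len(payload) == 0:
                findings.append("empty-attachment")
            elif len(payload) == PACKED_SIZE:
                findings.append("attachment-size")
        elif double_extension(name):
            findings.append("double-extension")
    return findings

def build_sample(subject, filename=None, data=b""):
    """Build a constructed test message (not a captured mail)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Things that the govt. dont want you to know")
    if filename is not None:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg

if __name__ == "__main__":
    print(liac_findings(build_sample(SUBJECT, ATTACHMENT, b"\x00" * PACKED_SIZE)))
```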
23.07.2002, 22:37
Member

Posts: 18
#2 Hi there :-)

The following: I recently had a similar virus on my C:\ drive. I found a text file with the content "PATCH THE LEAKS OR THE SHIP WILL SINK !"
and in the windows/media folder I found 5-6 exe files, which Norton only raised an alarm about when I tried to delete them.......
They all had this w32.*something* in their names.

Anyway, I strongly assume that someone had a bit of fun on my box, although I didn't find any further changes....

Regards,
schneemann

win98se, norton antivirus, norton pfirewall, zonealarm
23.07.2002, 22:39
Member

Posts: 18
#3 Yes, I know about the d and the ä, but don't forget:
BACKSPACE IS LAME :-)