Discovered: December 17, 2004
Updated: December 17, 2004 4:07:41 PM
Systems Affected: Windows

W32.Looked is a worm that propagates through shared folders, downloads a file, and infects .exe files.

The worm kills the Zone Alarm firewall and the following processes:
Ravmon.exe
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
IPARMOR.EXE

When a file infected with W32.Looked is executed, the worm drops a file called virDll.dll to the current folder.

The dropped DLL is injected into Internet Explorer and downloads a password stealer from http://www.lookde5.com/1.exe.

The worm searches for .exe files to infect in all the drives on the computer from the C drive onwards. The worm will not infect .exe files in folders with the following substrings in their name:
system
windows
Documents and Settings
System Volume Information
Recycled
winnt
\Program FilesWindows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gaming Zone

The worm may attempt to prepend itself to any .exe files that it finds on the computer, except those named "IEXPLORE.EXE" or "EXPLORER.EXE". The size of infected files is increased by 62,976 bytes. Infected files have an icon that is similar to one used for zip files.
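An added triage helper, not part of this write-up, that turns the rules above into a check for incident responders: given a trusted inventory of executable sizes and a current one, it reports .exe files that grew by exactly 62,976 bytes and that fall inside the worm's stated infection scope (outside the skipped folders, not IEXPLORE.EXE or EXPLORER.EXE). Case-insensitive folder matching and the constructed sample inventories are assumptions.

```python
import ntpath

# Folder-name substrings the write-up says the worm skips (copied as printed on the page).
SKIPPED_FOLDER_SUBSTRINGS = [
    "system", "windows", "Documents and Settings", "System Volume Information",
    "Recycled", "winnt", "\\Program FilesWindows NT", "WindowsUpdate",
    "Windows Media Player", "Outlook Express", "Internet Explorer",
    "ComPlus Applications", "NetMeeting", "Common Files", "Messenger",
    "Microsoft Office", "InstallShield Installation Information", "MSN",
    "Microsoft Frontpage", "Movie Maker", "MSN Gaming Zone",
]
NEVER_INFECTED = {"IEXPLORE.EXE", "EXPLORER.EXE"}   # names the write-up says are left alone
INFECTION_GROWTH = 62_976                            # bytes added to an infected file


def in_worm_scope(path: str) -> bool:
    """True if the write-up's rules make this file a candidate for infection."""
    folder, name = ntpath.split(path)
    if not name.upper().endswith(".EXE") or name.upper() in NEVER_INFECTED:
        return False
    # Assumption: the worm compares folder names case-insensitively; the
    # write-up only says "substrings in their name".
    folder_l = folder.lower()
    return not any(s.lower() in folder_l for s in SKIPPED_FOLDER_SUBSTRINGS)


def flag_grown_executables(baseline: dict, current: dict) -> list:
    """Return in-scope .exe paths whose size grew by exactly INFECTION_GROWTH
    bytes between a trusted (path -> size) inventory and the current one."""
    hits = []
    for path, size in current.items():
        before = baseline.get(path)
        if before is not None and size - before == INFECTION_GROWTH and in_worm_scope(path):
            hits.append(path)
    return sorted(hits)


# Constructed sample inventories (hypothetical paths and sizes).
BASELINE = {r"C:\Tools\putty.exe": 500_000, r"C:\Windows\notepad.exe": 60_000,
            r"D:\Games\game.exe": 1_000_000, r"C:\Tools\explorer.exe": 1_000}
CURRENT = {r"C:\Tools\putty.exe": 562_976,     # grew by 62,976 in an in-scope folder
           r"C:\Windows\notepad.exe": 122_976, # grew, but folder is skipped by the worm
           r"D:\Games\game.exe": 1_000_000,    # unchanged
           r"C:\Tools\explorer.exe": 63_976}   # grew, but name is never infected

if __name__ == "__main__":
    print(flag_grown_executables(BASELINE, CURRENT))
```

A size delta alone is only a lead; confirm any hit with an AV scan or by diffing the file against a known-good copy before treating it as infected.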

The worm creates a copy of itself as %Windir%\Logo1_.exe.

The worm then attempts to copy itself to IPC$ and ADMIN$ shares on the network, where the administrator or guest passwords are blank.

The worm may send ICMP traffic containing the string "Hello,World" to 192.168.0.30 and 192.168.8.1.