W32.Looked.J

Printer Friendly Page

Discovered: June 16, 2006
Updated: June 16, 2006 8:46:53 PM
Also Known As: W32/Looked-B [Sophos], W32/Looked-D [Sophos], W32/Looked-G [Sophos], W32/Looked-AB [Sophos]
Systems Affected: Windows

W32.Looked.J is a worm that spreads through network shares, attempts to infect .exe files and lowers security settings. It will also attempt to download and execute a remote file by dropping a Trojan component.

Antivirus Protection Dates

  • Initial Rapid Release version June 17, 2006
  • Latest Rapid Release version June 17, 2006
  • Initial Daily Certified version June 17, 2006
  • Latest Daily Certified version June 17, 2006
  • Initial Weekly Certified release date June 21, 2006

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Writeup By: Yousef Hazimee

Discovered: June 16, 2006
Updated: June 16, 2006 8:46:53 PM
Also Known As: W32/Looked-B [Sophos], W32/Looked-D [Sophos], W32/Looked-G [Sophos], W32/Looked-AB [Sophos]
Systems Affected: Windows

W32.Looked.J is a worm that spreads through network shares and attempts to infect .exe files. It also lowers security settings.


When the worm is executed, it creates the following files:
%Windir%\rundl132.exe - detected as W32.Looked.J
%CurrentFolder%\vDll.dll - detected as Downloader

The worm then checks for the presence of the following registry entry and exits if found:
HKEY_LOCAL_MACHINE\SOFTWARE\Soft\DownloadWWW\"auto" = "1"

If the above registry entry does not exist, the worm will create it as an infection marker.

The worm creates the following registry entry, to ensure it gets automatically executed at startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"load" = "%Windir%\rundl132.exe"

The worm attempts to stop the following service:
Kingsoft AntiVirus Service

The worm then injects its DLL component, vDll.dll, into either iexplorer.exe or explorer.exe.

This DLL component will attempt to download a file from the following location:
www.17dk.com

The worm searches for .exe files to infect in all the drives from C to Y.

The worm prepends itself to any .exe files that it locates on the computer.

The worm creates the file _desktop.ini in any any directory it has searched for executable files in. This file has the hidden and system attributes set and it stores the date the worm was executed.

The worm will not infect .exe files in folders with the following names:
system
system32
windows
Documents and Settings
System Volume Information
Recycled
winnt
Program Files
Windows NT
WindowsUpdate
Windows Media Player
Outlook Express
Internet Explorer
ComPlus Applications
NetMeeting
Common Files
Messenger
Microsoft Office
InstallShield Installation Information
MSN
Microsoft Frontpage
Movie Maker
MSN Gaming Zone

The worm may send ICMP packets containing the string "Hello,World" to the following IP addresses:
192.168.0.30
192.168.8.1

It may also send ICMP packets to IP addresses in the same range as the IP address of the compromised computer.

If any computer responds to the ICMP packet, the worm attempts to open shared folders with the following names:
\\ipc$
\\admin$

The shared folder will have the username administrator and a blank password.

If the worm succeeds in opening the shared folder, it copies itself to that folder.

The worm then enumerates all the computers and shared folders in the local network. The worm uses a blank username and a blank password to open the shared folders.

The worm then searches for and infects .exe files in the shared folders.

Writeup By: Yousef Hazimee