
W32 Looked CreateFile Request

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects W32.Looked attempting to propagate through network shares.

Additional Information

When a file infected with W32.Looked is executed, it performs the following actions:

1. Terminates the Zone Alarm firewall and the following processes:
* Ravmon.exe
* EGHOST.EXE
* MAILMON.EXE
* KAVPFW.EXE
* IPARMOR.EXE

2. Drops a file named virDll.dll to the current folder.

3. Injects the dropped dll into Internet Explorer and downloads a password stealer from the www.lookde5.com, named 1.exe.

4. Searches for .exe files to infect in all the drives on the computer, from the C drive onward.

5. Will not infect .exe files in folders with the following substrings in their name:

* system
* windows
* Documents and Settings
* System Volume Information
* Recycled
* winnt
* \Program FilesWindows NT
* WindowsUpdate
* Windows Media Player
* Outlook Express
* Internet Explorer
* ComPlus Applications
* NetMeeting
* Common Files
* Messenger
* Microsoft Office
* InstallShield Installation Information
* MSN
* Microsoft Frontpage
* Movie Maker
* MSN Gaming Zone

6. May attempt to prepend itself to any .exe files that it finds on the computer, except those named "IEXPLORE.EXE" or "EXPLORER.EXE." The size of the infected files is increased by 62,976 bytes. Infected files have an icon that is similar to the one used for zip files.

7. Creates a copy of itself as %Windir%\Logo1_.exe.

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

8. Attempts to copy itself to IPC$ and ADMIN$ network shares, where the administrator or guest passwords are blank.

9. May send ICMP traffic containing the string "Hello,World" to 192.168.0.30 and 192.168.8.1.
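The targeting rules above (only .exe files, skipping the listed folder-name substrings and IEXPLORE.EXE/EXPLORER.EXE, growth of exactly 62,976 bytes, a Logo1_.exe copy in %Windir% and a dropped virDll.dll) can be turned into a triage check for responders. The following is an added example, not Symantec's signature logic or code; the function names, the case-insensitive matching and the sample file inventory and known-good baseline are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Folder-name substrings the worm skips (taken from the write-up above).
SKIPPED_FOLDER_SUBSTRINGS = [
    "system", "windows", "Documents and Settings", "System Volume Information",
    "Recycled", "winnt", "WindowsUpdate", "Windows Media Player",
    "Outlook Express", "Internet Explorer", "ComPlus Applications", "NetMeeting",
    "Common Files", "Messenger", "Microsoft Office",
    "InstallShield Installation Information", "MSN", "Microsoft Frontpage",
    "Movie Maker", "MSN Gaming Zone",
]
SKIPPED_FILENAMES = {"IEXPLORE.EXE", "EXPLORER.EXE"}
INFECTION_GROWTH = 62976          # bytes added when the worm prepends itself
DROPPED_NAMES = {"LOGO1_.EXE", "VIRDLL.DLL"}

def is_candidate_target(path: str) -> bool:
    """True if the worm's rules would have considered this file for infection.
    Assumption: matching is case-insensitive, as Windows paths are."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ".exe" or p.name.upper() in SKIPPED_FILENAMES:
        return False
    folder = str(p.parent).lower()
    return not any(s.lower() in folder for s in SKIPPED_FOLDER_SUBSTRINGS)

def triage(inventory: dict, baseline: dict) -> list:
    """inventory: {path: current size}; baseline: {path: known-good size}.
    Flags candidate targets that grew by exactly INFECTION_GROWTH bytes."""
    hits = []
    for path, size in inventory.items():
        base = baseline.get(path)
        if is_candidate_target(path) and base is not None \
                and size - base == INFECTION_GROWTH:
            hits.append(path)
    return sorted(hits)

def dropped_artifacts(inventory: dict) -> list:
    """Paths whose file name matches one of the worm's dropped files."""
    return sorted(p for p in inventory
                  if PureWindowsPath(p).name.upper() in DROPPED_NAMES)

# Constructed sample data: sizes from an endpoint inventory and a golden image.
SAMPLE_INVENTORY = {
    r"C:\Windows\notepad.exe": 69120,           # skipped folder ("windows")
    r"C:\Tools\putty.exe": 524288 + 62976,      # grew by exactly 62,976 bytes
    r"C:\Tools\EXPLORER.EXE": 1024 + 62976,     # excluded by file name
    r"C:\Tools\readme.txt": 1000,               # not an .exe
    r"C:\Windows\Logo1_.exe": 62976,            # dropped copy of the worm
    r"D:\Share\app.exe": 40000,                 # unchanged
}
SAMPLE_BASELINE = {r"C:\Tools\putty.exe": 524288, r"C:\Tools\EXPLORER.EXE": 1024,
                   r"D:\Share\app.exe": 40000}

if __name__ == "__main__":
    print("size-delta hits:", triage(SAMPLE_INVENTORY, SAMPLE_BASELINE))
    print("dropped files:", dropped_artifacts(SAMPLE_INVENTORY))
```

A size delta alone is only a triage signal; confirm flagged files with the vendor's signature or by comparing hashes against the golden image.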

Affected

  • Windows.

Response

Visit the Symantec Security Response Website for removal instructions
