
System Infected: W32.Looked Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts by W32.Looked to connect to malicious websites which could result in remote code execution.

Additional Information

When a file infected with W32.Looked is executed, it performs the following actions:

1. Terminates the Zone Alarm firewall and the following processes:
* Ravmon.exe
* EGHOST.EXE
* MAILMON.EXE
* KAVPFW.EXE
* IPARMOR.EXE

2. Drops a file named virDll.dll to the current folder.

3. Injects the dropped DLL into Internet Explorer and downloads a password stealer named 1.exe from www.lookde5.com.

4. Searches for .exe files to infect in all the drives on the computer, from the C drive onward.

5. Will not infect .exe files in folders with the following substrings in their name:

* system
* windows
* Documents and Settings
* System Volume Information
* Recycled
* winnt
* \Program FilesWindows NT
* WindowsUpdate
* Windows Media Player
* Outlook Express
* Internet Explorer
* ComPlus Applications
* NetMeeting
* Common Files
* Messenger
* Microsoft Office
* InstallShield Installation Information
* MSN
* Microsoft Frontpage
* Movie Maker
* MSN Gaming Zone

6. May attempt to prepend itself to any .exe files that it finds on the computer, except those named "IEXPLORE.EXE" or "EXPLORER.EXE". The size of the infected files is increased by 62,976 bytes. Infected files have an icon that is similar to the one used for zip files.

7. Creates a copy of itself as %Windir%\Logo1_.exe.

Note: %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

8. Attempts to copy itself to IPC$ and ADMIN$ network shares, where the administrator or guest passwords are blank.

9. May send ICMP traffic containing the string "Hello,World" to 192.168.0.30 and 192.168.8.1.
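The infection behaviour in steps 5 to 7 can be turned into a triage check for a file inventory: flag .exe files that grew by exactly the prepend size (and note whether the path is one the worm would actually target) and flag the dropped file names. This is an added example, not Symantec's code; it assumes the worm's folder-substring match is case-insensitive, and the inventory data is constructed.

```python
from typing import Dict

PREPEND_SIZE = 62_976  # bytes added to each infected .exe, per the description
# Folder-name substrings the worm skips (copied from the description; the
# "\Program FilesWindows NT" entry is already matched by "windows")
SKIPPED_SUBSTRINGS = [
    "system", "windows", "Documents and Settings", "System Volume Information",
    "Recycled", "winnt", "WindowsUpdate", "Windows Media Player", "Outlook Express",
    "Internet Explorer", "ComPlus Applications", "NetMeeting", "Common Files",
    "Messenger", "Microsoft Office", "InstallShield Installation Information", "MSN",
    "Microsoft Frontpage", "Movie Maker", "MSN Gaming Zone",
]
SKIPPED_NAMES = {"IEXPLORE.EXE", "EXPLORER.EXE"}  # never prepended (step 6)
DROPPED_NAMES = {"logo1_.exe", "virdll.dll"}      # files the worm creates (steps 2, 7)

def in_worm_scope(path: str) -> bool:
    """True if W32.Looked would consider this .exe for infection.
    Assumption: the substring match on the folder name is case-insensitive."""
    folder, _, name = path.replace("/", "\\").rpartition("\\")
    if not name.upper().endswith(".EXE") or name.upper() in SKIPPED_NAMES:
        return False
    folder_lc = folder.lower()
    return not any(s.lower() in folder_lc for s in SKIPPED_SUBSTRINGS)

def triage(baseline: Dict[str, int], current: Dict[str, int]) -> Dict[str, str]:
    """Label suspicious paths; both dicts map path -> file size in bytes."""
    findings: Dict[str, str] = {}
    for path, size in current.items():
        name = path.replace("/", "\\").rpartition("\\")[2]
        if name.lower() in DROPPED_NAMES:
            findings[path] = "dropped-artifact"
            continue
        base = baseline.get(path)
        if base is not None and size - base == PREPEND_SIZE:
            # A file in a skipped folder still deserves a look; the worm is just
            # a less likely cause of the size change there.
            findings[path] = ("prepend-size-delta" if in_worm_scope(path)
                              else "prepend-size-delta-out-of-scope")
    return findings

# Constructed sample inventory (not real data): path -> size before and after
BASELINE = {"C:\\Tools\\putty.exe": 1_000_000, "C:\\Windows\\notepad.exe": 200_000,
            "C:\\Games\\game.exe": 5_000_000, "C:\\Tools\\EXPLORER.EXE": 300_000}
CURRENT = {"C:\\Tools\\putty.exe": 1_062_976, "C:\\Windows\\notepad.exe": 262_976,
           "C:\\Games\\game.exe": 5_000_000, "C:\\Tools\\EXPLORER.EXE": 362_976,
           "C:\\Windows\\Logo1_.exe": 62_976}

if __name__ == "__main__":
    for path, label in sorted(triage(BASELINE, CURRENT).items()):
        print(f"{label:34} {path}")
```

A size delta alone is not proof of infection; it is a prioritisation hint for which files to submit to a scanner first.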

Affected

  • Windows