Conspiratorial video worm surfaces


Johannesburg, 09 Jul 2002

The latest mass-mailing worm doing the rounds is W32.Liac.A@mm, which masquerades as an e-mail with a video clip attached. In the body of the mail, the worm promises to let the recipient in on government secrets.

The existence of the worm was announced early this morning, and most of the anti-virus vendors have a version of the worm listed on their virus watch lists. Security vendor Symantec classifies the worm as a category three threat, with moderate infection rates, although its distribution is high.

Written in Visual Basic, the worm attempts to mail copies of itself to all of the addresses in the Windows address book when activated by the user. At the same time, it also modifies the registry to ensure it is re-run during the Windows startup sequence. When executed, the worm also displays the message "Error54: Media Player not installed correctly".

According to Symantec's Security Response site, when the worm is received its subject line reads: "FW:FW: LILAC project video attach", and the attachment is "LILAC_WHAT_A_WONDERFULNAME.avi.exe" with an icon identical to that of an AVI sound file. The body of the message reads: "Things that the govt. dont want you to to know".
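The ".avi.exe" attachment name described above is something a mail gateway can check for. The following is an added example, not code from this article or from Symantec: it parses a message and flags attachments whose name ends in a media or document extension followed by an executable one. The extension lists, function names and sample message are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed lists: extensions Windows runs directly, and harmless-looking
# extensions commonly placed in front of them as a decoy (".avi.exe").
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
DECOY_EXTS = {"avi", "mpg", "mp3", "wav", "jpg", "gif", "txt", "doc", "pdf"}


def double_extension(filename):
    """Return (decoy, real) if the name ends in <decoy>.<executable>, else None."""
    # Ignore case, trailing dots/spaces, and space padding before the last dot.
    parts = filename.strip().rstrip(". ").lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS:
        decoy = parts[-2].strip()
        if decoy in DECOY_EXTS:
            return decoy, parts[-1]
    return None


def flag_attachments(raw_bytes):
    """Parse a raw message and list attachments that use a decoy extension."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hit = double_extension(name)
        if hit:
            findings.append({"subject": str(msg["Subject"]), "filename": name,
                             "shown_as": hit[0], "runs_as": hit[1]})
    return findings


def build_sample(filename):
    """Constructed sample message; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["Subject"] = "FW:FW: LILAC project video attach"
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m.set_content("constructed sample body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for f in flag_attachments(build_sample("LILAC_WHAT_A_WONDERFULNAME.avi.exe")):
        print(f)
```
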

Other anti-virus vendors also reported the worm this morning. Sophos Anti-Virus identifies the worm as W32/Calil-A, while TrendMicro refers to the same code as Worm_Liac.A and lists the worm in its top viruses list.

Symantec says the worm has been packed using a known executable file packer and the size of the worm is about 12KB packed and 40KB unpacked.