Virus

W32/Lolol.E

Analysis

  • Virus is 32bit, with a UPX compressed size of 17,440 bytes
  • Virus may attempt to copy itself to the local system if specific folders for file sharing application Kazaa exists – the virus uses the following folders and copies the files mentioned below into them
    C:\My Downloads\
    c:\program files\kazaa lite\my shared folder\
    c:\program files\kazaa\my shared folder\
    how to use a shell.pif
    Virtua Girl (Full).exe
    worldbook.exe
    HotGirls.exe
    Virtua Sex.exe
    fuck.exe
    GTA 3 Serial.exe
    GTA 3 Crack.exe
    gta3.exe
    driver.exe
    virtua girl - completely nude.pif
    virtua girl - bailey short skirt.pif
    virtua girl - adriana.pif
    virtua girl - ALL.pif
    virtua girl - bunny.pif
    virtua girl - Rebecca.pif
    virtua girl - jenn.pif
    virtua girl - courtney.pif
    virtua girl - mandy.pif
    virtua girl - hells angels.pif
    virtua girl - business woman.pif
    virtua girl - judith.pif
    virtua girl - wet and wild.pif
    virtua girl - vera.pif
    virtua girl - tennis girl.pif
    virtua girl - victoria.pif
    virtua girl - nikki.pif
    virtua girl - chole.pif
    virtua girl - melina black pepper.pif
    virtua girl - jammie williams.pif
    virtua girl - nikki taylor.pif
    virtual girl - completely nude.pif
    virtual girl - bailey short skirt.pif
    virtual girl - adriana.pif
    virtual girl - ALL.pif
    virtual girl - bunny.pif
    virtual girl - Rebecca.pif
    virtual girl - jenn.pif
    virtual girl - courtney.pif
    virtual girl - mandy.pif
    virtual girl - hells angels.pif
    virtual girl - business woman.pif
    virtual girl - judith.pif
    virtual girl - wet and wild.pif
    virtual girl - vera.pif
    virtual girl - tennis girl.pif
    virtual girl - victoria.pif
    virtual girl - nikki.pif
    virtual girl - chole.pif
    virtual girl - melina black pepper.pif
    virtual girl - jammie williams.pif
    virtual girl - nikki taylor.pif
    winxp.iso.pif
    super mario brothers.exe
    super mario bros.exe
    ut 2k3.pif
    ut 2k3.exe
    anarchist cookbook.pif
    NBA 2003 serials.epif <= typo by virus author
    NBA 2003 Crack.exe
    NBA 2003.exe
    play station emulator crack.exe
    play station emulator.exe
    warcraft 3 serials.pif
    warcraft 3 crack.exe
    100 free essays school.pif
    aol password cracker.exe
    aim password cracker. <= typo by virus author
    aol cracker.exe
    aim cracker.exe
    steal usernames.exe
    how to hack.exe
    divx pro.exe
    fireworks.exe
    fireworks serial.pif
    fireworks crack.exe
    porn screen saver.scr
    supra screen saver.scr
    hondra screen saver.scr
    pamela anderson screen saver.scr
    age of empires 2 cheats.exe
    age of empires 2.exe
    age of empires 2 help.exe
    age of empires 2 serial.pif
    age of empires 2 serials.pif
    age of empires 2 keygen.exe
    age of empires 2 crack.exe
    hotmail hack.exe
  • Using system DLL files, the virus may check to see if the computer is connected to the Internet by identifying the connected state and then send a broadcast message across the Internet that the system is vulnerable
  • Virus may copy itself into the Windows\System folder and then modify the system registry in order to load at Windows startup –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\
    Configuration Loader = winsys.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\
    Configuration Loader = winsys.exe

  • Virus may attempt to bind a TCP port and act as a remote access Trojan