Win32/Looked.BX
Date Published:
28 Nov 2006
Last Updated:
28 Nov 2006
Characteristics
Type: Worm
Category: Win32
Also known as: W32/Downloader.APEX (F-Secure), W32/HLLP.Philis.bs (McAfee), Win32.Looked.BX, Win32/Looked.CE!Dropped!Worm, W32.Looked.P (Symantec), W32/Looked-AV (Sophos), Worm.Win32.Viking.by (Kaspersky)
Immediate Protection Info
Signature | Product | Removal Instructions
---|---|---
30.3.3217 | CA Antivirus 2007 |
30.3.3217 | eTrust Antivirus v7/8* |
23.73.68 | eTrust Antivirus v7/8* (InoculateIT Engine) |
6.x/10081 | eTrust EZ Antivirus 6.x |
7.x/3217 | eTrust EZ Antivirus 7.x |
30.3.3217 | Vet 7 |
10.6x/10081 | Vet Anti-Virus 10.6x |
Description
Win32/Looked.BX is a file-infecting worm that also spreads via network shares. It has been distributed as a 90,112-byte Win32 executable, and it drops a 24,064-byte DLL that is used to download and execute further executables.
Method of Infection
When executed, Win32/Looked.BX copies itself to the following file locations:
%Windows%\uninstall\rundl132.exe
%Windows%\Logo1_.exe
The worm then makes the following registry modification so that the file "rundl132.exe" is executed at each Windows start:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\load = "%Windows%\uninstall\rundl132.exe"
Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default Windows directory is C:\Winnt on Windows 2000 and NT, and C:\Windows on Windows 95, 98, ME and XP.
Looked.BX also drops the file "Dll.dll" into the %Windows% directory and injects code into the "explorer.exe" and "IExplorer.exe" processes that loads this DLL. The DLL is used to download and execute arbitrary files.
Method of Distribution
Via File Infection
Looked.BX recursively traverses the directories of fixed drives from C:\ to Z:\. Starting from the root of each drive, it infects files with an .exe extension; the following executables are named specifically in its code:
ACDSee4.exe
ACDSee5.exe
ACDSee6.exe
AgzNew.exe
Archlord.exe
AutoUpdate.exe
autoupdate.exe
BNUpdate.exe
Datang.exe
editplus.exe
EXCEL.EXE
flashget.exe
foxmail.exe
FSOnline.exe
GameClient.exe
install.exe
jxonline_t.exe
launcher.exe
lineage.exe
LineageII.exe
MHAutoPatch.exe
Mir.exe
msnmsgr.exe
Mu.exe
my.exe
NATEON.exe
NSStarter.exe
Patcher.exe
patchupdate.exe
QQ.exe
Ragnarok.exe
realplay.exe
run.exe
setup.exe
Silkroad.exe
Thunder.exe
ThunderShell.exe
TTPlayer.exe
Uedit32.exe
Winrar.exe
WINWORD.EXE
woool.exe
zfs.exe
The worm prepends itself to each targeted file, so an infected file grows by 90,112 bytes and the original host image follows the worm body. The worm does not infect files larger than 16,777,216 bytes (16 MB), or files located in folders with the following names:
system
system32
windows
Documents and Settings
System Volume Information
Recycled
winnt
\Program Files\Windows NT
\Program Files\WindowsUpdate
\Program Files\Windows Media Player
\Program Files\Outlook Express
\Program Files\Internet Explorer
\Program Files\ComPlus Applications
\Program Files\NetMeeting
\Program Files\Common Files
\Program Files\Messenger
\Program Files\Install Shield Installation Information
\Program Files\MSN
\Program Files\Microsoft Frontpage
\Program Files\Movie Maker
\Program Files\MSN Gaming Zone
The worm also creates a file called "_desktop.ini" in each directory it traverses. This file is a harmless text file containing the system date.
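The prepender layout and the skip rules above can be checked mechanically. The following is an added example, not code from this advisory or from the worm: it recognises a file that carries a second PE image exactly 90,112 bytes in, recovers the host by dropping the worm body, and mirrors the advisory's size and folder exclusions. The function names, the `fake_pe` builder and the sample images are this example's own constructed test data, not real malware.

```python
# Added example (not code from the CA advisory or the worm itself): a check for
# the prepender infection described above, and the cleanup it implies. The worm
# writes its own 90,112-byte image in front of the host, so an infected file is
# two back-to-back PE images: the worm's at offset 0, the host's at offset
# 90,112. The skip rules mirror the advisory's list; the sample images below are
# constructed stand-ins, not real malware.

WORM_SIZE = 90_112
MAX_HOST_SIZE = 16_777_216          # larger files are left alone by the worm
MZ = b"MZ"

# Folder names the worm skips anywhere in the path, and the Program Files
# subfolders it skips (both compared case-insensitively).
SKIPPED_FOLDERS = {"system", "system32", "windows", "documents and settings",
                   "system volume information", "recycled", "winnt"}
SKIPPED_PROGRAM_FILES = {
    "windows nt", "windowsupdate", "windows media player", "outlook express",
    "internet explorer", "complus applications", "netmeeting", "common files",
    "messenger", "install shield installation information", "msn",
    "microsoft frontpage", "movie maker", "msn gaming zone",
}


def worm_would_skip(path: str, size: int) -> bool:
    """True if the worm's own rules would leave this (path, size) alone."""
    if size > MAX_HOST_SIZE or not path.lower().endswith(".exe"):
        return True
    parts = [p.lower() for p in path.replace("/", "\\").split("\\") if p]
    if any(p in SKIPPED_FOLDERS for p in parts):
        return True
    return any(p == "program files" and parts[i + 1] in SKIPPED_PROGRAM_FILES
               for i, p in enumerate(parts[:-1]))


def is_pe(image: bytes) -> bool:
    """Minimal PE sanity check: MZ at 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C)."""
    if len(image) < 0x40 or image[:2] != MZ:
        return False
    e_lfanew = int.from_bytes(image[0x3C:0x40], "little")
    return image[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def looks_prepended(data: bytes) -> bool:
    """Infected layout: a PE image followed by a second PE image at WORM_SIZE."""
    return is_pe(data) and len(data) > WORM_SIZE and is_pe(data[WORM_SIZE:])


def disinfect(data: bytes) -> bytes:
    """Recover the host by dropping the first WORM_SIZE bytes."""
    if not looks_prepended(data):
        raise ValueError("not a prepender-infected image")
    return data[WORM_SIZE:]


def fake_pe(size: int, filler: bytes) -> bytes:
    """Constructed stand-in for a PE image of exactly `size` bytes (test data only)."""
    header = MZ + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"
    body = (filler * (size // len(filler) + 1))[: size - len(header)]
    return header + body


# Constructed sample: a 'worm' image glued in front of a 4 KiB 'host'.
WORM_IMAGE = fake_pe(WORM_SIZE, b"WORM")
HOST_IMAGE = fake_pe(4096, b"HOST")
INFECTED_IMAGE = WORM_IMAGE + HOST_IMAGE

if __name__ == "__main__":
    print("infected:", looks_prepended(INFECTED_IMAGE))                        # True
    print("recovered host intact:", disinfect(INFECTED_IMAGE) == HOST_IMAGE)   # True
    print("skips system32:", worm_would_skip(r"C:\Windows\system32\calc.exe", 65536))  # True
```

The second-image test is deliberately strict (a real PE header, not just "MZ", at offset 90,112) so that a host which merely happens to contain the byte pair MZ is not mangled; a production cleaner would additionally match the first 90,112 bytes against the worm's signature before trusting the cut.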
Via Network Shares
The worm tries to spread through the network shares IPC$ and admin$ using the username 'administrator' and an empty password. It also tries a number of common username and password combinations carried in its code, including an empty username with an empty password.
The worm probes for potential targets by sending ICMP packets containing the data "Hello,World" to local IP addresses in the class C network range.
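The probe traffic above is easy to pick out of a capture. The following is an added example, not code from the advisory: it flags echo requests carrying the marker payload, groups them by source and /24 to expose the sweep, and separately lists the hosts that answered, since a reply echoes the same payload back and marks the hosts the worm will attempt next over IPC$ and admin$. The packet records and their field names (src, dst, icmp_type, payload) are this example's own constructed format, not a real capture.

```python
# Added example (not code from the CA advisory): picking the worm's host
# discovery out of ICMP traffic. The advisory says the worm sends ICMP packets
# carrying the data "Hello,World" to local addresses in the class C (/24)
# range; a target that answers echoes the same payload back, which also tells
# the defender which hosts the worm will try next over IPC$ and admin$. The
# packet records and their field names are this example's own constructed
# format, not a real capture.
from collections import defaultdict
import ipaddress

PROBE_PAYLOAD = b"Hello,World"
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def is_probe(pkt: dict) -> bool:
    """An echo request carrying exactly the worm's marker payload."""
    return pkt["icmp_type"] == ICMP_ECHO_REQUEST and pkt["payload"] == PROBE_PAYLOAD


def find_sweeps(packets, min_targets: int = 3) -> dict:
    """Map (source, /24) pairs where the source probed at least min_targets
    distinct hosts in that /24 to the sorted list of hosts it probed."""
    seen = defaultdict(set)
    for pkt in packets:
        if is_probe(pkt):
            net = ipaddress.ip_network(f"{pkt['dst']}/24", strict=False)
            seen[(pkt["src"], str(net))].add(pkt["dst"])
    return {key: sorted(hosts, key=ipaddress.ip_address)
            for key, hosts in seen.items() if len(hosts) >= min_targets}


def responders(packets) -> list:
    """Hosts that answered a probe: echo replies that carry the marker back.
    Filtering on type 0 here (and type 8 in is_probe) keeps victims from being
    mistaken for the scanner, since both directions carry the same payload."""
    hosts = {pkt["src"] for pkt in packets
             if pkt["icmp_type"] == ICMP_ECHO_REPLY and pkt["payload"] == PROBE_PAYLOAD}
    return sorted(hosts, key=ipaddress.ip_address)


# Constructed sample traffic.
SAMPLE_PACKETS = (
    # sweep from .20: four echo requests with the marker across 192.168.1.0/24
    [{"src": "192.168.1.20", "dst": f"192.168.1.{i}", "icmp_type": 8, "payload": PROBE_PAYLOAD}
     for i in (1, 2, 3, 4)]
    # two targets answered, echoing the payload back
    + [{"src": "192.168.1.2", "dst": "192.168.1.20", "icmp_type": 0, "payload": PROBE_PAYLOAD},
       {"src": "192.168.1.4", "dst": "192.168.1.20", "icmp_type": 0, "payload": PROBE_PAYLOAD},
       # an ordinary Windows ping (default 32-byte alphabet payload)
       {"src": "192.168.1.50", "dst": "192.168.1.1", "icmp_type": 8,
        "payload": b"abcdefghijklmnopqrstuvwabcdefghi"},
       # a single marker hit from .50, below the sweep threshold
       {"src": "192.168.1.50", "dst": "192.168.1.2", "icmp_type": 8, "payload": PROBE_PAYLOAD}]
)

if __name__ == "__main__":
    for (src, net), hosts in find_sweeps(SAMPLE_PACKETS).items():
        print(f"sweep from {src} in {net}: {', '.join(hosts)}")
    print("responders:", responders(SAMPLE_PACKETS))
```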
Payload
Downloads and Executes Arbitrary Files
The worm downloads a number of files from the domain "zt01.com", both text files and executables. The executables are saved in the %Windows% directory under one of the following names, which are the names of standard Windows system processes:
SERVICES.EXE
SMSS.EXE
SVCHOST.EXE
WINLOGON.EXE
RUNDLL32.exe
EXPLORER.EXE
CSRSS.exe
LSASS.EXE
At the time of publishing, Looked.BX downloads two files which are detected by CA Antivirus solutions as Win32/Lineage and Win32/Niblenyo trojan variants.
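The host artifacts in this advisory (the "load" Run value and dropped files from the Method of Infection section, the "_desktop.ini" traversal marker, and the payload names just listed) can be triaged together from exported data. The following is an added example, not code from the advisory: it parses `reg query` output for the Run key, flags any value pointing at the look-alike name "rundl132.exe", and walks a directory listing for the dropped files, the marker and system-process names sitting directly in %Windows% rather than %Windows%\System32. The `reg query` text, the file list and the function names are this example's own constructed samples.

```python
# Added example (not code from the CA advisory): offline triage of the host
# artifacts this advisory describes, in one pass over exported data. It checks
# the persistence value (Run\load pointing at rundl132.exe), the dropped files
# under %Windows%, the _desktop.ini traversal marker, and the payload names
# above, which are standard Windows process names saved in %Windows% instead
# of %Windows%\System32. The `reg query` text and file list below are
# constructed samples; the function names are this example's own.
import ntpath
import re

DROPPED_FILES = ("uninstall\\rundl132.exe", "Logo1_.exe", "Dll.dll")
# Payload names from the advisory. On NT-family Windows a genuine copy of each
# lives in System32, so one sitting directly in %Windows% is suspect (on 9x/ME
# rundll32.exe legitimately lives in %Windows%, so treat that hit as a lead).
# explorer.exe legitimately lives in %Windows% and is left out of this
# path-only test; it has to be checked by hash or signature instead.
MASQUERADE_NAMES = {"services.exe", "smss.exe", "svchost.exe", "winlogon.exe",
                    "rundll32.exe", "csrss.exe", "lsass.exe"}
TRAVERSAL_MARKER = "_desktop.ini"

# One value line of `reg query <key>` output: "    name    REG_TYPE    data".
REG_VALUE_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*?)\s*$")


def parse_reg_query(text: str) -> dict:
    """Collect {value name: data} from `reg query` output for one key."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data")
    return values


def check_run_key(values: dict) -> list:
    """Flag any Run value whose target is the worm's look-alike 'rundl132.exe'.
    The advisory's value name is 'load'; matching on the file name instead
    also catches a copy that was registered under another value name."""
    return [f"Run\\{name} = {data}" for name, data in values.items()
            if ntpath.basename(data.strip('"')).lower() == "rundl132.exe"]


def check_files(paths, windir: str) -> list:
    """Flag dropped files, traversal markers and masquerading payload names."""
    wd = windir.lower().rstrip("\\")
    dropped = {ntpath.join(wd, d.lower()) for d in DROPPED_FILES}
    findings = []
    for p in paths:
        low = p.lower()
        head, tail = ntpath.split(low)
        if low in dropped:
            findings.append(f"dropped file: {p}")
        elif tail == TRAVERSAL_MARKER:
            findings.append(f"traversal marker: {p}")
        elif head == wd and tail in MASQUERADE_NAMES:
            findings.append(f"system-process name outside System32: {p}")
    return findings


def triage(reg_text: str, paths, windir: str) -> list:
    """Registry findings first, then file findings, in listing order."""
    return check_run_key(parse_reg_query(reg_text)) + check_files(paths, windir)


# Constructed `reg query HKLM\...\Run` output and directory listing.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    load    REG_SZ    C:\WINDOWS\uninstall\rundl132.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_FILES = [
    r"C:\WINDOWS\uninstall\rundl132.exe",
    r"C:\WINDOWS\Logo1_.exe",
    r"C:\WINDOWS\Dll.dll",
    r"C:\WINDOWS\SVCHOST.EXE",            # payload saved under a system name
    r"C:\WINDOWS\system32\svchost.exe",   # the real one, not flagged
    r"C:\WINDOWS\explorer.exe",           # legitimate location, not flagged
    r"D:\games\Mir.exe",
    r"D:\games\_desktop.ini",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG_QUERY, SAMPLE_FILES, r"C:\WINDOWS"):
        print(finding)
```

The path-only masquerade test is a lead, not proof: confirm a hit by hashing the file or checking its Authenticode signature, and remember that the worm's own persistence copy is the "rundl132.exe" spelling (digit one, not a second "l"), which is why that name is matched literally.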
Terminates Processes
Looked.BX terminates the following running processes:
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
IPARMOR.EXE
Ravmond.EXE
Ravmon.exe
regsvc.exe
mcshield.exe
Stops Service
The worm stops the following service if it is running on the system:
Kingsoft AntiVirus Service
Closes Window
Looked.BX searches for a window with the title "Ravmon.exe" and the class name "RavMonClass". If found, it closes this window.
