Worm.SymbOS.Lasco.a (Kaspersky Lab)
is also known as:
SymbOS.Lasco.A (Symantec), SYMBOS_VLASCO.A (Trend Micro), Worm/SymbOS.Cabir.f (H+BEDV), SymbOS/Cabir.H (Grisoft), SymbOS/Lasco.A.worm (Panda)
| Detection added | Jan 11 2005 |
| Description added | Jan 11 2005 |
| Behavior | Internet Worm |
Worm.SymbOS.Lasco.a is a worm capable of infecting PDAs and mobile phones
running under Symbian OS. Lasco spreads to executable files [SIS archives] on
the infected device, making it the first virus for this platform.
Lasco.a was written by the author of the most recent versions of Worm.SymbOS.Cabir
and is based on Cabir's source code. Lasco.a replicates via Bluetooth in the same
way as Cabir does.
In addition to replicating via Bluetooth, Lasco.a also infects files. When
executed, it scans the disk for SIS archives and attempts to infect the
files it finds by inserting its code into them.
Lasco.a exists in two forms: one is an application for the Win32
platform, which infects SIS files, and the other is for the Symbian platform.
- velasco.sis is 15750 bytes in size, and contains the code of the virus itself
- sisinfect.exe is 69632 bytes in size, and is an infector developed for Windows.
This file will scan local disks for SIS files and infect them by inserting the
contents of velasco.sis.
- marcos.sis is 1579 bytes in size and contains a module, marco.mdl, which
installs velasco.sis into the Symbian autostart system.
The virus file will be located in the following mobile device directories:
C:\SYSTEM\SYMBIANSECUREDATA\VELASCO\
The autostart file is located in:
C:\SYSTEM\RECOGS\MARCOS.MDL
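
The file names, sizes and locations above can be checked against a file listing exported from a device or a Windows disk. The following is an added example, not part of the original description or any vendor tool; the function names and the (path, size) listing format are assumptions, and the sample listing is constructed.

```python
import ntpath

# Indicators taken from the description above; Symbian paths are case-insensitive.
VIRUS_DIR = r"c:\system\symbiansecuredata\velasco"
AUTOSTART_DIR = r"c:\system\recogs"
AUTOSTART_NAMES = {"marcos.mdl", "marco.mdl"}  # the description uses both spellings
KNOWN_SIZES = {"velasco.sis": 15750, "sisinfect.exe": 69632, "marcos.sis": 1579}


def normalize(path):
    """Lower-case, use backslashes and collapse doubled separators."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def scan_listing(entries):
    """entries: iterable of (path, size_in_bytes). Returns a list of (path, reason)."""
    findings = []
    for path, size in entries:
        norm = normalize(path)
        folder, name = ntpath.split(norm)
        if folder == VIRUS_DIR or folder.startswith(VIRUS_DIR + "\\"):
            findings.append((norm, "file inside the Lasco.a install directory"))
        elif folder == AUTOSTART_DIR and name in AUTOSTART_NAMES:
            findings.append((norm, "Lasco.a autostart module"))
        elif KNOWN_SIZES.get(name) == size:
            findings.append((norm, "component name and size match"))
        elif name in KNOWN_SIZES:
            # Same name, different size: weaker signal, review manually.
            findings.append((norm, "component name only, size differs"))
    return findings


# Constructed sample listing (not taken from a real device).
SAMPLE = [
    ("C:\\System\\SymbianSecureData\\Velasco\\velasco.sis", 15750),
    ("c:/system/recogs/MARCOS.MDL", 1024),
    ("E:\\Downloads\\sisinfect.exe", 69632),
    ("C:\\System\\Apps\\Game\\game.sis", 15750),
    ("E:\\Backup\\velasco.sis", 20000),
]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE):
        print(f"{path}: {reason}")
```

SIS archives that Lasco.a has already infected keep their own names and change size, so this check does not find them; it only locates the worm's own components.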