
Worm.Win32.Ladex.a

Aliases
Worm.Win32.Ladex.a (Kaspersky Lab) is also known as: W32/Ladex.worm (McAfee), W32.Dalbug.Worm (Symantec), Win32.HLLW.Ladex (Doctor Web), W32/Ladex-A (Sophos), Win32/Ladex.worm (RAV), WORM_LADEX.A (Trend Micro), Win32:Dalbug (ALWIL), Worm/Ladex (Grisoft), Win32.Ladex.A@mm (SOFTWIN), W32/Ladex.A (Panda), Win32/Ladex.A (Eset)
Description added: Aug 16 2002
Behavior: Internet Worm
Technical details

Ladex is a network worm that spreads over local area networks and works only under Windows NT/2000/XP. It is a Windows (PE EXE) file about 275K in size, written in Microsoft Visual C++.

Installation

Upon being launched, the worm creates three copies of itself in the system directories:

 %SystemRoot%\Help\DOSAPP.HLP
 %SystemRoot%\Inf\CDROM.SYS
 %SystemRoot%\Fonts\DOSOEM.FON

It also creates new hidden files that are components of the worm:

 %SystemRoot%\SMSS.EXE
 %SystemRoot%\CSRSS.EXE
 %SystemRoot%\System32\LADY.EXE

Then it registers the files SMSS.EXE and CSRSS.EXE in the system registry so that they execute upon system reboot:

 [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
  @="smss.exe"
  @="csrss.exe"

Next the worm registers itself as a system service with the name "TCP/IP NetBIOS Provider".

After the first reboot or restart of the service "TCP/IP NetBIOS Provider", the worm also copies itself into the file:

 %SystemRoot%\System32\LMHSVC.EXE

Spreading

The worm "touches" IP addresses on the local network and tries to connect to the network resources named IPC$ and Admin$ while logged in as "Administrator". If possible, the worm copies itself onto the remote computer in the system directory:

 "\\XXX.XXX.XXX.XXX\Admin$\System32\lmhsvc.exe"

Once this is done, it registers itself on the remote computer, then creates and starts the service "TCP/IP NetBIOS Provider".

Invisibility

Using the additional components SMSS.EXE and CSRSS.EXE, the worm tries to mask (hide) itself in the system. Both files ensure that the main module LMHSVC.EXE keeps functioning if for any reason it is unloaded from memory. In addition, the worm looks for REGEDIT: if REGEDIT is open, it temporarily removes the keys in the system registry and restores them when the REGEDIT application is closed. Thus the worm achieves invisibility in the system registry.

Payload

The worm starts the joke program LADY.EXE which displays a set of creeping flies which can be "killed" with the mouse cursor.
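
A defender-side check for the artifacts listed in this description, as an added example that is not part of the original entry: it matches a host's file, service and Run-key inventory against the file paths, service name and autorun values given above. The inventory, the C:\WINNT root and all function names are constructed for illustration, and the inventory is assumed to be collected without REGEDIT open, since the worm removes its registry keys while REGEDIT is running.

```python
import ntpath

# Files named in this description, relative to %SystemRoot%, lower-cased.
LADEX_FILES = {
    r"help\dosapp.hlp", r"inf\cdrom.sys", r"fonts\dosoem.fon",
    r"smss.exe", r"csrss.exe",            # genuine copies live in System32
    r"system32\lady.exe", r"system32\lmhsvc.exe",
}
LADEX_SERVICE = "tcp/ip netbios provider"
LADEX_RUN_EXES = {"smss.exe", "csrss.exe"}

def rel_to_root(path, system_root):
    """Path relative to system_root, lower-cased; None if outside it."""
    p = ntpath.normpath(path).lower()
    root = ntpath.normpath(system_root).lower()
    return p[len(root) + 1:] if p.startswith(root + "\\") else None

def run_exe(command):
    """Executable name from a Run value's command line (quoted or bare)."""
    command = command.strip()
    exe = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()

def scan(files, services, run_values, system_root):
    """Return sorted (kind, item) findings matching the Ladex artifacts."""
    hits = [("file", f) for f in files
            if rel_to_root(f, system_root) in LADEX_FILES]
    hits += [("service", s) for s in services
             if s.strip().lower() == LADEX_SERVICE]
    hits += [("run", v) for v in run_values if run_exe(v) in LADEX_RUN_EXES]
    return sorted(hits)

# Constructed inventory of one host (not real data); the root is an assumption.
SAMPLE_ROOT = r"C:\WINNT"
SAMPLE_FILES = [
    r"C:\WINNT\System32\smss.exe",      # genuine location, not flagged
    r"C:\WINNT\smss.exe",
    r"c:\winnt\FONTS\DOSOEM.FON",
    r"C:\WINNT\System32\..\csrss.exe",  # normalises to %SystemRoot%\csrss.exe
    r"C:\WINNT\System32\lmhsvc.dll",    # different extension, not flagged
]
SAMPLE_SERVICES = ["TCP/IP NetBIOS Helper", "TCP/IP NetBIOS Provider "]
SAMPLE_RUN = ["smss.exe", r'"C:\Program Files\App\app.exe" /tray']

if __name__ == "__main__":
    for kind, item in scan(SAMPLE_FILES, SAMPLE_SERVICES, SAMPLE_RUN, SAMPLE_ROOT):
        print(f"{kind:8} {item}")
```

Path matching is case-insensitive and normalised first, so a copy of SMSS.EXE or CSRSS.EXE directly under %SystemRoot% is flagged while the genuine System32 copies are not.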

 
