Arrival and Installation
This worm arrives on a system as an attachment to an email message or may be dropped into the root folder of a drive.
Upon execution, it drops a copy of itself on an affected system, as follows:
(Note: %System% is the Windows system directory which is usually C:\Windows\system in Windows 95, 98 and ME, C:\Windows\system32 in Windows XP and C:\WINNT\system32 in Windows NT and 2000. %Windows% is the Windows directory which is usually C:\Windows in Windows 95, 98, ME and XP and C:\WINNT in Windows NT and 2000.)
It also drops its payload component in the Windows system folder as the file REG_32.VBS. This dropped file is detected by Trend Micro as VBS_ASSIRAL.A.
It also drops the text file, C:\(-L4r1$$4-)(-W4z-)(-H3r3-).txt, which contains the following strings:
1f u h4v r3z34v3d d1z m3zz4g3 d3n ur c0mput3r h4z b33n inf3ct3d
by d4 L4r1$$4 v1ruz! D1z 1z d4 s3c0nd v3rz10n 0f w0rm :-) !!!!
Gr33tz by - L4r1$$4 4uth0r -- 2/19/05
It creates the following registry entries to enable its dropped files to run automatically at each Windows startup:
MS LARISSA = "%System%\MS_LARISSA.exe"
-=%20(L4r1$$4)%20=-(4nt1)-=%20(V1ru$)=-%20 = "%Windows%\ISASS.exe"
Windows Boot Log = "%Windows%\WinBoot.exe"
Windows Proxy Server = "%System%\WinProx32.exe"
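The following is an added triage example, not part of the original write-up or any vendor tooling: it matches exported autorun entries against the four values above, expanding %System% and %Windows% to the directories given in the note. The function names and the sample entries are constructed for illustration, and the entries are assumed to come from whatever startup registry export the analyst has, since the page does not name the key.

```python
import ntpath
import re

# Autorun value name -> data, as listed on the page (placeholders kept).
PAGE_AUTORUNS = {
    "MS LARISSA": r"%System%\MS_LARISSA.exe",
    "-=%20(L4r1$$4)%20=-(4nt1)-=%20(V1ru$)=-%20": r"%Windows%\ISASS.exe",
    "Windows Boot Log": r"%Windows%\WinBoot.exe",
    "Windows Proxy Server": r"%System%\WinProx32.exe",
}
# Directories the page's note gives for each placeholder.
PLACEHOLDER_DIRS = {
    "%system%": [r"C:\Windows\system", r"C:\Windows\system32", r"C:\WINNT\system32"],
    "%windows%": [r"C:\Windows", r"C:\WINNT"],
}
# Constructed sample of exported autorun entries (value name, data).
SAMPLE = [
    ("MS LARISSA", r'"C:\WINDOWS\system32\MS_LARISSA.exe"'),
    ("Updater", r"C:\WINNT\ISASS.exe"),
    ("Windows Boot Log", r"C:\Tools\bootlog.exe -q"),
    ("Backup Agent", r"C:\Program Files\Backup\agent.exe"),
]

def expand(template):
    """Every concrete, lower-cased path a placeholder path can stand for."""
    head, _, tail = template.partition("\\")
    return {ntpath.join(d, tail).lower() for d in PLACEHOLDER_DIRS[head.lower()]}

def exe_path(data):
    """Executable path from autorun data: drop quotes and arguments, lower-case."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', data.strip(), re.I)
    path = (m.group(1) or m.group(2)) if m else data.strip()
    return ntpath.normpath(path).lower()

def check_autoruns(entries):
    """Return (value_name, reason) for entries matching the page's indicators."""
    known_paths = set().union(*(expand(t) for t in PAGE_AUTORUNS.values()))
    by_name = {n.lower(): t for n, t in PAGE_AUTORUNS.items()}
    hits = []
    for name, data in entries:
        path, template = exe_path(data), by_name.get(name.strip().lower())
        if template and path in expand(template):
            hits.append((name, "name+path"))   # entry exactly as documented
        elif path in known_paths:
            hits.append((name, "path-only"))   # documented file, different value name
        elif template:
            hits.append((name, "name-only"))   # documented name, different file
    return hits

if __name__ == "__main__":
    print(check_autoruns(SAMPLE))
```

A "name-only" hit is the weakest signal and is reported separately so it can be reviewed rather than treated as confirmation.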
This worm propagates through network shares by dropping a copy of itself in the root directory of all network and fixed drives as the file MS_LARISSA.EXE.
This worm may also propagate via email messages by sending a copy of itself to all email addresses contained in files with extension names that start with HT.
The email that it sends out has the following details:
Subject: (any of the following)
• Check my Pic out....
• IM SEXY!!!
• LOVE YOU!!!!
• Microsoft Update: MS_LARISSA
• My Profile
• MY SEXY PIC!!!
• PLZ READ
• PLZ READ!
• PRIVATE MSG!!
• Re: I LOVE YOU
• Re: LOV YA!!
• Windows Update: LARISSA
• Windows Update: MSKERNEL32.dll
• Your DOCUMENTS
Message Body: (any of the following)
• Please download the latest Microsoft Update: MS_LARISSA.
• The message is in the attachments.
• CHECK MY PIC OUT
• Check out MY SEXY PIC
• Private message: located in attachments
• XXX FILEZ IN ATTACHMENTS
• Check my profile out
• The DOCUMENTS you requested are in the attachments.
• LMAO CHECK THIS OUT.
• README located in the attachments.
• Plz read the attached msg.
• Free Porn passwords
• The latest update is in the attachments: LARISSA
• IM SO SEXY CHECK MY PIC OUT
• Windows Update: MSKERNEL32.dll is located in the attachments
• PLZ READ
• My letter is in the attachments :-)
• The secret msg is in the attachments
• Please read and reply to my LOVE LETTER in the attachments!
Attachment: (any of the following)
This worm can also terminate the following processes, which are mostly associated with antivirus and security applications:
This worm has a destructive payload of deleting .DLL files from the following folders:
Analysis By: Michael Stephen Tonido