Win32/Looked.S

	Characteristics
	Type: Worm Category: Win32 Also known as PE_LOOKED.AH (Trend), W32.Looked.J (Symantec), Win32.Looked.S, Win32/Looked.S!DLL!Worm, Worm.Win32.Viking.j (Kaspersky)
	Immediate Protection Info
	eTrust Antivirus v7/8* (InoculateIT Engine) 23.72.52 View Removal Instructions eTrust Antivirus v7/8* (Vet Engine) 12.6.2279 View Removal Instructions eTrust EZ Antivirus 6.x 6.x/9851 View Removal Instructions eTrust EZ Antivirus 7.x 7.x/2279 View Removal Instructions Vet 7 12.6.2279 View Removal Instructions Vet Anti-Virus 10.6x 10.6x/9851 View Removal Instructions * Includes updates for InoculateIT and eTrust InoculateIT 6.0. Download Signature Files Scan For Viruses Cleaning Utilities Submit a Virus Sample

Description Method of Infection Method of Distribution Payload

Description

Win32/Looked.S is a file-infecting worm that spreads via network shares. It has been distributed as a 27,075-byte, Upack compressed, Win32 executable. It also drops a 23,040-byte DLL which is used to download and execute binary executables.

Method of Infection When executed, Win32/Looked.S copies itself to the %Windows% directory using the following filenames: rundl132.exe Logo1_.exe Note: '%Windows%' is a variable location. The malware determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows. It then modifies the registry so that the file "rundl123.exe" is executed at each Windows start: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load = "%Windows%\rundl132.exe" The worm then drops the DLL "vDll.dll" in the current directory. This is injected into the Explorer process and is used to download and launch processes inside Explorer's process space. The worm also creates the semaphore "SemaphoreMe" to ensure it runs only one instance of itself.