Selected viruses, spyware, and other threats: sorted alphabetically
Win32/Lastword
Win32/Lastword is a worm written in Visual Basic. It spreads as a file attached to email messages in Microsoft Outlook. When the attached file is run, the worm copies itself into the directory c:\windows\ under one of the following names: Win_Update.exe, Posta_Update.exe, BiHNet.exe, Win32_Update.exe.
The worm then sends copies of itself to every contact address in the Outlook address book. The subject of the message is always Vazna informacija! (Important information), and the body contains one of the following three texts:
Instalirajte ovu datoteku koja ce rijesiti problem TypeLib kod IE_5.0! Unaprijed hvala!
Postovani korisnice! Ovo je novi Update koji ce zastiti Vas kompjuter od internet crva! Da bi instalirali ovaj update molim pokrenite datoteku koja Vam je dosla uz attachment pod imenom
Cijenjeni korisnice! Update koji Vam je dosao kao attachment sluzi kao patch da bi ste se zastitili od mnogobrojnih internet crva i virusa!
After sending out its copies, the worm tries to copy itself into the root directories of all hard disks. It creates the file c:\Windows\opomena.txt on the disk. It ensures that it is activated after a system restart by creating the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Lastword.
After a system restart it displays windows with messages. After the first restart following the infection:

After the second restart:

And after the third restart:

On the first and second restarts it sends an email message with the subject "Raport!" and the body text "...inficirao sam jos jednog GAZDA!" to the address gargamelaf@yahoo.com. On the third restart the message subject is the same, but the body text changes to "...jos jedan kompjuter je podlegao, ali ovaj put to je nesto drugo ;)". On this third restart the worm deletes the system file c:\windows\system.ini.
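The indicators described above can be checked against a host snapshot as follows. This is an added example, not code from Eset; the snapshot format (a file list, the names under the HKCU Run key, and sent-mail subjects) and the function names are assumptions, and Run\Lastword is treated as a value name under the Run key.

```python
import ntpath

# Indicators taken from the description above.
COPY_NAMES = {"win_update.exe", "posta_update.exe", "bihnet.exe", "win32_update.exe"}
WINDIR = "c:\\windows"
MARKER = "c:\\windows\\opomena.txt"
SYSTEM_INI = "c:\\windows\\system.ini"
RUN_VALUE = "lastword"
SUBJECTS = {"vazna informacija!": "spreading mail", "raport!": "report mail"}


def norm(path):
    # Windows paths are case-insensitive: normalise separators, dot segments and case.
    return ntpath.normcase(ntpath.normpath(path))


def triage(files, run_values, sent_subjects):
    """Return sorted finding labels for one host snapshot (hypothetical input format)."""
    present = {norm(p) for p in files}
    findings = set()
    for p in present:
        folder, name = ntpath.split(p)
        if folder == WINDIR and name in COPY_NAMES:
            findings.add("worm copy: " + p)
    if MARKER in present:
        findings.add("marker file: " + MARKER)
    if any(v.strip().lower() == RUN_VALUE for v in run_values):
        findings.add("autostart: Run\\Lastword")
    for s in sent_subjects:
        kind = SUBJECTS.get(s.strip().lower())
        if kind:
            findings.add(kind + ": " + s.strip())
    # system.ini is deleted at the third restart; its absence only means
    # something when another indicator is already present.
    if findings and SYSTEM_INI not in present:
        findings.add("payload ran: system.ini missing")
    return sorted(findings)


# Constructed snapshot for illustration; not taken from a real host.
SAMPLE_FILES = ["C:/WINDOWS/BiHNet.exe", "C:\\Windows\\Opomena.TXT", "C:\\Windows\\notepad.exe"]
SAMPLE_RUN = {"LastWord": "c:\\windows\\BiHNet.exe", "SystemTray": "SysTray.Exe"}
SAMPLE_SUBJECTS = ["Vazna informacija!", "Raport!", "Lunch on Friday"]

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_SUBJECTS):
        print(line)
```

A host with none of the other indicators returns an empty list even when system.ini is absent, so systems that never had that file are not flagged.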
© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.

