Threat Encyclopedia


Win32/Calil.A

Aliases: W32/Liac

Win32/Calil.A is a worm that spreads as an email attachment. It is written in Visual Basic and compressed with the Petite compressor. Its size of 12208 bytes increases to 40960 bytes after unpacking. The email message in which Win32/Calil.A arrives has the subject "FW:FW: LILAC project video attach", and its body contains the text "Things that the govt. dont want you to know". The name of the attached file is always LILAC_WHAT_A_WONDERFULNAME.avi.exe. After the attached file is run, a window with a fake error message appears.


The worm then tries to copy itself into the temporary directory of the Windows operating system. It does not detect the directory; instead it tries the following predefined directories:

c:\windows\temp
c:\win98\temp
c:\win95\temp
c:\winnt\temp
c:\winme\temp
c:\winxp\temp

The worm ensures that it is activated after the operating system restarts by creating the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Lilac. It then uses Microsoft Outlook to send e-mail messages containing a copy of itself to the addresses found in the Windows Address Book. At the end of its activity the worm alters the values of some keys in the system registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner is set to the value xEnOcrAtEs
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WinLogon\LegalNoticeCaption is set to the value Owned by:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WinLogon\LegalNoticeText is set to the value Owned by: xEnOcrAtEs

The text "Your PC is infected with LILAC virus by: xEnOcrAtEs" is visible in the worm body.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this encyclopedia may be reproduced, transmitted or used in any other way in any other form or by any means without prior permission from Eset.