L0L at l0lw0rm

I was looking through a repository of malware source code the other day when I noticed a pretty small rar package, only 11kb in size, and decided to take a closer look. The package was called l0lw0rm.rar.

Some AVs detect the worm as W32/Vora.worm!p2p, but it has a few other infection vectors as well. The author had added this comment to the beginning:

/*
*   l0lw0rm by Ravo_5002
*   spreads through Thumbdrives, CD's, mIRC and Peer 2 Pear clients
*   Code can be used freely, as long as I am credited….
*   21st of June 2007
*/

So, let's take a closer look at what it does. Right at the beginning of the WinMain routine it does the redpill check, created by Joanna Rutkowska, and instead of just cleanly exiting the routine if it detects a Virtual Machine it jumps into a routine called payload():

int payload(void) {
while(1) {
MessageBox(NULL, "YOU ARE iNFECTED BY RAVO_5002", "Doomsday Has Come...", MB_OK);
/* lame i know ;P */
}
return 0;
}

Yes Ravo, lame indeed. He also added a message to AV companies in the body of the worm:

volatile char* LOL = "Hello Antivirus makers. This is VXer Ravo_5002 speaking. Please call this virus W32.l0lw0rm. How the fuck do you make up these names anyways? -Rav";

In case Ravo hasn’t fully understood it yet, VXers don’t get to choose the naming. Be happy that it got tagged as W32/Vora. You could’ve been worse off, trust me.

So, about the infection routines. The fabled “Peer 2 Pear” routine looks up the Kazaa shared folder and drops the malware in it under one of the following names:

  • Windows.Activation.Crack.Final-ETH0.zip
  • Windows.Live.Messenger.Beta.Serial.Generator-PARADOX.zip
  • Virtua.Girl.Serial.Pack.wih.10.Girls-TorrentZ.zip
  • MSN.Hacker.zip
  • Hotmail.Hacker.zip
  • Aim.Hacker.zip
  • Counterstrike.Source.aimbot.zip
  • Xbox.Live.Serial.Generator.zip
  • Saddam.Hanging-NEW-VERSION!.zip
  • XXX.Passes.Juli.2007.zip

The mIRC infection routine parses the installation path of mIRC from the registry and adds a script into script.ini that will try to DCC send the worm to anybody who joins the same channel as the infected host. The zip-package that’s sent is named CHANNEL-RULES.zip and contains the malware named as RULES.TXT______________________________________.exe.

The CD infection routine drops the malware into \Local Settings\Application Data\Microsoft\CD Burning\ and creates an autorun.inf file that will launch the exe if autoplay is enabled. This infection vector will of course only work if the infected host burns CDs with the CD burning software that comes with Windows, so I suspect this isn’t really a very effective way to spread.

Last, the thumbdrive infection routine. The worm scans the available drives every 6 seconds and checks whether the drive is removable. The routine skips A: and B: drives in an attempt to avoid floppy drives.

All the strings in the malware are protected by the highly efficient and fabled rot-13, which clearly shows the author to have high skillz, or whatever.

The worm also checks for the current date:

/* see if doomsday is there… */
char *date = getenv("DATE");
if((date == "10/07/2007") || (date == "07/10/2007") || (date == "7/10/2007")) {
payload();
}

Funnily enough, if the date is _after_ 10th July 2007, the check obviously fails and the worm keeps on spreading forever. If the date is 10th July 2007, the worm will go into a loop forever, displaying a messagebox titled “Doomsday Has Come…” with “YOU ARE iNFECTED BY RAVO_5002” in the body.
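The date check above reproduced as an added example (my own harness, not code from the worm): `worm_check` keeps the worm's comparison exactly as written, and since `==` on two `char *` values compares addresses rather than characters, it is false for anything getenv() can return; `string_check` is the character comparison an analyst uses to confirm what the three literals were meant to match, and `worm_check_on_env_value` stands in for getenv() by handing the check a pointer into a separate buffer. Function names and the sample values are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three literals the worm compares against, exactly as in its source. */
static const char *DOOMSDAY[] = { "10/07/2007", "07/10/2007", "7/10/2007" };

/* Verbatim reproduction of the worm's trigger: pointer equality.
 * Only a pointer to one of the literals themselves can ever satisfy it. */
int worm_check(const char *date) {
    return (date == DOOMSDAY[0]) || (date == DOOMSDAY[1]) || (date == DOOMSDAY[2]);
}

/* Character-by-character comparison, used here only to show what the
 * literals were intended to match. getenv() returns NULL for an unset
 * variable (and cmd.exe's %DATE% is a dynamic pseudo-variable that is not
 * placed in the process environment block), so NULL must be handled. */
int string_check(const char *date) {
    if (date == NULL) return 0;
    for (size_t i = 0; i < sizeof DOOMSDAY / sizeof DOOMSDAY[0]; i++)
        if (strcmp(date, DOOMSDAY[i]) == 0) return 1;
    return 0;
}

/* Stand-in for getenv(): copies the value into a separate buffer, as the
 * environment block is separate memory from the worm's string literals. */
int worm_check_on_env_value(const char *value) {
    static char env_block[64];
    if (value == NULL) return worm_check(NULL);
    strncpy(env_block, value, sizeof env_block - 1);
    env_block[sizeof env_block - 1] = '\0';
    return worm_check(env_block);
}

int main(void) {
    /* Constructed sample values: the three doomsday spellings, a near miss, and unset. */
    const char *samples[] = { "10/07/2007", "07/10/2007", "7/10/2007", "11/07/2007", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        printf("%-12s worm_check=%d  string_check=%d\n", s ? s : "(unset)",
               worm_check_on_env_value(s), string_check(s));
    }
    return 0;
}
```

Every row prints worm_check=0, including the three doomsday dates, so the logic bomb as written is inert no matter what the environment holds.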

The name this worm uses to spread is protector.exe, but when it installs it drops itself into the USERPROFILE directory (normally C:\Documents and Settings\<user>) as svchost.exe and sets the hidden, system and read-only flags in the file attributes.


If you want to comment on this article please send e-mail
to authors(_at_)teamfurry.com or go to the forums.
