Saturday, September 10, 2005

WORM_LEWOR.D

Malware type: Worm
Aliases: No Alias Found
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 95, 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Characteristics: Propagates via instant messengers
Overall risk rating: Low

Reported infections: Low
Damage potential: High
Distribution potential: Medium

Description:

This worm propagates via MSN Instant Messenger. It sends the affected user's available MSN Instant Messenger contacts a message containing a link that points to a copy of itself. The following are some of the URLs from which this worm is downloaded:

  • http://play.joyiex.c{BLOCKED}0.exe
  • http://play.joyiex.c{BLOCKED}ie.exe
  • http://play.joyiex.c{BLOCKED}e.htm

Upon execution, it drops a copy of itself in the Windows folder. It also drops two copies of itself in the Windows system folder.

For its autostart technique, it modifies the registry depending on the platform of an affected system. It also modifies specific registry entries to enable it to start whenever a .TXT file is opened.

It creates a registry entry to disable the affected system's Task Manager. The affected user then has to use a third-party process explorer in order to terminate this worm.

It also creates several registry entries that set the Internet Explorer home page and search page on an affected system to http://www.joyiex.com.

It also creates a registry entry to prevent the affected user from restoring the default home page settings while in Internet Explorer.

This worm creates mutexes to ensure that only one instance of itself is running on a system.
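
The registry changes described above can be checked from saved `reg query` output. The following triage script is an added example, not part of the original write-up or vendor tooling. The write-up does not name the keys, so the paths used are the standard Windows locations for these settings (an assumption), and the sample data, including the file name "dropped.exe", is constructed.

```python
import re

# Standard Windows locations for the settings the write-up describes. The page
# does not name the worm's keys, so treating these as its targets is an assumption.
POLICY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
TXT_OPEN = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IE_LOCK = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
VALUE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Map lower-cased key path -> {lower-cased value name: data}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).lower()] = m.group(3).strip()
    return keys

def triage(text):
    """Return the behaviours from the description that the dump exhibits."""
    keys = parse_reg_query(text)
    get = lambda key, name: keys.get(key.lower(), {}).get(name, "")
    hits = []
    if get(POLICY, "disabletaskmgr") == "0x1":
        hits.append("task_manager_disabled")
    handler = get(TXT_OPEN, "(default)").lower()
    if handler and "notepad.exe" not in handler:  # default .TXT handler is Notepad
        hits.append("txt_open_handler_replaced")
    for name in ("start page", "search page"):
        if "joyiex.com" in get(IE_MAIN, name).lower():
            hits.append("ie_" + name.replace(" ", "_") + "_hijacked")
    if get(IE_LOCK, "homepage") == "0x1":  # blocks changing the home page in IE
        hits.append("ie_home_page_locked")
    return hits

# Constructed sample in `reg query` output form; "dropped.exe" is a placeholder.
INFECTED = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
HKEY_CLASSES_ROOT\txtfile\shell\open\command
    (Default)    REG_SZ    C:\WINDOWS\dropped.exe %1
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Start Page    REG_SZ    http://www.joyiex.com
    Search Page    REG_SZ    http://www.joyiex.com
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
    HomePage    REG_DWORD    0x1
"""
print(triage(INFECTED))
```

A .TXT handler that is set but does not reference Notepad is only a lead: a legitimately installed third-party text editor produces the same hit, so confirm the target file before acting on it.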



source: trendmicro.com
