- 15 April 2006
- 16 April 2006
- Also Known As: WORM_LUPAR.A [Trend], W32.Lupar.A [Symantec], MSIL/Lupar [McAfee]
- Systems Affected:
MSIL.Lupar.A is a worm that opens a back door and spreads via file sharing programs.
This threat has been renamed from W32.Lupar.A to MSIL.Lupar.A.
MSIL.Lupar.A is a worm that opens a back door and spreads through network shares and via file sharing programs.
Once executed, the worm creates the following file in a randomly chosen existing folder:
The worm also creates the following registry subkey where it will store information about the worm:
The worm then creates the following folder:
The worm recursively scans all folders for .JPG files containing the following strings. Any files found are moved to the above-mentioned folder and given an indexed name:
Photo By Carl - Pedo
The worm logs the following information about the compromised computer to the file %System%\[RANDOM FILE NAME].txt:
- Operating system version
- Time the worm was executed
- All the *.JPG files moved
The worm opens a back door by connecting to the following FTP server and uploads the above-mentioned log file:
The worm will add the following registry value if any .JPG files were moved:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\"shutdown" = "cmd.exe /c shutdown -f"
The worm spreads by copying itself to Kazaa, eDonkey and DCPlusPlus file sharing folders with the following names:
Pedo - 2 13yo girl masturbating 14yo boy.jpg.exe
preteen - Emily 7yr pedo fuck.jpg.exe
NEW! 2_Pedo Pedofilia Kids Child Porn 666.jpg.exe
2 9yo girls and 12yo boy.jpg.exe
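
The two indicators described above (the "shutdown" value under the policies\explorer\run key and the .jpg.exe copies in file sharing folders) can be checked with a short script. This is an added example, not part of the original write-up; it generalizes the file check to other image and executable extensions, and the function names, the extension lists, and the use of saved `reg query` output as input are assumptions.

```python
import os
import re
import tempfile

# Registry value the write-up says is added after .JPG files are moved.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run"
RUN_VALUE = "shutdown"
RUN_DATA = "cmd.exe /c shutdown -f"

# Assumed lists: image extension directly followed by an executable one ("x.jpg.exe").
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|bmp)\.(exe|scr|com|pif)$", re.IGNORECASE)


def find_double_extension(root):
    """Return sorted paths under root whose names end in <image ext>.<exe ext>."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        hits += [os.path.join(folder, f) for f in files if DOUBLE_EXT.search(f)]
    return sorted(hits)


def has_shutdown_run_value(reg_query_output):
    """Parse text saved from `reg query <RUN_KEY>` and look for the worm's value."""
    in_key = False
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            in_key = line.strip().lower() == RUN_KEY.lower()
            continue
        parts = re.split(r"\s{2,}|\t", line.strip(), maxsplit=2)
        if in_key and len(parts) == 3:
            name, _type, data = parts
            if name.lower() == RUN_VALUE and data.strip().lower() == RUN_DATA:
                return True
    return False


def demo():
    """Run both checks on constructed sample data; returns (file_hits, reg_hit)."""
    sample_reg = RUN_KEY + "\n    shutdown    REG_SZ    cmd.exe /c shutdown -f\n"
    with tempfile.TemporaryDirectory() as share:
        for name in ("holiday.jpg", "holiday.jpg.exe", "setup.exe", "CAT.JPEG.SCR"):
            open(os.path.join(share, name), "w").close()
        files = [os.path.basename(p) for p in find_double_extension(share)]
    return files, has_shutdown_run_value(sample_reg)


if __name__ == "__main__":
    print(demo())
```

Point find_double_extension at the shared folders of the file sharing clients in use; a hit on the registry check means the .JPG-moving step described above has already run on that machine.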