Email-Worm.Win32.Calil

Class Email-Worm
Platform Win32
Description

Technical Details

Calil is an Internet worm that spreads as an attachment to infected email messages.

The worm sends out messages with the following properties:

Subject: FW:FW: LILAC project video attach
Attachment name: LILAC_WHAT_A_WONDERFULNAME.avi
Attachment size: 12208 bytes
Message body: Things that the govt. dont want you to know

Installation
When the worm is launched on a computer for the first time, it tries to copy itself to the following hard-coded locations:

c:\win98\temp\LILAC_WHAT_A_WONDERFULNAME.avi
c:\windows\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe
c:\win95\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe
c:\winnt\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe
c:\winme\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe
c:\winxp\temp\LILAC_WHAT_A_WONDERFULNAME.avi.exe

Calil launches a copy of itself automatically when Windows restarts by writing the following registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Lilac=(one of the paths specified above)

Next, the worm shows a fake error message:

Windows
Error54: Media Player not installed correctly

Replication
The worm gets email addresses from the Windows and Outlook address books and sends infected messages to these addresses. It uses Outlook to send infected messages.

Other
Calil changes the system's registered owner information by writing the following registry values:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner=xEnOcrAtEs
LegalNoticeCaption=Owned by:
LegalNoticeText=Owned by: xEnOcrAtEs

This forces Windows to show the following message when starting:

Owned by: xEnOcrAtEs