Trojan.WinREG.Qoologic

Technical Details

This is the first known Internet-worm in the Logo language that is widely used by schools worldwide. The worm itself is a LGP file, that is, a Logo Project File. It can be executed with special interpreter software like SuperLogo for Windows.

The worm doesn’t spread by itself; rather it drops two different components:

• a VBS file to spread through e-mail a la LoveLetter
• an INI file to spread through IRC channels

It also drops a BAT file that writes a message on the screen during Windows startup. The message is:

You think Logo worms don’t exist? Think again!

The worm creates a VBS file in a Windows startup folder, thus, it will be executed automatically upon the next Windows startup. The scripts in the VBS file create and send a message via Outlook to every entry in the address book. These messages have:

Subject: Hey friends!
Body: Hello! Look at my new SuperLogo program! Isn’t it cool?
Attached file name: logic.lgp

An MIRC script in the worm’s INI file is very short, and just sends the worm’s LGP file to all users joining an infected channel.