Date Discovered: 12/1/2003
Date Added: 2/10/2004
Origin: Unknown
Length: 17,408 bytes (packed)
Type: Virus
SubType: Internet Worm
This is a generic description for W32/Lazi. A few variants of this virus exist; they differ in the IRC servers they connect to, each of which is a hard-coded IP address in the virus body.
IRC Component:
After connecting to an IRC server, it joins a channel called #adfxdaxf2 using the username "Admin" and password "3r3r3r". The following actions can then be performed:
Download and upload files from the victim's PC.
Remotely execute files.
Update the existing virus to new versions.
Keylogger Component
This virus drops a keylogger component, kbdext32.dll (94.208 bytes), which is detected as Keylog-Laz. The log file created is sent to the author using its own SMTP engine. The following registry keys containing the mail configuration are added:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IxIdnt"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IxMail"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IxServ"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IxWind"
The email sent to the author has the following format:
To: root@utility-carfax.com
From: admin@microsoft.com
Subject: Log requested from IRC
Attachment: Log.txt
Body: Look at me
Backdoor Component
The virus also contains a backdoor component, which hacker's machine on port 11311.
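An added triage example, not part of the original description or of any vendor tool: it scans a text registry export and `netstat -ano` output for the indicators listed above (the four Ix* values under Internet Settings and port 11311). The function names, sample inputs and addresses are constructed for illustration.

```python
import re
# Indicators taken from the description above.
REG_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_VALUES = {"ixidnt", "ixmail", "ixserv", "ixwind"}
BACKDOOR_PORT = "11311"

def reg_hits(reg_export):
    """Return W32/Lazi value names found directly under the Internet Settings
    key in a text registry export. Names are compared case-insensitively."""
    hits, in_key = [], False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                      # start of a new key section
            in_key = line.strip("[]").lower() == REG_KEY.lower()
        elif in_key:
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=', line)
            if m and m.group(1).lower() in REG_VALUES:
                hits.append(m.group(1))
    return hits

def port_hits(netstat_output):
    """Return netstat lines using port 11311. The description does not make the
    direction of the backdoor connection clear, so both endpoints are checked."""
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].upper() in ("TCP", "UDP"):
            if BACKDOOR_PORT in {ep.rsplit(":", 1)[-1] for ep in fields[1:3]}:
                hits.append(line.strip())
    return hits

# Constructed sample inputs (documentation addresses, placeholder values).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
"IxMail"="constructed-value"
"IxServ"="constructed-value"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]
"IxWind"="different key, must not match"
'''
SAMPLE_NETSTAT = """
  Proto  Local Address      Foreign Address       State        PID
  TCP    192.0.2.10:1045    198.51.100.7:11311    ESTABLISHED  1234
  TCP    192.0.2.10:1046    198.51.100.7:6667     ESTABLISHED  1234
"""
if __name__ == "__main__":
    print(reg_hits(SAMPLE_REG), port_hits(SAMPLE_NETSTAT))
```

A registry export saved by regedit is usually UTF-16, so decode the file before passing its text to `reg_hits`.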
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101006
