
W32/Lazi

Feb 10, 2004 11:55PM PST

Date Discovered: 12/1/2003
Date Added: 2/10/2004
Origin: Unknown
Length: 17,408 bytes (packed)
Type: Virus
SubType: Internet Worm

This is a generic description for W32/Lazi. A few variants of this virus exist; the difference between them is the IRC server that they connect to, which is a hard-coded IP address in the virus body.

IRC Component

After connecting to an IRC server, it enters a channel called #adfxdaxf2 using the username "Admin" and password "3r3r3r". After that, the following actions can be performed:

Download and upload files from the victim's PC.
Execute files remotely.
Update the existing virus to new versions.

Keylogger Component

This virus drops a keylogger component, kbdext32.dll (94.208 bytes), which is detected as Keylog-Laz. The log file it creates is sent to the author using the virus's own SMTP engine. The following registry values containing the mail configuration are added:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IxIdnt"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IxMail"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IxServ"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IxWind"

The contents of the email sent to the author are in the following format:

To: root@utility-carfax.com
From: admin@microsoft.com
Subject: Log requested from IRC
Attachment: Log.txt
Body: Look at me Wink

Backdoor Component

The virus also contains a backdoor component, which hacker's machine on port 11311.
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101006
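The indicators listed above (the IRC channel, the backdoor port, the SMTP recipient and subject, the dropped DLL and the four registry value names) can be turned into a simple log matcher for hunting this worm. The script below is an added example, not part of the post or of McAfee's description; the log line formats it scans are constructed and hypothetical.

```python
import re
from typing import Dict, List

# Indicators taken from the W32/Lazi description above; nothing else is assumed.
INDICATORS = {
    "irc_channel":   re.compile(r"JOIN\s+#adfxdaxf2\b", re.I),
    "backdoor_port": re.compile(r"\b(?:dport|port)=11311\b"),
    "smtp_rcpt":     re.compile(r"root@utility-carfax\.com", re.I),
    "smtp_subject":  re.compile(r"Subject:\s*Log requested from IRC", re.I),
    "keylogger_dll": re.compile(r"kbdext32\.dll", re.I),
    # Registry value names written under the Internet Settings key.
    "registry":      re.compile(r"Internet Settings\\(IxIdnt|IxMail|IxServ|IxWind)\b"),
}

def scan_line(line: str) -> List[str]:
    """Return the names of every W32/Lazi indicator that matches one log line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]

def scan_logs(lines) -> Dict[str, List[str]]:
    """Map each matching log line to its indicator names; clean lines are dropped."""
    hits: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.rstrip("\n")
        found = scan_line(line)
        if found:
            hits[line] = found
    return hits

# Constructed sample log lines (hypothetical IRC-proxy, firewall, SMTP-gateway
# and Sysmon-style formats) used to exercise the matcher offline.
SAMPLE_LOGS = [
    "2004-02-10 irc-proxy: client 10.0.0.5 JOIN #adfxdaxf2",
    "2004-02-10 fw: ALLOW src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=11311",
    "2004-02-10 smtp-gw: RCPT TO:<root@utility-carfax.com> from 10.0.0.5",
    "2004-02-10 smtp-gw: Subject: Log requested from IRC (attachment Log.txt)",
    "2004-02-10 sysmon: RegSetValue HKCU\\Software\\Microsoft\\Windows\\"
    "CurrentVersion\\Internet Settings\\IxServ",
    "2004-02-10 fw: ALLOW src=10.0.0.7 dst=198.51.100.2 proto=tcp dport=443",
]

if __name__ == "__main__":
    for line, names in scan_logs(SAMPLE_LOGS).items():
        print(f"{', '.join(names):<14} {line}")
```

The last sample line is benign traffic and is dropped, which shows the matcher only reports lines carrying one of the listed indicators.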
