W32/Lerpa-A is a worm for the Windows platform.
W32/Lerpa-A is sent as an email attachment, where the email has the following characteristics:
Subject line:
Orkut =)
Invite Orkut
Community Orkut
Download Orkut.exe
Orkut.com
Myself Orkut.com
You invite for Orkut
My Fotolog
My album fotolog
Fotolog.com
Create Fotolog GOLLLDD
Free Fotolog Gold
My Blog
My confisions Blog
V Blog
PowerCam
Flogao
Fotolog
Orkut!!!!!
Attached file:
zipped.rar.pif
When first run W32/Lerpa-A copies itself to any of the following folders:
C:\
C:\Windows
C:\Windows\Config
C:\Windows\System
C:\Windows\Temp
C:\WinNT
C:\WinNT\Config
C:\WinNT\System
C:\WinNT\Temp
W32/Lerpa-A copies itself with one of the following names:
common.com
common.exe
common.pif
common.scr
ini_file__.pif
load_me__.tmp
msfile.pif
Sexo.exe
Sexo.jpg.pif
system_load_.pif
zipped.rar.pif
W32/Lerpa-A creates the file C:\WinXp.html and sets this as the Desktop background.
Registry entries are created to execute some of the copies of W32/Lerpa-A when a user logs on:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<Name>
<Path to worm>
Where <Name> is one of the following:
Service Pack
Update for Windows
Winzip