Summary

| Detected by | All Sophos products |
|---|---|
Action

Please follow the instructions for removing worms.
Please read the instructions for removing Trojans.
More Information
W32/Lolol-C is a worm and a backdoor Trojan.
The worm component is primarily targeted at users running the KaZaA peer-to-peer application. The worm creates 88 copies of itself in the folders C:\Program Files\Kazaa Lite\My Shared Folder, C:\Program Files\Kazaa\My Shared Folder and C:\My Downloads.
The following list contains examples of the filenames used for the copies of the worm:
100 free essays school.pif
age of empires 2 cheats.exe
aim cracker.exe
aim password cracker
anarchist cookbook.pif
aol cracker.exe
aol password cracker.exe
divx pro.exe
driver.exe
fireworks.exe
fuck.exe
GTA 3 Crack.exe
GTA 3 Serial.exe
gta3.exe
hondra screen saver.scr
HotGirls.exe
hotmail hack.exe
how to hack.exe
how to use a shell.pif
NBA 2003 Crack.exe
NBA 2003 serials.epif
NBA 2003.exe
pamela anderson screen saver.scr
play station emulator crack.exe
play station emulator.exe
porn screen saver.scr
steal usernames.exe
super mario bros.exe
super mario brothers.exe
supra screen saver.scr
ut 2k3.exe
ut 2k3.pif
virtua girl - completely nude.pif
virtua girl - jenn.pif
Virtua Girl (Full).exe
Virtua Sex.exe
warcraft 3 crack.exe
warcraft 3 serials.pif
winxp.iso.pif
worldbook.exe
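Because the copies are the worm itself under different lure names, they can be found by content rather than by matching the filename list. The sweep below is an added example, not Sophos code: it groups executables in the folders named above by SHA-256 and reports any content stored under many names. The function names and the `MIN_COPIES` threshold are assumptions.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

# Folders named in the write-up above.
SHARE_DIRS = [
    r"C:\Program Files\Kazaa Lite\My Shared Folder",
    r"C:\Program Files\Kazaa\My Shared Folder",
    r"C:\My Downloads",
]
# Extensions seen in the page's filename list; all run directly on Windows.
EXEC_EXTS = {".exe", ".pif", ".scr"}
MIN_COPIES = 5  # assumed alert threshold, not a value from the advisory


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large shares do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_clone_clusters(folders=SHARE_DIRS, min_copies=MIN_COPIES):
    """Return {sha256: [paths]} for identical executables stored under many names."""
    by_hash = defaultdict(list)
    for folder in map(Path, folders):
        if not folder.is_dir():
            continue  # folder absent on this host
        for entry in folder.iterdir():
            if entry.is_file() and entry.suffix.lower() in EXEC_EXTS:
                try:
                    by_hash[sha256_of(entry)].append(str(entry))
                except OSError:
                    continue  # locked or unreadable file: skip, keep sweeping
    return {
        h: sorted(paths)
        for h, paths in by_hash.items()
        if len({Path(p).name.lower() for p in paths}) >= min_copies
    }


if __name__ == "__main__":
    for digest, paths in find_clone_clusters().items():
        print(f"{len(paths)} identical executables, sha256={digest}")
        for p in paths:
            print("   ", p)
```

A reported cluster is a lead for scanning and removal, not a verdict; the same hash can then be compared against C:\Windows\System\winsys.exe.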
The backdoor Trojan component will connect to an IRC server and join a channel, where it will wait for commands issued by an attacker using that IRC channel. The commands will be interpreted by the server into actions to carry out on the host computer.
When first executed, the worm will copy itself to the file C:\Windows\System\winsys.exe.
The following registry entries will be created to start the worm when Windows starts up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Configuration Loader
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Configuration Loader

