FRISK Software International

Summary of W32/Lilac
Alias:I-Worm.Calil, Calil, W32/Lilac.A@mm, Liac
Discovered: 8 Jul 2002
Definition files: 8 Jul 2002
Jump to:
Brief description
Technical description
Removal Instructions

Brief Description

The Lilac worm first appeared on 8th of July 2002. The worm is written in Visual Basic and compressed with Petite file compressor. The size of compressed worm is 12208 bytes

Technical Description

When the worm's file is started it shows a fake error message

Error54: Media Player not installed correctly

The worm copies itself to TEMP folder of Windows, adds startup key for that file into System Registry and sends itself to all recipients of Outlook Address Book and Windows Address Book with the following message:


     FW:FW: LILAC project video attach


     Things that the govt. dont want you to know



The worm has bugs in its code and can fail to send its attachment. In this case recipients will get an empty EXE file.

Also the worm changes Windows owner information to 'xEnOcrAtEs' and sets logon text to 'Owned by: xEnOcrAtEs'. The worm can display a message:

'Your PC is infected with LILAC virus by: xEnOcrAtEs'

Removal Instructions

Delete all LILAC_WHAT_A_WONDERFULNAME.avi.exe files from your hard drive and restart your computer. If the file can't be deleted from Windows (locked), you can delete it from pure DOS (if you have Windows 9x system) or you can rename it with a different extension and restart your system (in case you have NT-based system). After restart you will be able to delete the renamed file.

[Analysis: Alexey Podrezov; F-Secure Corp.; July 8th, 2002]

Stay up to date with important developments via e-mail.
Stay up to date with life cycle policies for F-PROT Antivirus for Windows.
Virus news and information directly to your desktop.
Definitions of common antivirus terminology.
For further virus information, please try our partners' websites:


perComp Verlag
(in German)