Lilac - F-Prot Antivirus Virus Information

Virus Info > Virus Threats > Lilac

Summary of W32/Lilac
Alias:	I-Worm.Calil, Calil, W32/Lilac.A@mm, Liac
Discovered:	8 Jul 2002
Definition files:	8 Jul 2002

Jump to:

Brief description
Technical description
Removal Instructions

Brief Description

The Lilac worm first appeared on 8th of July 2002. The worm is written in Visual Basic and compressed with Petite file compressor. The size of compressed worm is 12208 bytes

Technical Description

When the worm's file is started it shows a fake error message


Error54: Media Player not installed correctly

The worm copies itself to TEMP folder of Windows, adds startup key for that file into System Registry and sends itself to all recipients of Outlook Address Book and Windows Address Book with the following message:


Subject: 

     FW:FW: LILAC project video attach

Body: 

     Things that the govt. dont want you to know

Attachment: 

     LILAC_WHAT_A_WONDERFULNAME.avi.exe

The worm has bugs in its code and can fail to send its attachment. In this case recipients will get an empty EXE file.

Also the worm changes Windows owner information to 'xEnOcrAtEs' and sets logon text to 'Owned by: xEnOcrAtEs'. The worm can display a message:


'Your PC is infected with LILAC virus by: xEnOcrAtEs'

Removal Instructions

Delete all LILAC_WHAT_A_WONDERFULNAME.avi.exe files from your hard drive and restart your computer. If the file can't be deleted from Windows (locked), you can delete it from pure DOS (if you have Windows 9x system) or you can rename it with a different extension and restart your system (in case you have NT-based system). After restart you will be able to delete the renamed file.

[Analysis: Alexey Podrezov; F-Secure Corp.; July 8th, 2002]

Virus Info by Platform

W32	Script	Macro
DOS	UNIX	All

Virus Info by Letter:

A	B	C	D	E	F
G	H	I	J	K	L
M	N	O	P	Q	R
S	T	U	V	W	X
Y	Z	All

F-PROT Antivirus Alerts

Stay up to date with important developments via e-mail.

Life cyle policy

Stay up to date with life cycle policies for F-PROT Antivirus for Windows.

Virus news and information directly to your desktop.

Glossary of Terms

Definitions of common antivirus terminology.

More Virus Info

For further virus information, please try our partners' websites:

Authentium

perComp Verlag
(in German)

Legal notices | Privacy policy | FRISK Software International © 1993-2009. All rights reserved.

agoat@klaki.net argentina@f-prot.com argentina@frisk.is argentina@complex.is argentina@f-prot.is argentina@frisk-software.com argentina@f-prot.net argentina@f-prot.co.uk brazil@f-prot.com brazil@frisk.is brazil@complex.is brazil@f-prot.is brazil@frisk-software.com brazil@f-prot.net brazil@f-prot.co.uk malta@f-prot.com malta@frisk.is malta@complex.is malta@f-prot.is malta@frisk-software.com malta@f-prot.net malta@f-prot.co.uk a.bjani@f-prot.com a.bjani@frisk.is a.bjani@complex.is a.bjani@f-prot.is a.bjani@f-prot.co.uk a.bjani@frisk-software.com a.bjani@f-prot.net z.fifl@f-prot.com z.fifl@frisk.is z.fifl@complex.is z.fifl@f-prot.is z.fifl@f-prot.co.uk z.fifl@frisk-software.com z.fifl@f-prot.net strumpuri@complex.is strumpure@complex.is strumpuru@complex.is 00a@eircom.net 0maaahonyy@eircom.net 950@eircom.net af@eircom.net am@eircom.net ar@eircom.net as@eircom.net b1@eircom.net boss3@eircom.net ceih@eircom.net cera@eircom.net chxe@eircom.net cs@eircom.net cydw@eircom.net d71@eircom.net dpfy@eircom.net dzuv@eircom.net ehpa@eircom.net epin@eircom.net f1@eircom.net fa@eircom.net fdld@eircom.net fdnv@eircom.net gacg@eircom.net gafj@eircom.net gc@eircom.net gz@eircom.net ha@eircom.net he@eircom.net ia@eircom.net ja@eircom.net k2@eircom.net lleahy6@eircom.net m1@eircom.net no@eircom.net pb@eircom.net qq@eircom.net r6oo@eircom.net ra@eircom.net s2@eircom.net t2@eircom.net ua@eircom.net va@eircom.net vb@eircom.net w2@eircom.net ww2@eircom.net xxxkiss@eircom.net y1@eircom.net ya@eircom.net zz@eircom.net