Weekly Virus Report – Numan, Enegg and Lerok Worms

Numan spreads through the peer-to-peer (P2P) file sharing program KaZaA and the chat program mIRC. In order to spread through KaZaA, Numan changes the shared directory of this program to C:\WINDOWS, and creates multiple copies of itself in it.

Numan activates on the nineteenth of every month and deletes all the files with a SYS, DLL or COM extension from the Windows directory. As a result, the computer will stop working properly. Numan also looks for directories belonging to several antivirus programs and, if it finds them, it deletes all files in these directories.

The second worm in today’s report is Enegg, which spreads via e-mail in a message with variable characteristics and which includes an attachment called CYNTHIA.EXE, SERIAL.EXE or HUEVOS-CARTOONS.EXE.

When it is run, Enegg displays several messages in Spanish and deletes the installation directories of several antivirus programs and the files they contain. As a result, these applications will stop working, leaving the affected computer vulnerable to attack from other malicious code. Enegg also overwrites the following files, adding a VBS extension to their name: CMD.EXE, MSCONFIG.EXE, SYSEDIT.EXE. From then on, these files will have a double extension.

We are going to finish this report with Lerok, a worm that spreads via e-mail in a message with the subject “Mandar SMS Gratis!” and an attachment called SMSSENDER.EXE. This malicious code also sends itself out to all the addresses in the Contact List of the instant messaging program MSN Messenger.