Name: W32/Calil-A Aliases: W32/Lilac.A@mm, WORM_LIAC.A Type: Win32 worm Date: 8 July 2002 At the time of writing Sophos has received just one report of this worm from the wild. Description W32/Calil-A is an email worm which uses Microsoft Outlook to spread. The worm arrives in an email with the following characteristics: Subject line: FW: FW: LILAC project video attached Message text: Things that the govt. dont want you to know Attachment name: LILAC_WHAT_A_WONDERFULNAME.avi.exe. The icon of the attached file is identical to the icon of an AVI sound file. If the attachment is opened from Microsoft Outlook the worm runs and displays the fake error message "Error54:Media Player not installed correctly". The worm then sends itself to all contacts found in the Windows address book. W32/Calil-A adds or changes several registry entries. It adds the registry entry \HKLM\Software\Microsoft\Windows\CurrentVersion\ Run\Lilac so that the worm file runs during the Windows startup sequence. As a payload W32/Calil-A adds the registry entries \HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption and \HKLM\Software\Windows\Current\Version\Winlogon\LegalNoticeText so that the message box "Owned by xEnOcrAtEs" is displayed before the log-on dialog. More information about W32/Calil-A can be found at http://www.sophos.com/virusinfo/analyses/w32calila.html