LeChucK (also known as WORM_VB.FKO by Trend Micro) is a worm created on August 29, 2007. It mainly attacked systems running Windows XP and was commonly found on the peer-to-peer file-sharing program Ares Galaxy, software created back in 2002. The worm's name is based on the character of the same name from the graphic adventure saga Monkey Island (the character appeared as a zombie pirate). The worm was also commonly found on MSN. This malware commonly attacked countries in Latin America.

Payload

The worm will drop copies of itself in these directories:

%System%\cmd.com
%System%\LeChucK.exe
%System%\wins.exe
%Windows%\regedit.com
%Windows%\spolis.exe

It drops the following non-malicious files/components:

%System%\CC.dll
%System%\LeChucK.hta
%System%\zip32.dll

The worm makes sure it is always run by modifying these registry keys (the default value of each shell\open\command entry is redirected to %System%\wins.exe, which receives the originally launched file as "%1"):

HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"
HKEY_CLASSES_ROOT\cmdfile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%System%\wins.exe "%1" %*"

This worm will also disable Task Manager so the user can't end the process: the option in the taskbar will appear blank and unclickable. It will also disable any anti-virus software, which makes the worm very hard to remove for an inexperienced user.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools = "1" (This disables any anti-virus software)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
disabletaskmgr = "1" (This disables Task Manager)

It will also infect any USB drive that is connected to the infected computer: the worm drops an AUTORUN.INF file that contains the following code:

OPEN=%windows%\Spolis.exe
shell\open=Abrir (Note: Abrir is Open in Spanish)
shell\open\Command=%windows%\Spolis.exe
shell\open\Default=1
shell\explore=Explorar (Note: Explorar is exploring in Spanish)
shell\explore\Command=%windows%\Spolis.exe
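As an added defender-side example that is not part of the original page or of Trend Micro's writeup: a read-only PowerShell triage script that checks a Windows machine for the persistence and lockout changes described above (the hijacked shell\open\command keys, the two Policies\System values, the dropped files, and an AUTORUN.INF on removable drives pointing at Spolis.exe). It assumes %System% and %Windows% can be resolved through .NET; the paths and value names themselves come from the page.

```powershell
# Added triage script (not from the page or Trend Micro). Read-only: it
# reports indicators and changes nothing. Run from an elevated PowerShell.

$sys = [Environment]::GetFolderPath('System')   # resolves %System%
$win = [Environment]::GetFolderPath('Windows')  # resolves %Windows%
$findings = @()

# 1. File-association hijack: a clean shell\open\command for these classes
#    is '"%1" %*'; the worm points it at %System%\wins.exe instead.
foreach ($cls in 'batfile','cmdfile','comfile','exefile','piffile') {
    $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
    $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -match 'wins\.exe') {
        $findings += "Hijacked association: $key -> $cmd"
    }
}

# 2. Policy values the worm sets to lock the user out of Task Manager
#    and the Registry Editor.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
foreach ($name in 'DisableRegistryTools','DisableTaskMgr') {
    if ($p -and $p.$name -eq 1) { $findings += "Policy lockout: $pol\$name = 1" }
}

# 3. Files the page lists as dropped by the worm.
$dropped = "$sys\cmd.com", "$sys\LeChucK.exe", "$sys\wins.exe",
           "$win\regedit.com", "$win\spolis.exe", "$sys\LeChucK.hta"
foreach ($f in $dropped) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

# 4. AUTORUN.INF on removable drives (DriveType 2) that launches Spolis.exe.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = "$($_.DeviceID)\AUTORUN.INF"
    if ((Test-Path -LiteralPath $inf) -and
        (Select-String -Path $inf -Pattern 'spolis\.exe' -Quiet)) {
        $findings += "Infected AUTORUN.INF: $inf"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No LeChucK indicators found.' }
```

A hit on check 1 matters most for cleanup: while exefile\shell\open\command points at wins.exe, every .exe the user launches (including a removal tool) is handed to the worm first.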

It will drop compressed copies of itself (in ZIP files). Many of these files have Spanish names, which could mean the worm originated in a Spanish-speaking country and could explain why most of the infections were in such countries. These files can also be found on Ares Galaxy. They are dropped in the %ProgramFiles%\ICQ\Shared files folder.

The dropped files use the following names:

7-Zip 4.43.Zip
ACDSee 2.4.4.Zip
ACDSee Photo Manager.Zip
Acrobat Reader 7.0.Zip
Acrobat Reader 8.0 New.Zip
Ad-Aware 2007.PRO 7.0.1.6 Full.Zip
Adobe Acrobat Profesional 8.0.Zip
Adobe Audition 2.0 KEYGEN.Zip
adobe audition.Zip
Agnitum Outpost Firewall Pro 4.0.Zip
Aida 32.Zip
AIDA32.Zip
amv convert tool.Zip
Anonymous Surfing 7.3.Zip
AntiVir Personal 6.32.Zip
AnyDVD 6.1.3.6.Zip
Apariencia Windows Vista para XP.Zip
Ardamax Keylogger.Zip
Ares Lite 2.4.Zip
Ashampoo Firewall 1.01.Zip
Ashampoo WinOptimizer.Zip
Aspak 2.12.Zip
Audacity.Zip
Autocad Full Español.Zip
Avast Antivirus.Zip
AVG Anti-Spyware 7.5 Español.Zip
Batlefield 1942 Keygen.Zip
BearShare v7.8 Installer.Zip
BitComet.Zip
BitDefender 7 Español.Zip
BitTorrent 4.26.0.Zip
Cartoonist.Zip
Ciber Boss 4.2.Zip
CiberBoss 4.2.Zip
ClamWin 0.88.2.3.Zip
Cleaner v1.39.Zip
Clone CD 5.2 Installer.Zip
CloneCD v4.3.2.2.Zip
CloneDVD.Zip
Counter Strike 3 Install Online.Zip
Crear Virus en ASM.Zip
Crystal Player 1.9 FREE New.Zip
CuteFTP 6.5 Installe.Zip
CuteFTP.Zip
DAEMON Tools Pro.Zip
DeepFreezer.Zip
DirectX 9.0 c.Zip
Disk Cleaner.Zip
Divx v9.4 beta 2004 version.Zip
Download Acelerator Plus 8.3 Installer.Zip
Dr. Abuse 6.10.Zip
Dr. Web Install Online.Zip
Dreamweaver 8 Español.Zip
Easy CD-DA Extractor.Zip
Easy Gif Animator Crack All Version.Zip
Easy Gif Animator.Zip
Emoticones para Windows Live Messenger.Zip
Empire Earth 2 Crack.Zip
Emulador PS2 y PS3!.Zip
eMule 4 Installer.Zip
Encarta 2007.Zip
ePSXe 3.6.0.Zip
Everest Ultimate Edition 2006.Zip
EVEREST Ultimate Edition.Zip
Ewido freeware version.Zip
Exploit para IE 7.Zip
Fifa 2004 Keygen.Zip
Firefox Setup 4.5.exe.Zip
Flash 8 En Español.Zip
FlashGet 1.72.128.Zip
FlashGet.Zip
Fortinet Install.Zip
FrontPage 2007.Zip
Google Earth Pro.Zip
Google Earth.Zip
GTA 4 Vice City 2 New.Zip
Gta San Andreas Crack.Zip
Hacer Windows XP Original.Zip
Hacha PRO.Zip
Halo 2 Crack.Zip
HDD Regenerator 1.51.Zip
Hide IP Platinum.Zip
HP Photosmart Install.Zip
Icecold Reloaded.Zip
ICQ Lite Ultima Version.Zip
Idoser all drugs.Zip
iMesh v 4.8 Installer.Zip
Internet Explorer 7.Zip
iTunes 7.3.2.Zip
iTunes.Zip
Kaspersky Internet Security 6.0.2.621.Zip
Kaspersky.Zip
Kazaa Deluxe 2004.Zip
KazaA Download Accelerator v2.0.Zip
KillBox 2.0.0.648 .Zip
Lavasoft Ad-Aware 8.Zip
LeChucK.Zip
LimeWire Lite Deluxe Installer.Zip
Limewire Portable.Zip
LimeWire Pro.Zip
Macromedia Dreamweaver MX.Zip
Macromedia Flash MX.Zip
Macromedia Flash Player.Zip
McAfee Internet Security Suite 2007.Zip
McAfee Virus Scan.Zip
Media Player 11 Crackeado.Zip
Mess Patch.Zip
Messenger Plus.Zip
MessengerDiscovery.Zip
Microsoft defender.Zip
Mindsoft Utilities.Zip
mIRC 6.20.Zip
MIRC62.Zip
Mobile Phone Tools.Zip
Monkey Island I.Zip
Monkey Island II.Zip
Motorola Software.Zip
Mozilla Firefox.Zip
Mozilla Thunderbird.Zip
Msjavx86(Java).Zip
MSN Multisesion.Zip
MSN Plus 9.Zip
MSN Poligamy.Zip
My Drivers 3.22.Zip
MySQL Español-English.Zip
Need For Speed Underground 2 Crack.Zip
Nero Burning Rom.Zip
Nero Burning v7.3 Crack.Zip
NOD32 2.7 Español.Zip
Nod32 2.7.Zip
NOD32 Crack.Zip
Norton antivirus 2007.Zip
Norton Ghost 10 Español.Zip
Norton ghost.Zip
Norton Partition Magic 8.05.Zip
NTI cd-maker.Zip
OpenOffice.Zip
Opera 9.Zip
Paint Shop Pro CRACK.Zip
Panda Internet Security 2007.Zip
Parche Español para Winamp.Zip
Parche Need For Speed Underground.Zip
Partition Magic 8.0 CRACK.Zip
Partition Magic 8.0.Zip
Perfect Keylogger v1.535.Zip
Petite 23 Compresor.Zip
Photoshop CS3 Crack.Zip
Photoshop CS3 Traduccion.Zip
photoshop.Zip
PHP Nuke.Zip
Pokemon 2007 Español.Zip
QuickTime Pro 7.1.3.100.Zip
Rainbow Six 4 Keygen.Zip
real player.Zip
RealPlayer 8.Zip
ResHacker.Zip
Simpson Hit & Run Crack.Zip
Sims City 2006 Keygen.Zip
Sin Espias.Zip
Skype New Version.Zip
SmartFTP.Zip
SoulSeek v5.6 Installer.Zip
Soulseek.Zip
Spiderman MultiCrack.Zip
Spybot - Search & Destroy.Zip
Spyware Doctor .Zip
Sudoku 3D.Zip
System Mechanic Professional.Zip
Terminator 4 Keygen.Zip
The hacker Antivirus.Zip
The Sims 2 Keygen.Zip
Tiny Personal Firewall 6.5.126.Zip
Titan Poker.Zip
Total Commander.Zip
Trojan Remover.Zip
TuneUp Utilities 2007 Crack.Zip
UltraEdit-32 Profesional 11.0.Zip
Unlocker Ultimate Version.Zip
UPX 3.Zip
UserBar Generator.Zip
VIRTUALJ3.1.Zip
Vista Inspirat.Zip
VistaMizer.Zip
Visual Basic 8.Zip
VoipStunt.Zip
Warcraft 4 Keygen.Zip
WinAce 2.65.Zip
Winamp 5 5.32.Zip
Winamp 5.35 Pro.Zip
Winamp v8.1.Zip
WinAVI.Zip
Windows Live Messenger 8.5 BETA.Zip
Windows Live Messenger 8.5.Zip
Windows Media 11 Crack.Zip
Windows Media player 11.Zip
Windows Vista Activacion.Zip
WindowsBlinds 5.5.Zip
WinMX 5.1 New.Zip
Winrar 3.51.Zip
Winrar 3.62 Final Español.Zip
Winrar 7.4 Version Beta.Zip
Winzip 10.0.Zip
WinZip 11.Zip
Winzip 12 Beta.Zip
Yahoo Messenger v7.9.Zip
Yahoo Messenger.Zip
Your Uninstaller Pro.Zip
YouTube Catcher.Zip
YouTube Spider.Zip
ZoneAlarm 6.5.731.000.Zip

It will also access the following websites to download more files, such as trojans (acting like a backdoor):

http://{BLOCKED}.eresmas.com/espana.starmedia.com/gratisweb
http://www.{BLOCKED}tadorgratis.es/count.php
http://www.{BLOCKED}smas.com/js/logs_sm.js
http://www.{BLOCKED}tisweb.com/mowpax/contador.htm

After the worm does all of this, getting rid of it is very hard if the user did not have any anti-virus beforehand, since the worm has a keylogger that prevents the user from searching for these words:

lechuck
virus
antivirus

It will also prevent the user from searching for any anti-virus name; any attempt to do so will make the worm close the browser. The worm also prevents the user from opening any anti-virus installer or software: any attempt to do so will make the worm delete the file and stop it from executing. It can also make the executable a non-valid Win32 application.

If the user has MSN and signs in, it will show the sprite of LeChuck from Monkey Island with a message.

If the user opens My Documents, the following message will appear in the title bar of the window, and then the file explorer will close: "WIN32 LECHUCK IS HERE"

References

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/archive/malware/worm_vb.fko
