Win32/Lanc [Threat Name] go to Threat
Win32/Lanc.A [Threat Variant Name]
Category | virus |
Size | 15000 B |
Aliases | Virus.Win32.Lanc.a (Kaspersky) |
W32.Lanc (Symantec) | |
W32/Generic.m (McAfee) |
Short description
Win32/Lanc.A is a prepending virus .
Installation
When executed, the virus copies itself into the following location:
- %windir%\crclan.exe (15000 B)
The following Registry entry is set:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
- "HideFileExt" = 1
File infection
Win32/Lanc.A is a prepending virus .
The virus searches local drives for files with the following file extensions:
- .doc
When the virus finds a file matching the search criteria, it creates a new copy of itself.
The name of the new file is based on the name of the file found in the search.
The filename has the following extension:
- .doc.exe
The original .doc file is appended to the newly created .exe file.
The virus deletes the .doc file.
When the infected file is executed, the original file is dropped to %temp%\%original_filename% .
The file is then executed.
Other information
The virus creates the following files:
- %temp%\~PD%random1%.tmp
- %temp%\~EX%random2%.tmp
A string with variable content is used instead of %random1-2% .