IRC-Worm.DOS.Loa


By Domesticus in Worms

IRC-Worm.DOS.Loa is a worm that allows a third party to gain access to your computer. Like most worms, IRC-Worm.DOS.Loa can replicate itself and spread quickly through a network, email, or directly through external devices. However, IRC-Worm.DOS.Loa's case is fairly peculiar. This malware threat is much more common as a fake infection than as an actual malware invasion. If you have a genuine anti-malware program installed on your computer detecting IRC-Worm.DOS.Loa, then ESG malware researchers recommend removing IRC-Worm.DOS.Loa from your computer immediately. However, it is much more common for a supposed IRC-Worm.DOS.Loa worm infection to be the result of a rogue security program detecting fake threats.

Most Cases of the IRC-Worm.DOS.Loa Worm Are Not Really True

Rogue security programs are malware applications designed to detect fake infections on a computer system, so they can then charge the victim to remove them. IRC-Worm.DOS.Loa is often detected by a very large number of rogue security programs, especially those that are variants of the Ppn.exe file. Some examples of fake security applications that display a false IRC-Worm.DOS.Loa worm infection include XP Antivirus 2011, Vista Antivirus 2011, Win 7 Antivirus 2011, XP Total Security, Vista Total Security and Win 7 Total Security. According to our ESG malware researchers, these fake security programs will usually display a fake scan of your computer system, and then display fake results, which often include a fake IRC-Worm.DOS.Loa worm infection and other fake Trojan infections lifted directly from virus encyclopedias and databases.

A Fake Case of the IRC-Worm.DOS.Loa Worm Can Be Just as Devastating as the Real One

According to ESG security researchers, any notification on your computer claiming that an IRC-Worm.DOS.Loa worm infection is present should be treated seriously. A real IRC-Worm.DOS.Loa worm infection can cause your computer to become a hub for infection, which can infect any other computer with which the IRC-Worm.DOS.Loa worm comes into contact. A fake IRC-Worm.DOS.Loa worm infection will usually mean that a rogue security program is wreaking havoc on your system, changing your settings and hogging system resources. Fortunately, the paths to dealing with a real case of IRC-Worm.DOS.Loa and a fake case caused by a rogue security program are the same. In both cases, the ESG team of security researchers recommends starting up Windows in Safe Mode (press F8 during start-up). Then, a genuine anti-malware program should tell you whether you have a real case of IRC-Worm.DOS.Loa or a fake security program. In both cases, if your security program is properly updated, it should be able to remove the problem.

File System Details

IRC-Worm.DOS.Loa creates the following file(s):
# File Name Detections
1. %AppData%\Local\random.exe N/A
2. %Temp%\ worm.dos.loa.12722.exe N/A
3. %AppData%\Roaming\Microsoft\Windows\Templates\ worm.dos.loa.20160.exe N/A
4. %AppData%\Local\ worm.dos.loa.exe N/A
5. %AllUsersProfile%\random.exe N/A

Registry Details

IRC-Worm.DOS.Loa creates the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
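
Several of the entries above replace the command that Windows runs when an executable or the default browser is launched, so that a program in the user profile starts first and receives the real target as an argument. The following check is an added example, not part of the original listing or any ESG tool: it parses lines in the listing's format and flags such handlers, assuming the stock value `"%1" %*` for the executable file class; the function names and the list of user-writable prefixes are illustrative.

```python
import re

# Listing format used in the page's "Registry Details": KEY "ValueName" = 'data'
ENTRY_RE = re.compile(r"""^(?P<key>HKEY_[^"]+?)\s+"(?P<name>[^"]*)"\s*=\s*'(?P<data>.*)'$""")
# Command handlers of the executable file class; Windows ships these as "%1" %*
EXE_CLASS_RE = re.compile(r"\\(?:exefile|\.exe)\\shell\\(?:open|runas)\\command$", re.I)
# User-writable locations, taken from the page's "File System Details" paths (assumed list)
USER_WRITABLE = ("%userprofile%", "%appdata%", "%temp%", "%allusersprofile%")

def leading_program(command):
    """Return the first token of a command line, honouring double quotes."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))', command)
    return next((g for g in m.groups() if g is not None), "") if m else ""

def assess(line):
    """Classify one listing line as 'hijack', 'ok' or 'info'; None if unparseable."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    key, name, data = m.group("key", "name", "data")
    if not key.lower().endswith("\\command") or name not in ("(Default)", "IsolatedCommand"):
        return key, name, "info"      # not a launch handler
    prog = leading_program(data)
    if EXE_CLASS_RE.search(key) and prog != "%1":
        return key, name, "hijack"    # .exe launches routed through another program
    if prog.lower().startswith(USER_WRITABLE):
        return key, name, "hijack"    # handler runs from a user-writable directory
    return key, name, "ok"

def scan(listing):
    """Assess every parseable line of a listing, in order."""
    return [r for r in map(assess, listing.splitlines()) if r]

# Sample input: five entries copied from the registry listing on this page
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
'''

if __name__ == "__main__":
    for key, name, verdict in scan(SAMPLE):
        print(f"{verdict:7} {key} [{name}]")
```

An entry marked `info` is not a launch handler; the per-user `exefile` class under HKEY_CURRENT_USER takes precedence over the machine-wide class, so a `hijack` verdict there affects every program that user starts.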

