IRC-Worm.DOS.Loa
IRC-Worm.DOS.Loa has a double identity: it is both a real worm and the name of a fake alert used by certain kinds of rogue anti-virus programs. The majority of recent IRC-Worm.DOS.Loa-related issues have been linked to false positive warnings created by Win 7 Anti-Virus 2011 and similar rogue PC threats. In cases where such a rogue isn't present, a real IRC-Worm.DOS.Loa infection can attack email-based functions and spread through network-shared folders and removable drives. Verify which type of IRC-Worm.DOS.Loa infection you're dealing with, and then use an appropriate anti-malware scanner to remove IRC-Worm.DOS.Loa or the offending rogue security program.
The Potential Danger of a Real IRC-Worm.DOS.Loa Infection
If you get infected by IRC-Worm.DOS.Loa, you may not see obvious signs of its presence. However, you can detect IRC-Worm.DOS.Loa by using standard malware detection scans and noting unusual memory processes or excessive system resource usage. IRC-Worm.DOS.Loa can distribute itself through emails, networks and peripheral devices by the following methods:
- IRC-Worm.DOS.Loa may harvest your email addresses and use built-in functionality to send copies of itself to your contacts. You should avoid downloading strange files, even ones sent by known contacts, unless you know that the file is safe.
- IRC-Worm.DOS.Loa may also create hidden copies of itself and place them in various drives of your PC. This can include removable drives. A simple Autorun exploit will let IRC-Worm.DOS.Loa install itself on any new computer that the device is plugged into.
- Finally, IRC-Worm.DOS.Loa may copy itself to network-shared folders and similar resources. The method of reproduction here is the same as above, except that it occurs whenever the relevant folder is accessed by a new computer on the network.
The end goal of a typical IRC-Worm.DOS.Loa infection is to allow remote attackers to control your computer. Consider all information on your PC at risk until you've taken appropriate measures to remove IRC-Worm.DOS.Loa.
The Dangers in a Fake IRC-Worm.DOS.Loa Infection
As of 2011, a fake IRC-Worm.DOS.Loa alert is far more common than a real IRC-Worm.DOS.Loa infection. False IRC-Worm.DOS.Loa detections are part of an overall scheme of false positive alerts used by a family of rogue security programs that includes Win 7 Home Security 2011, XP Home Security 2011, Vista Home Security 2011, Win 7 Antivirus 2011, XP Antivirus 2011 and Vista Antivirus 2011 (among many, many others).
Other symptoms of a rogue security program that creates fake IRC-Worm.DOS.Loa alerts include browser hijacks, security applications that crash with fake infection messages and a wide variety of other false infection pop-ups. Win 7 Antivirus 2011 and other rogue security programs can't detect IRC-Worm.DOS.Loa or any other type of malware, and so you should feel comfortable about ignoring these alerts.
Removing either IRC-Worm.DOS.Loa or a rogue security program that creates fake IRC-Worm.DOS.Loa warnings should be done by switching to Safe Mode or a similar controlled environment and then launching a full system scan with a fully updated anti-malware program. Be certain to scan your entire computer, since IRC-Worm.DOS.Loa is known to reproduce rapidly and rogue security programs such as the ones noted above often come bundled with other PC threats.
File System Modifications
- The following files were created in the system:
  1. %AllUsersProfile%\random.exe
  2. %AppData%\Local\ worm.dos.loa.exe
  3. %AppData%\Local\random.exe
  4. %AppData%\Roaming\Microsoft\Windows\Templates\ worm.dos.loa.20160.exe
  5. %Temp%\ worm.dos.loa.12722.exe
Registry Modifications
- The following Registry values were newly created:
HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile "(Default)" = 'Application'
HKEY_CURRENT_USER\Software\Classes\exefile "Content Type" = 'application/x-msdownload'
HKEY_CURRENT_USER\Software\Classes\exefile\DefaultIcon "(Default)" = '%1'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'

HKEY..\..\..\..{RegistryKeys}
HKEY_CLASSES_ROOT\.exe\DefaultIcon "(Default)" = '%1'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "(Default)" = '"%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\runas\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
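Several of the values above replace the command that Windows runs when an .exe file or the browser is opened, so every launch passes through the rogue program first. The following check is an added example, not part of the original write-up: it parses lines in this page's `key "name" = 'data'` listing format and flags handlers that differ from the normal `"%1" %*`. The function names and the user-writable-path rule are assumptions of this example, and the sample lines are copied from the listing above.

```python
import re

BENIGN_HANDLER = '"%1" %*'  # normal command: run the clicked file itself
# One listing line: <key path> "<value name>" = '<data>'
LINE_RE = re.compile(r"""^(HK[^"]+?)\s+"([^"]*)"\s+=\s+'(.*)'$""")
# Keys that decide what runs when an executable is opened.
EXE_HANDLER_RE = re.compile(r"\\(\.exe|exefile)\\shell\\(open|runas)\\command$", re.I)
# Any shell verb command key (covers the browser launcher entry).
COMMAND_KEY_RE = re.compile(r"\\shell\\[^\\]+\\command$", re.I)
# Assumption of this example: a launcher stored in a per-user folder is suspect.
USER_WRITABLE_RE = re.compile(r'^"?%(UserProfile|AppData|LocalAppData|Temp)%', re.I)

# Sample input: lines copied from the registry listing on this page.
SAMPLE_LISTING = r'''
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command "(Default)" = '"%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%UserProfile%\Local Settings\Application Data\.exe" /START "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "IsolatedCommand" = '"%1" %*'
HKEY_CLASSES_ROOT\exefile "Content Type" = 'application/x-msdownload'
'''

def parse_listing(text):
    """Return (key, value_name, data) tuples for each well-formed line."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            entries.append(match.groups())
    return entries

def find_hijacks(text):
    """Return (key, reason) for command values that redirect execution."""
    findings = []
    for key, _name, data in parse_listing(text):
        if not COMMAND_KEY_RE.search(key):
            continue  # not a command handler (e.g. Content Type)
        if EXE_HANDLER_RE.search(key) and data != BENIGN_HANDLER:
            findings.append((key, "exe handler replaced"))
        elif USER_WRITABLE_RE.match(data):
            findings.append((key, "launcher in user-writable path"))
    return findings

if __name__ == "__main__":
    for key, reason in find_hijacks(SAMPLE_LISTING):
        print(f"{reason}: {key}")
```

The same comparison applies to values exported from a live system: any `.exe` or `exefile` open/runas command other than `"%1" %*` needs to be restored after the rogue program is removed.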