Description:
Win32/Lioten is a family of worms that spread via network shares. Early variants spread via network shares only and had no payload, but modern variants can also spread by exploiting Windows vulnerabilities and act as IRC-controlled backdoors. Lioten worms are often found packaged with variants of the Win32.Ranck trojan.
This particular variant of Lioten is distributed as a 37,888 byte Win32 executable that exhibits the following specific characteristics:
When executed, this variant copies itself to the %System% directory as YIKYLOHI.EXE and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azixegoira = "yikylohi.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\azixegoira = "yikylohi.exe"
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\azixegoira = "yikylohi.exe"
Note: '%System%' is a variable location. The malware determines the location of the current system directory by querying the operating system. The default installation location for the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for Windows 95, 98 and ME; and C:\Windows\System32 for Windows XP.
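A defender-side check for the persistence mechanism described above, added here as an example and not part of the original encyclopedia entry. It assumes only what the description states: the value name azixegoira under the three listed autorun keys, the dropped file name yikylohi.exe, and the %System% directory resolved by asking the operating system. It reports findings and removes nothing.

```powershell
# Added example: audit the autorun keys and system directory that this
# Lioten variant is documented to use. Read-only; it reports, never removes.

$valueName = 'azixegoira'   # registry value name from the description
$fileName  = 'yikylohi.exe' # dropped file name from the description

# Registry locations taken from the description above. RunServices only exists
# on Windows 9x/ME, so it is normally absent on NT-based systems and is skipped.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    # Look for the specific value name; its data should be "yikylohi.exe" if present.
    $value = $props.PSObject.Properties[$valueName]
    if ($null -ne $value) {
        $findings += [pscustomobject]@{
            Type  = 'Registry'
            Where = "$key\$valueName"
            Data  = $value.Value
        }
    }
}

# Resolve %System% the same way the description says the malware does:
# by querying the operating system for the system directory.
$systemDir = [Environment]::SystemDirectory
$dropped   = Join-Path -Path $systemDir -ChildPath $fileName
if (Test-Path -Path $dropped -PathType Leaf) {
    $item = Get-Item -Path $dropped
    $findings += [pscustomobject]@{
        Type  = 'File'
        Where = $dropped
        Data  = "$($item.Length) bytes"   # the description gives 37,888 bytes for this variant
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Lioten indicators found in the autorun keys or in $systemDir."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM keys and the system directory are readable; a file size other than 37,888 bytes does not rule out a different variant, so treat any hit on the value name or file name as worth a full scan.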
For more detailed information regarding the functionality of the Win32.Lioten family, please visit the Win32.Lioten description elsewhere in our encyclopedia.