Lara
Type: Email worm
Creator: ZeMacroKiller98
Date Discovered: 2000.11.27
Place of Origin: France
Source Language: C++
Platform: MS Windows
File Type(s): .exe
Infection Length: 52,737 bytes

Lara is a worm published in 29A magazine by ZeMacroKiller98 in France in late 2000. It plays on the popularity of the "Tomb Raider" video games and their attractive female protagonist, popular at the time of the worm's release. It can be very destructive, deleting .exe files in the Windows folder, but in the end it caused little damage to any actual computer outside of a lab.

Behavior

Lara arrives in an email with a subject line of "Lara Wallpaper Download Software". The message body is:

  Hi [name of addressee]

  I found on the net a new interesting software about Lara Croft.
  I send you because it's very cooooooool!!!
  Try it and say me your opinion about it

  See you soon and enjoy to have it

[Image: first message displayed by Lara]

The attachment will be named either "Laracr ~ 1.EXE" or "LaraCroft.exe". When the attachment is run, it displays a message, and then another after the user clicks the "OK" button.

Laracroft checks for the existence of the registry key HKLM\Software\LaraCroft\Install, and if it finds it, does not go any further. If it does not find the key, it creates it and continues. The worm creates a copy of itself on the Desktop as "Laracr ~ 1.EXE" or "LaraCroft.exe". It adds its location as a value under the local machine RunServices registry key so that it starts when the machine restarts.

Lara overwrites all .exe files in the Windows folder with a copy of itself. On December 25, it is supposed to display the message (it is in the source code, but in our tests fails to work):

[Image: Lara's second message]

  Merry christmas by Lara Croft!!!!!!
  Hey, your PC is infected by new virus: Win32.LaraCroft

  Joyeux Noel de la part de Lara Croft!!!!!!
  Ton PC est infecté par Win32.LaraCroft fabriqué par ZeMacroKiller98
  Lara Croft like you, don't you
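
The indicators described in this section (the marker key, the RunServices entry pointing at the dropped copy, and .exe files matching the 52,737-byte infection length) can be checked offline against a registry export and a file-size listing. The following is an added example, not code from the worm or from this page's sources; the full RunServices path, the "Laracr~1.exe" spelling, the value names and all sample data are assumptions constructed for illustration.

```python
# Added example: indicators come from the description above; sample data is constructed.
MARKER_KEY = r"HKEY_LOCAL_MACHINE\Software\LaraCroft\Install"
# Assumed full path of the "local machine RunServices" key (standard Windows 9x location).
RUNSERVICES = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
DROP_NAMES = {"laracroft.exe", "laracr ~ 1.exe", "laracr~1.exe"}  # last form: assumed 8.3 spelling
INFECTION_LENGTH = 52737  # bytes

def parse_reg(text):
    """Parse REGEDIT4-style export text into {lowercased key: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = data.strip('"').replace("\\\\", "\\")
    return keys

def triage(reg_text, exe_sizes):
    """Return the Lara indicators found in a registry export and a file-size listing."""
    keys = parse_reg(reg_text)
    parent, _, leaf = MARKER_KEY.lower().rpartition("\\")
    # The marker may be exported as a key or as a value named Install under ...\LaraCroft.
    marker = MARKER_KEY.lower() in keys or any(
        n.lower() == leaf for n in keys.get(parent, {}))
    autorun = [(n, d) for n, d in keys.get(RUNSERVICES.lower(), {}).items()
               if d.lower().rsplit("\\", 1)[-1] in DROP_NAMES]
    # Same-size .exe files are only a lead: confirm by comparing contents or hashes.
    overwritten = sorted(f for f, size in exe_sizes.items()
                         if f.lower().endswith(".exe") and size == INFECTION_LENGTH)
    return {"marker": marker, "autorun": autorun, "overwritten": overwritten}

# Constructed sample input (not taken from a real machine).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\LaraCroft\Install]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"ExampleValue"="C:\\WINDOWS\\Desktop\\LaraCroft.exe"
"OtherService"="C:\\WINDOWS\\SYSTEM\\other.exe"
'''
SAMPLE_SIZES = {"NOTEPAD.EXE": 52737, "CALC.EXE": 52737, "WIN.COM": 52737, "README.TXT": 1024}

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_SIZES))
```

Because the worm stops when the marker key already exists, the marker alone does not show whether the overwrite routine ran; the file-size list is what indicates damage.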

Name and Origin

Laracroft was named after a video game character popular around that time (games with Lara Croft are still produced along with a third movie supposedly in the works). It was coded by French virus coder ZeMacroKiller98, who published it in 29A.

Sources

LARACROFT.CPP

VSAntivirus, W32/Lara.worm. 2000.11.27

Trend Micro Antivirus, PE_LARA.A.
