|Place of Origin||France|
|Infection length||52,737 bytes|
Lara is a worm published in 29A magazine by ZeMacroKiller98 in France in late 2000. It plays on the popularity of the "Tomb Raider" video games and its attractive female protagonist, popular at the time of the worm's release. It can be very destructive, deleting .exe files in the windows folder, but in the end caused little damage to any actual computer outside of a lab.
Lara arrives in an email with a subject line of "Lara Wallpaper Download Software". The message body is:
Hi [name of addressee] I found on the net a new interesting software about Lara Croft. I send you because it's very cooooooool!!! Try it and say me your opinion about it See you soon and enjoy to have it
The attachment will either be named "Laracr ~ 1.EXE" or "LaraCroft.exe". When the attachment is run it displays a message, and another after the user clicks the "OK" button.
Laracroft checks for the existence of the registry key HKLM\Software\LaraCroft\Install, and if it finds it, does not go any further. If it does not find the key, it creates it and continues. The worm creates a copy of itself in the Desktop as "Laracr ~ 1.EXE" or "LaraCroft.exe". It adds its location as a value local machine RunServices registry key so it starts when the machine restarts.
Lara overwrites all .exe files in the windows folder with a copy of itself. On December 25, it is supposed to display the message (it is in the source code, but in our tests fails to work):
Merry christmas by Lara Croft!!!!!! Hey, your PC is infected by new virus: Win32.LaraCroft Joyeux Noel de la part de Lara Croft!!!!!! Ton PC est infecté par Win32.LaraCroft fabriqué par ZeMacroKiller98 Lara Croft like you, don't you
Name and OriginEdit
Laracroft was named after a video game character popular around that time (games with Lara Croft are still produced along with a third movie supposedly in the works). It was coded by French virus coder ZeMacroKiller98, who published it in 29A.
VSAntivirus, W32/Lara.worm. 2000.11.27
Trend Micro Antivirus, PE_LARA.A.