Win32/Calil.A is a worm that spreads as a file attached to e-mail messages. It is written in Visual Basic and packed with the Petite compressor. Its length of 12208 bytes increases to 40960 bytes after being unpacked.
The e-mail message in which Win32/Calil.A arrives has the subject "FW:FW: LILAC project video attach" and its body contains the text "Things that the govt. dont want you to know". The name of the attached file is always LILAC_WHAT_A_WONDERFULNAME.avi.exe.
After the attached file is run, a window with a fake error message is displayed.
Then the worm tries to copy itself into a temporary directory of the Windows operating system. The worm does not detect the directory; it tries the following pre-defined directories instead:
c:\windows\temp
c:\win98\temp
c:\win95\temp
c:\winnt\temp
c:\winme\temp
c:\winxp\temp
The worm ensures that it will be activated after the operating system restarts by creating the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Lilac.
After that it uses Microsoft Outlook to send e-mail messages containing a copy of itself to the addresses found in the Windows Address Book. At the end of its activity the worm alters the values of some keys in the system registry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner is set to the value xEnOcrAtEs
HKEY_LOCAL_MACHINE\Software\Microsoft\Window\CurrentVersion\WinLogon\LegalNoticeCaption is set to the value Owned by:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WinLogon\LegalNoticeText is set to the value Owned by: xEnOcrAtEs
The text "Your PC is infected with LILAC virus by: xEnOcrAtEs" is visible in the worm body.