VBS.Kagra.A@mm

HIGH
HIGH
7775 bytes
(N/A)

Symptoms

- It spreads through Outlook to all contacts in the address book, as an email with the attachment "JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs" and the subject "Jenna Jameson pornostar free superfuck+photo addresses";
- It writes in the registry the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Wupdate" in order to launch kernel32.vbs (a virus copy) at the system restart;
- It copies itself as kernel32.vbs in the %windows% folder (C:\Windows or C:\Winnt).

Removal instructions:

If you don't have BitDefender installed click here to download an evaluation version.

1. Make sure that you have the latest updates using BitDefender Live!;

2. Make the following changes in the windows registry:

Please make sure to modify only the values that are specified. It is also recommended to
backup the Windows Registry before proceeding with these changes.


a) Select Run... from the Start menu, then type regedit and press Enter;
b) Delete the following keys:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WUpdate"
and
"HKEY_LOCAL_MACHINE\SOFTWARE\Wupdate".

3. Perform a full scan of your system (selecting, from the Action tab, the option "Prompt user for action"). Choose to delete all the files infected with VBS.Kagra.A@mm.

Analyzed By

Mihaela Stoian BitDefender Virus Researcher

Technical Description:

It opens a text file named "JENNA-JAMESON-FREE-SUPERFUCK.txt" with "Notepad.exe". The file content is:



"Here are some VERY interesting addresses
for SEX--SEX-SEX:

www.megap*ssy.com
www.f*ck.com
www.tits.com
www.porn.com
www.superf*ck.com
www.megati*s.com
ALSO IN WWW.NTUA.COM U CAN DOWNLAOD:JENNA JAMESON SUPERF*CK,

BILL GATES SMASHING HIS PC
IN ANGER,PAMELA ANDERSON+TOMY LEE
EXTRAF*CK VIDEO IN THE BOAT AND IN THE HOUSE,DEAD MAN BEING
F*CKED BY A WOMAN,THE WOMAN WITH A D*CK,THE LARGEST D*CK IN AFRICA,
A TIGER EATING HER KIDS,A DOG IS F*CKING MY AUNT,MATRIX 2:A SAMPLE
JULIA ROBERT'S BL*WJOB,AND THE SPECIAL THEME FROM:
THE MOST TERRIBLE D*CKHOLE IN EAST,KAJAYAMI
Please,pass this message to everyone u know,and enjoy!"


On May 12th, it opens an information message box with the text "Your PC has been hacked by KaGra[ATZI virus ver 2.1]" and the title "From the KaGra".

On May 13th, it deletes the Windows folder (C:\Windows or C:\Winnt).


It copies itself as "kernel32.vbs" and "JENNA-JAMESON-FREE-SUPERF*CK.TXT.vbs" in the %windows% folder (C:\Windows or C:\Winnt), as "ALEXIA.TXT.vbs" in the %system% folder (C:\Windows\system or C:\Winnt\system32), and as "Natasa.TXT.vbs" in the temporary folder (C:\Windows\system\temp or C:\Winnt\system32\temp).

It also copies itself on the floppy disk as "KISSme.TXT.vbs", "PUSSY.TXT.vbs", "FUCK.TXT.vbs", "2TITS.TXT.vbs", "myDICK.TXT.vbs", "PORN.TXT.vbs", "UFOxxx.TXT.vbs", "ALIENS.TXT.vbs", "theBAR.TXT.vbs" or "DrDICK.TXT.vbs".

If the virus location is the floppy disk, it copies itself as "C:\x-FUCK.TXT.vbs".

It writes in the registry the key "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Wupdate" in order to launch "kernel32.vbs" (a virus copy) at the system restart.

It writes in the registry the key "HKEY_LOCAL_MACHINE\SOFTWARE\Wupdate" in order to count the infections: it spreads through Outlook only 5 times.

It spreads through Outlook to all contacts in the address book, as an email with the attachment "JENNA-JAMESON-FREE-SUPERFUCK.TXT.vbs", the subject "Jenna Jameson pornostar free superfuck+photo addresses" and the body "Do you wanna see super pornostar,Jenna Jameson,in a special superf*ck?Double click on the attachment of this mail,and get also some interesting sex-sex-sex addreses...".
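A mail-side check for the message described above, as an added example that is not part of the original Bitdefender write-up. It matches the subject and attachment name given on this page and generalizes to any attachment named like "NAME.TXT.vbs", which shows as "NAME.TXT" when Windows hides known extensions; the extension lists, function names and sample messages are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Script extensions run by Windows Script Host (generalization; the page only shows .vbs).
SCRIPT_EXTS = {"vbs", "vbe", "js", "jse", "wsf", "wsh"}
# Harmless-looking decoy extensions (assumed list; the page only shows .TXT).
DECOY_EXTS = {"txt", "jpg", "gif", "doc", "pdf", "mp3"}
# Indicators taken from the description above, lower-cased for comparison.
KAGRA_ATTACHMENT = "jenna-jameson-free-superfuck.txt.vbs"
KAGRA_SUBJECT = "jenna jameson pornostar free superfuck+photo addresses"


def is_double_extension_script(filename):
    """True for names like NAME.TXT.vbs: a decoy extension followed by a script one."""
    parts = filename.lower().strip().rstrip(".").split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXTS and parts[-2] in DECOY_EXTS


def scan_message(raw):
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Collapse folding and repeated whitespace before comparing the subject.
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    if subject == KAGRA_SUBJECT:
        findings.append("subject:kagra")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == KAGRA_ATTACHMENT:
            findings.append("attachment:kagra")
        elif is_double_extension_script(name):
            findings.append("attachment:double-extension:" + name)
    return findings


def build_sample(subject, filename):
    """Constructed test message with an inert placeholder attachment."""
    m = EmailMessage()
    m["Subject"] = subject
    m.set_content("constructed sample body")
    m.add_attachment(b"' inert placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    print(scan_message(build_sample("Quarterly report", "report.pdf.js")))
```
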