Symptoms
File KASPERSKY.EXE in Windows directory (%WINDIR%)
Registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
with the value:
KasperskyAV = %WINDIR%\KASPERSKY.EXE
Removal instructions:
Let BitDefender delete all files found infected by this worm.
Analyzed By
Mihai NEAGU BitDefender Virus Researcher
Technical Description:
The mass-mailing worm arrives by e-mail with an attachment whose file name is formed by combining one of the following words:
- my, priv, private, prv, the, best, super, great, cool, wild, sex, f*ck
with one of the following words:
- pic, img, phot, photos, pctrs, images, imgs, scene, plp, act, action
and one of the following extensions:
- .pif
- .scr
- .exe
- .jpg.scr
- .jpg.pif
- .jpg.exe
- .gif.exe
- .gif.pif
- .gif.scr
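As an added example (not code from the BitDefender description), here is a Python check that a mail gateway could apply to attachment names built from the two word lists and the extensions above. The joining rule (direct concatenation or a single "_" or "-" separator) is an assumption, since the description does not state how the words are combined.

```python
import re

# Word lists and extensions as given in the description. The joining rule
# (direct concatenation or a single "_"/"-" separator) is an assumption.
FIRST_WORDS = ["my", "priv", "private", "prv", "the", "best", "super",
               "great", "cool", "wild", "sex", "f*ck"]
SECOND_WORDS = ["pic", "img", "phot", "photos", "pctrs", "images", "imgs",
                "scene", "plp", "act", "action"]
EXTENSIONS = [".pif", ".scr", ".exe", ".jpg.scr", ".jpg.pif", ".jpg.exe",
              ".gif.exe", ".gif.pif", ".gif.scr"]


def _alternation(words):
    # Longest first so "private" is tried before "priv"; re.escape handles "*" and ".".
    return "|".join(re.escape(w) for w in sorted(words, key=len, reverse=True))


ATTACHMENT_RE = re.compile(
    r"^(?:%s)[_\-]?(?:%s)(?:%s)$" % (
        _alternation(FIRST_WORDS),
        _alternation(SECOND_WORDS),
        _alternation(EXTENSIONS),
    ),
    re.IGNORECASE,
)


def is_suspicious_attachment(name: str) -> bool:
    """True if the attachment file name matches the worm's naming scheme."""
    return ATTACHMENT_RE.match(name.strip()) is not None


def filter_attachments(names):
    """Split attachment names into (flagged, clean) lists, preserving order."""
    flagged = [n for n in names if is_suspicious_attachment(n)]
    clean = [n for n in names if not is_suspicious_attachment(n)]
    return flagged, clean


# Constructed sample attachment names, as a gateway might see them.
SAMPLE = ["myphotos.jpg.scr", "super_images.pif", "wild-pic.exe",
          "report.pdf", "photos.jpg", "private.exe", "pic.scr"]

if __name__ == "__main__":
    flagged, clean = filter_attachments(SAMPLE)
    print("flagged:", flagged)
    print("clean:", clean)
```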
It copies itself to:
- %WINDIR%\KASPERSKY.EXE
- %WINDIR%\EE98AF.TMP
and creates the registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run with the value:
KasperskyAV = %WINDIR%\KASPERSKY.EXE
and
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer with the value:
Explorer3 = 0
It spreads by sending mail using its own SMTP (mail-sending) engine, scanning the hard disk for e-mail addresses, which are saved to the following file:
%WINDIR%\OUTLOOK.CFG
It also attempts to attack the following websites:
- spews.org
- darkprofits.net
- darkprofits.cc
- darkprofits.com
The worm contains a text that is never displayed:
*** GLOBAL WARNING: if any free email company or hosting company will close/filter my email/site accounts, it will be DDoS'ed in next version. WARNING: centrum.cz will be DDoS'ed in next versions, coz they have closed my mimail-email account. Who next? ***