W32/Kik-A is a worm and IRC backdoor Trojan for the Windows platform.
W32/Kik-A spreads via email.
W32/Kik-A runs continuously in the background as a backdoor server, allowing a remote intruder to gain access to and control over the computer via commands issued in IRC channels.
W32/Kik-A includes functionality to:
- steal confidential information
- silently download, install and run new software, including updates of its software
- send notification messages to remote locations
- inject its code into other processes
When first run, W32/Kik-A copies itself to the Windows system folder as printers.exe and drops a DLL to the Windows system folder with the filename notiffy.dll.
The file notiffy.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{B37243A4-BF51-4604-B648-237A759F7845}
HKCR\CLSID\{9ED561ED-FFB1-4008-9643-D225082C82E0}
HKCR\CLSID\{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}
HKCR\CLSID\{5ADE6B7F-BF6C-43DA-B29C-E3416FC6F919}
HKCR\CLSID\{0018E1CB-DC4C-49E3-B96E-E545D8C0DBE8}
The following registry value is created so that the shell loads the COM object implemented by notiffy.dll at logon (Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad when it starts, so the DLL's code runs inside explorer.exe without a separate process or Run key):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
printers = {61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}
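The persistence chain above (COM registration of notiffy.dll, then a ShellServiceObjectDelayLoad value naming one of its CLSIDs) can be checked offline against a registry export. The following Python script is an added example, not part of the original description and not a vendor tool: it parses a .reg export, lists every ShellServiceObjectDelayLoad entry together with the DLL its CLSID resolves to, and flags the CLSIDs and file names listed above. The embedded sample export is constructed; the InProcServer32 path C:\WINDOWS\system32\notiffy.dll is an assumption (the description only says the Windows system folder), and the Network.ConnectionTray entry stands in for a legitimate shell service object.

```python
"""Offline triage of a Windows registry export (.reg text) for the
W32/Kik-A persistence artefacts: the five COM CLSIDs, the
ShellServiceObjectDelayLoad (SSODL) value and the dropped file names.
Added example; not code from the original description."""
import re
import sys

# Indicators taken from the description above.
KIK_A_CLSIDS = {
    "{B37243A4-BF51-4604-B648-237A759F7845}",
    "{9ED561ED-FFB1-4008-9643-D225082C82E0}",
    "{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}",
    "{5ADE6B7F-BF6C-43DA-B29C-E3416FC6F919}",
    "{0018E1CB-DC4C-49E3-B96E-E545D8C0DBE8}",
}
KIK_A_FILES = {"printers.exe", "notiffy.dll"}
# .reg exports spell hives out in full (HKLM -> HKEY_LOCAL_MACHINE).
SSODL_KEY = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows"
             "\\CurrentVersion\\ShellServiceObjectDelayLoad").upper()
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})")


def parse_reg(text):
    """Parse .reg text into {KEY: {value_name: data}}.

    Key paths are upper-cased so lookups are case-insensitive, as the
    registry itself is. Only string values are handled ("name"="data",
    @ for the default value); .reg backslash escaping is undone."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"').replace("\\\\", "\\")
    return keys


def ssodl_entries(keys):
    """Every SSODL value as (value_name, CLSID, DLL path or None).

    Explorer instantiates each listed CLSID at logon, so the DLL named in
    that CLSID's InProcServer32 ends up loaded inside explorer.exe."""
    out = []
    for name, clsid in keys.get(SSODL_KEY, {}).items():
        clsid = clsid.upper()
        server_key = ("HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InProcServer32").upper()
        out.append((name, clsid, keys.get(server_key, {}).get("")))
    return out


def find_kik_a(text):
    """Match the export against the Kik-A indicators.

    Returns {"clsids": [registered Kik-A CLSIDs], "ssodl": [SSODL entries
    that point at a Kik-A CLSID or at one of the dropped file names]}."""
    keys = parse_reg(text)
    clsids = set()
    for key in keys:
        m = CLSID_RE.search(key)
        if m and m.group(1) in KIK_A_CLSIDS:
            clsids.add(m.group(1))
    ssodl = []
    for name, clsid, dll in ssodl_entries(keys):
        dll_name = dll.rsplit("\\", 1)[-1].lower() if dll else ""
        if clsid in KIK_A_CLSIDS or dll_name in KIK_A_FILES:
            ssodl.append((name, clsid, dll))
    return {"clsids": sorted(clsids), "ssodl": ssodl}


# Constructed sample export (not a real capture). The InProcServer32 path
# is an assumption; Network.ConnectionTray stands in for a legitimate entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}]
@="printers"

[HKEY_CLASSES_ROOT\CLSID\{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}\InProcServer32]
@="C:\\WINDOWS\\system32\\notiffy.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{7007ACC7-3202-11D1-AAD2-00805FC1270E}\InProcServer32]
@="C:\\WINDOWS\\system32\\netshell.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"printers"="{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}"
"Network.ConnectionTray"="{7007ACC7-3202-11D1-AAD2-00805FC1270E}"
"""

if __name__ == "__main__":
    # reg.exe writes exports as UTF-16; fall back to the built-in sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for name, clsid, dll in ssodl_entries(parse_reg(text)):
        print(f"SSODL {name}: {clsid} -> {dll or '<no InProcServer32>'}")
    print("Kik-A indicators:", find_kik_a(text))
```

On a suspect machine, `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad ssodl.reg` and `reg export HKCR\CLSID clsid.reg` produce the input (concatenate them, or run the script on each). Listing every SSODL entry with its resolved DLL, rather than only matching the known CLSIDs, is the part worth keeping: a variant that re-registers under fresh GUIDs still has to put a DLL path in InProcServer32, and an entry whose DLL sits outside the expected shell components is the thing to look at.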