W32/Dulkis-A is a worm for the Windows platform.
W32/Dulkis-A includes functionality to run automatically.
When W32/Dulkis-A is installed, it creates the file <User>\<randomname>.exe.
The following registry entry is created to run <randomname>.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<randomname>
<User>\<randomname>.exe
The following registry entry is set:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0x00000000
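As an added example (not part of the original description or any vendor tooling), the following Python check scans a text registry export (.reg format) for the two entries described above. It assumes that "<User>" means the root of the user's profile directory; the sample export, the value name "qwzrtk" and the user "alice" are constructed for illustration.

```python
import re

BASE = r"hkey_current_user\software\microsoft\windows\currentversion"
RUN_KEY = BASE + r"\run"
ADV_KEY = BASE + r"\explorer\advanced"
# Assumption: "<User>" on the page is the profile root, so match an .exe placed directly in it.
PROFILE_ROOT_EXE = re.compile(
    r'^"?[a-z]:\\(users|documents and settings)\\[^\\]+\\[^\\"]+\.exe"?(\s.*)?$', re.I)

def parse_reg(text):
    """Yield (key, value_name, data) for string and dword values in .reg export text."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if key is None or not m:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            yield key, name, int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            yield key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])  # undo .reg escaping

def triage(text):
    """Return findings that match the persistence and Explorer settings described above."""
    findings = []
    for key, name, data in parse_reg(text):
        # ShowSuperHidden=0 hides protected OS files; common on its own, so corroborating only.
        if key == RUN_KEY and isinstance(data, str) and PROFILE_ROOT_EXE.match(data):
            findings.append(("run-exe-in-profile-root", name, data))
        elif key == ADV_KEY and name.lower() == "showsuperhidden" and data == 0:
            findings.append(("showsuperhidden-0", name, data))
    return findings

# Constructed sample export: one benign Run entry, one matching the described pattern.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Program Files\\Vendor\\updater.exe\" /background"
"qwzrtk"="C:\\Users\\alice\\qwzrtk.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
'''

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A Run entry flagged here is a lead for investigation, not a verdict; the file it points to still needs to be scanned.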
W32/Dulkis-A copies itself to any attached removable storage devices.
W32/Dulkis-A copies the files 9.tmp, xxx.dll and <randomname>.tmp to any attached removable storage devices. 9.tmp is detected as Mal/TDSSPack-Z. <randomname>.tmp is detected as Troj/Nebule-Gen. xxx.dll is detected as W32/Dulkis-A.
W32/Dulkis-A creates exploited link (.lnk) files on any attached removable storage devices. The exploited link files point to the file xxx.dll. The exploited link files are detected as Exp/Cplink-A.
W32/Dulkis-A creates link files (.lnk) on any attached removable storage devices. The link files point to a copy of W32/Dulkis-A on the removable storage device.