W32/Kaikki-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Kaikki-A is a network worm for the Windows platform with IRC backdoor functionality.

W32/Kaikki-A attempts to spread to available network shares with the filename test.exe.

W32/Kaikki-A may also attempt to spread over the DC++ P2P network.

When W32/Kaikki-A is installed it attempts to drop some of the following clean files:

C:\infect.txt
<Current Folder>\mylist
<Current Folder>\mylist2
<Current Folder>\mylist3
<path to mIRC client>czm.mrc
<path to mIRC client>czn.mrc
<path to mIRC client>czb.mrc
<path to mIRC client>perform.ini
<System>\texty

W32/Kaikki-A attempts to set the following registry entry to run itself automatically on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchost
<path to worm>

W32/Kaikki-A attempts to terminate a number of processes, delete registry entries, and stop services related to security and anti-virus software.

W32/Kaikki-A attempts to change the access control lists (ACLs) for all files on the C, D and E drives, granting access to the users "everyone" and "kaikki".

W32/Kaikki-A attempts to modify the network user settings on the infected computer.

W32/Kaikki-A attempts to change the "telnet" Windows service to make it run automatically on startup.
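
The artifacts described above can be checked on a suspect host with a short read-only script. This is an added example, not code from the vendor; the mIRC install path, the reading of <System> as the System32 directory, the Telnet service name TlntSvr and the existence of a local account named "kaikki" are assumptions.

```powershell
# Added triage example, not vendor code. Read-only checks for the artifacts above.
param([string]$MircDir = 'C:\Program Files\mIRC')  # assumed mIRC location
$findings = New-Object System.Collections.Generic.List[string]

# Run key: the real svchost.exe is started by the Service Control Manager,
# so a Run value named "svchost" is suspicious regardless of where it points.
$run = Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'svchost')) {
    $findings.Add("Run value 'svchost' -> $($run.svchost)")
}

# Dropped marker files. <System> is assumed to mean the System32 directory.
# perform.ini is left out as too generic a name to flag on its own.
$paths = @('C:\infect.txt', (Join-Path ([Environment]::SystemDirectory) 'texty'))
$paths += @('czm.mrc', 'czn.mrc', 'czb.mrc' | ForEach-Object { Join-Path $MircDir $_ })
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropped file present: $p") }
}

# ACL change: look for an access entry naming "kaikki" on the drive roots.
foreach ($d in 'C:\', 'D:\', 'E:\') {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    $aces = (Get-Acl -LiteralPath $d).Access |
        Where-Object { $_.IdentityReference.Value -match '(^|\\)kaikki$' }
    if ($aces) { $findings.Add("ACL on $d names 'kaikki'") }
}

# The ACL grant names a user "kaikki"; check whether such a local account
# exists (assumption: the page does not say the account is created).
$user = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Name='kaikki'"
if ($user) { $findings.Add("Local account 'kaikki' exists") }

# Telnet service switched to automatic start (service name TlntSvr is assumed).
$svc = Get-CimInstance Win32_Service -Filter "Name='TlntSvr'"
if ($svc -and $svc.StartMode -eq 'Auto') { $findings.Add('Telnet service starts automatically') }

if ($findings.Count -gt 0) { $findings | ForEach-Object { "[!] $_" } }
else { 'No artifacts from this description were found.' }
```

Run it from an elevated PowerShell 3.0 or later session so the ACL and service queries are not blocked by permissions.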
