W32/Kangaroo-A is a worm for the Windows platform that usually has a Microsoft Word-related icon.
When first run, W32/Kangaroo-A copies itself to:
<Windows system folder>\winlog.dat
<Windows system folder>\winword.exe
The following registry entry is created to run winword.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSA = <Windows system folder>\winword.exe
The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
W32/Kangaroo-A repeatedly copies itself and sets these registry entries.
W32/Kangaroo-A monitors windows, looking for ones whose title bars contain text of the form (<drive letter>:), and attempts to copy itself to those drives with the filename kangen.exe.
W32/Kangaroo-A attempts to modify the Windows start button to display its own scrolling message. This is either the lyrics to a pop song in Indonesian or, on certain dates, a birthday message.
If run with the filename "kangen", W32/Kangaroo-A drops the file kangen.doc into the Windows system folder and opens it; this file is an HTML-formatted document containing the lyrics to a pop song in Indonesian.
Registry entries may be created under:
HKCU\Software\VB and VBA Program Settings\Pradana\setting\
W32/Kangaroo-A may set the following registry entries to prevent certain files from running on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LoadService = "Rest In Peace"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SymRun = ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ccApps = ""
W32/Kangaroo-A may attempt to rename the files systask.exe, ssEvtMgr.exe and ccApps.exe to garbageA, garbageB and xxx.MyOldBrother respectively.
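The artifacts listed above (dropped files, the OSA persistence entry, the clobbered Run entries, the regedit/taskmgr policy values, the Pradana settings key and the renamed files) can be checked for in one pass. The script below is an added example written for this page, not part of the original description or any vendor tool; it is read-only and assumes the renamed files sit somewhere under the system folder or Program Files, which the description does not state.

```powershell
# Added example: audit a host for the W32/Kangaroo-A artifacts described above.
# Read-only: it reports findings and changes nothing. Run from an elevated prompt.
$sys = [Environment]::GetFolderPath('System')   # <Windows system folder>, e.g. C:\Windows\System32
$findings = @()

# 1. Dropped files. Legitimate winword.exe lives under Program Files, never in the system folder.
foreach ($f in @("$sys\winlog.dat", "$sys\winword.exe", "$sys\kangen.doc")) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# 2. Run-key entries: OSA is the worm's persistence entry; LoadService, SymRun and ccApps
#    are the entries it overwrites with "Rest In Peace" or an empty string.
$run = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'OSA', 'LoadService', 'SymRun', 'ccApps') {
    $v = Get-ItemProperty -Path $run -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $v) {
        $data = [string]$v.$name
        if ($name -eq 'OSA' -or $data -eq 'Rest In Peace' -or $data -eq '') {
            $findings += "Run\$name = '$data'"
        }
    }
}

# 3. Policy values that disable regedit and Task Manager.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'DisableRegistryTools', 'DisableTaskMgr') {
    $v = Get-ItemProperty -Path $pol -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $v -and $v.$name -eq 1) { $findings += "$name = 1" }
}

# 4. The worm's own settings key.
$settings = 'HKCU:\Software\VB and VBA Program Settings\Pradana\setting'
if (Test-Path -LiteralPath $settings) { $findings += "key present: $settings" }

# 5. Renamed security-product files. Search locations are an assumption; the description
#    gives the new names but not their directory.
foreach ($f in 'garbageA', 'garbageB', 'xxx.MyOldBrother') {
    $hit = Get-ChildItem -Path $sys, $env:ProgramFiles -Recurse -Filter $f -File `
               -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($hit) { $findings += "renamed file: $($hit.FullName)" }
}

if ($findings.Count -eq 0) { 'No W32/Kangaroo-A artifacts found.' }
else { $findings | ForEach-Object { "POSSIBLE INFECTION: $_" } }
```

DisableRegistryTools and DisableTaskMgr can also be set to 1 by legitimate Group Policy, so treat item 3 as corroborating evidence rather than proof on its own.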