W32/Kipis-A

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Kipis-A is a mass-mailing worm with backdoor functionality.

The worm sends itself to email addresses found in the Windows address book.

W32/Kipis-A will not send emails to addresses containing any of the following strings:
avp
icrosoft
msn.
panda
.mil
.txt
software.
hotmail
borlan
nodomai
.gov
.zip
.hlp
strike.
iruslis
foo.
gov.
mydomai
nai.c
google
fido
secur
syman
sopho
pgp
sendmail
mozilla
anyone
ripe.
rfc-
admin
support
antivir
newvir
listserv
accoun
delphiworld
podpiska
guninski
neohapsis
unix
linux
mailer
bitdef
postmaster
webmaster
privacy
msoe
latincards
bugtraq
service
contact
bugs
help
www.
notice
moco2k
register
soft
page
the.bat
rating
abuse
bigbrother
where
spm111
webmaney
site
info
news
confirm

Emails sent by the worm will have the following characteristics:

Subject line: one of -
Happy New Year
I Love You
Love

Message body: one of -
Server cannot send message
Hello! baby :)
--
3
4
localhost
<domain>

(where <domain> is the infected machine's domain name).

Attachment name: one of -
myfoto_04.scr
foto_03.scr
your present.scr

W32/Kipis-A copies itself to %Windows%\regedit.com and
%Windows%\security\svchost.exe.

The worm ensures that it is run at login time by creating the following registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
Shell
"Explorer.exe C:\WINDOWS\security\svchost.exe"

The first time it is run, the worm will create a damaged bitmap file named Jpg.bmp in the Windows system folder and open it with mspaint.exe.

W32/Kipis-A opens a backdoor on TCP port 1029. An attacker connecting to this port may use it to upload any file to winlogins.exe in the Windows system folder and execute it.
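A small triage helper for the persistence and backdoor indicators described above (the Winlogon Shell value, the dropped files under %Windows% and the TCP 1029 listener), added here as an example and not part of the original Sophos analysis; the netstat lines are constructed, and the helper assumes the file names, registry value and port exactly as this page lists them.

```python
import ntpath
import os
import re

# Indicators taken from the advisory text above.
KIPIS_SHELL_VALUE = r"Explorer.exe C:\WINDOWS\security\svchost.exe"
KIPIS_DROPPED_FILES = (r"regedit.com", r"security\svchost.exe")  # relative to %Windows%
KIPIS_BACKDOOR_PORT = 1029

# Winlogon launches every entry of the Shell value at logon; entries may be separated
# by commas or spaces, and a quoted path may itself contain spaces.
_SHELL_ENTRY = re.compile(r'"[^"]+"|[^\s,]+')


def extra_shell_entries(shell_value):
    """Return every program named in a Winlogon Shell value other than explorer.exe."""
    entries = _SHELL_ENTRY.findall(shell_value)
    return [e for e in entries if ntpath.basename(e.strip('"')).lower() != "explorer.exe"]


def kipis_drop_paths(windir):
    """Full paths of the files the worm drops, for the given %Windows% directory."""
    return [ntpath.join(windir, rel) for rel in KIPIS_DROPPED_FILES]


def listeners_on_port(netstat_lines, port=KIPIS_BACKDOOR_PORT):
    """Pick out LISTENING TCP sockets on `port` from `netstat -ano` style output lines."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            if parts[1].rsplit(":", 1)[-1] == str(port):
                hits.append(line.strip())
    return hits


def read_live_shell_value():
    """Read the real Winlogon Shell value on a Windows host; returns None elsewhere."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon") as key:
        return winreg.QueryValueEx(key, "Shell")[0]


if __name__ == "__main__":
    # Constructed sample: two netstat lines as an infected host might show them.
    sample_netstat = [
        "  TCP    0.0.0.0:135      0.0.0.0:0    LISTENING    904",
        "  TCP    0.0.0.0:1029     0.0.0.0:0    LISTENING    1636",
    ]
    shell = read_live_shell_value() or KIPIS_SHELL_VALUE  # falls back to the sample value
    print("extra Shell entries:", extra_shell_entries(shell))
    print("files to check:", kipis_drop_paths(os.environ.get("WINDIR", r"C:\WINDOWS")))
    print("port 1029 listeners:", listeners_on_port(sample_netstat))
```

On a live Windows host the Shell value is read from the registry; any entry it reports beyond explorer.exe, or a listener on TCP 1029, warrants checking the two dropped paths.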

The worm attempts to avoid detection by terminating processes matching any of the following strings:
regmon.
filemon.
avmon
rfw.
skynet
svchosl.
dec25.
duba
nav
mcafee
kav
gate
symantec
winit.
rising
outpost
zonealarm
update
upgrade
systra.e
blackice
kerio
taumon
safe
___synmgr.
suchost.
nprotect
bscanx
maniac.
sphinx.
___r.
guard.
ewall
bupw.
frw.
