W32/Kipis-H is a mass-mailing worm with some backdoor functionality.
When first run, the worm copies itself to the Windows folder as regedit.com, to the Windows system folder as netstat.com and to the Windows system\1035 folder as svchost.exe.
On Win9x systems the worm modifies the system.ini file, adding the following entry to the [boot] section:
Shell=Explorer.exe C:\Windows\System\1035\svchost.exe
On Windows NT and later systems the worm changes the following registry entry from:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe
to:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %SYSTEM%\1035\svchost.exe
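
The following check is an added example, not part of the original description or any vendor tool. It reads the Shell entry from a copy of system.ini or from saved `reg query` output for the Winlogon key and flags anything other than a bare Explorer.exe. The function names and sample inputs are constructed for illustration, and the expanded path C:\WINDOWS\system32 is an assumed stand-in for %SYSTEM%.

```python
import re

# Indicator from the description above: the worm's copy in the "1035" folder.
KIPIS_SUFFIX = "\\1035\\svchost.exe"

def system_ini_shell(text):
    """Return the Shell= value from the [boot] section of system.ini, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot" and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def reg_query_shell(text):
    """Return the Shell data from saved `reg query` output for the Winlogon key."""
    for line in text.splitlines():
        m = re.match(r"\s*Shell\s+REG_(?:EXPAND_)?SZ\s+(.*)$", line, re.IGNORECASE)
        if m:
            return m.group(1).strip()
    return None

def assess_shell(value):
    """Classify a Shell value as 'missing', 'ok', 'kipis-h-pattern' or 'modified'."""
    if value is None:
        return "missing"
    # Assumption: the baseline is a bare Explorer.exe, as in the "from" value above.
    normalized = value.strip().lower()
    if normalized == "explorer.exe":
        return "ok"
    if normalized.endswith(KIPIS_SUFFIX):
        return "kipis-h-pattern"
    return "modified"  # something else was appended to or replaced the shell

# Constructed sample inputs (not captured from a real host).
SAMPLE_INI = "[boot]\nShell=Explorer.exe C:\\Windows\\System\\1035\\svchost.exe\n"
SAMPLE_REG = (
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n"
    "    Shell    REG_SZ    Explorer.exe C:\\WINDOWS\\system32\\1035\\svchost.exe\n"
)
CLEAN_REG = "    Shell    REG_SZ    Explorer.exe\n"

if __name__ == "__main__":
    for name, value in [("system.ini", system_ini_shell(SAMPLE_INI)),
                        ("registry", reg_query_shell(SAMPLE_REG)),
                        ("clean registry", reg_query_shell(CLEAN_REG))]:
        print(f"{name}: {value!r} -> {assess_shell(value)}")
```

A "modified" result means the Shell value differs from the baseline without matching this worm's path, so it still warrants a manual look.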
W32/Kipis-H may also copy itself to folders with the word "share" in their name using one of the following filenames:
Teen sex(anal,oral).exe
XXX images.exe
Pamela Anderson xxx(anal).exe
Porno image(schoolgirls).exe
Deprivation virginity schoolgirl.exe
Sex,oral,anal,bdsm!.exe
Rape schoolgirl.scr
Virtual Girl 2.1.exe
Teen hardcore XXX.exe
Windows Longhorn screen.scr
The worm searches local drives for files with the following extensions and attempts to harvest email addresses from them:
PL SHT ASP HTML FPT INB MBX PMR PHP OFT PAB EML XLS UIN TBB DBX DOC HTM ADB TXT
Emails generated by the worm have the following characteristics:
Subject line chosen from:
hi
here
your love
Happy Valentine's day
Happy day
your
Present
Valentine's day
Message text chosen from:
love you! :),congratulate!
I congratulate on the coming Valentine's day!
My gift to you.
With the coming Valentine's day!
I very much love you.
Please see my flash present :)
Attachment name chosen from the following list, with an extension of EXE, SCR or ZIP:
Valentine
love
flash love
present
your present
My nude_04
nude
Joke
porno_03
porn
W32/Kipis-H will also attempt to terminate various anti-virus and security-related processes and open a backdoor on TCP port 1988.