W32/Kullan-A is a complex worm with backdoor functionality that targets
available network shared resources.
When executed, the worm copies itself to the Windows system folder with the
filename Services.exe and sets the following registry entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
or
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
and adds the full path to Services.exe to:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
Running as a background process, the worm uses the "net view" command to
find available computers and drops a copy of itself to the Start Menu folder
of an available computer, using the computer name as the filename.
As a backdoor, the worm provides access to confidential information such
as OS type, keystroke logs and email details.
The worm may also change the Win.ini and System.ini files to make sure it
will be executed at the next restart.
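
A read-only check of the autostart locations listed above, given as an added
example and not part of the original description. The helper name
Get-AutostartHit is hypothetical, and the script looks at both the load and
run values in both hives, which is slightly broader than the entries listed.

```powershell
# Added example: read-only triage of the autostart locations named in the description.
$Pattern = 'Services.exe'   # filename the worm uses, per the description

# Registry key -> value names to inspect ($null = every value under the key).
$Checks = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run';         Values = $null }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';         Values = $null }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Values = 'load', 'run' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Values = 'load', 'run' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Values = 'shell' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Values = 'shell' }
)

function Get-AutostartHit {   # hypothetical helper name
    param([object[]]$Checks, [string]$Pattern)
    $rx = [regex]::Escape($Pattern)          # match the filename literally
    foreach ($c in $Checks) {
        if (-not (Test-Path -LiteralPath $c.Key)) { continue }
        $key = Get-Item -LiteralPath $c.Key
        foreach ($name in $key.GetValueNames()) {
            # Skip values that are not on the watch list for this key.
            if ($c.Values -and $c.Values -notcontains $name) { continue }
            $data = [string]$key.GetValue($name)
            if ($data -match $rx) {          # -match is case-insensitive
                [pscustomobject]@{ Location = $c.Key; Name = $name; Data = $data }
            }
        }
    }
    # Win.ini / System.ini in the Windows folder: report any line naming the file.
    foreach ($ini in 'win.ini', 'system.ini') {
        $path = Join-Path $env:SystemRoot $ini
        if (Test-Path -LiteralPath $path) {
            Select-String -LiteralPath $path -Pattern $rx | ForEach-Object {
                [pscustomobject]@{ Location = $path; Name = "line $($_.LineNumber)"; Data = $_.Line.Trim() }
            }
        }
    }
}

Get-AutostartHit -Checks $Checks -Pattern $Pattern | Format-List
```

Windows has a legitimate system process with the same filename, but it is not
started from these autostart locations, so any hit here deserves a closer look.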