W32/Petik-K

Category: Viruses and Spyware
Protection available since: 02 Aug 2001 00:00:00 (GMT)
Type: Win32 worm
Last Updated: 02 Aug 2001 00:00:00 (GMT)
Prevalence: No Reports


W32/Petik-K is an email-aware worm which pretends to be connected to the popular French TV show "Loft Story" in an attempt to spread further.

The worm copies itself to the Windows directory as loft_story.exe and to the Windows System directory as loft.exe. It changes WIN.INI so that loft.exe runs automatically each time Windows starts. It then displays a message box with the title "Loft Story" and the body text "I'm fucking the Loft Story" before quitting.

When run from the Windows System directory, the worm creates the Registry key HKCU\Software\Microsoft\PetiK. It drops loft.htm (which Sophos Anti-Virus detects as Troj/Petik-K) into the Windows Startup directory, and waits for an Internet connection.

When the worm detects an Internet connection, it displays a message box with the title "Loft Story" and the text "Welcome to Internet !". It then searches for email addresses in *.htm* files in the Internet file cache subdirectory and attempts to send itself to those addresses as an email attachment. The email has the following characteristics:

Subject: "Loft Story News..."
Message body: "The last video of the <Loft story> program"
Attached file: loft_story.exe

On the 28th of any month the worm sets the following registry values:

HKCU\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.loftstory.fr"

HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization = "LoftStory"

HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner = "Aziz, Kenza, Loanna, etc..."

It then displays the message "New Worm Internet coded by PetiK (c)2001".

The HTML file dropped by W32/Petik-K is detected by Sophos Anti-Virus as Troj/Petik-K and contains a VBScript that modifies the following registry keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX 1.0 = "C: \ActiveX.vbs"

HKCU\Software\Microsoft\Internet Explorer\Download Directory = "C:\"

It will also change the Registry entry for the Internet Explorer start page, setting it to download a VBScript file from http://www.ctw.net.

Note: W32/Petik-K is sometimes confused with the Loft Story hoax.
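
The indicators described above can be checked against artefacts collected from a suspect machine; the following is an added example, not Sophos code. The function names, the input format and the sample data are assumptions made for illustration, as is the use of the load=/run= entries in the [windows] section of WIN.INI, which the description does not name.

```python
import ntpath

# Indicators taken from the description above.
FILES = {"loft_story.exe", "loft.exe", "loft.htm"}
REG_KEY = r"hkcu\software\microsoft\petik"
RUN_VALUE = r"hklm\software\microsoft\windows\currentversion\run\activex 1.0"

def winini_autostart(text):
    """Return the programs named in load=/run= of the [windows] section."""
    section, programs = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            if name.strip().lower() in ("load", "run"):
                # Assumption: entries are separated by spaces or commas.
                programs += value.replace(",", " ").split()
    return programs

def triage(winini_text, file_paths, registry_paths):
    """Return (kind, value) pairs for every indicator found in the inputs."""
    findings = []
    for prog in winini_autostart(winini_text):
        if ntpath.basename(prog).lower() == "loft.exe":
            findings.append(("win.ini autostart", prog))
    for path in file_paths:
        # Name match only; an analyst still has to confirm the file itself.
        if ntpath.basename(path).lower() in FILES:
            findings.append(("file", path))
    for path in registry_paths:
        p = path.lower()
        if p == REG_KEY or p.startswith(REG_KEY + "\\") or p == RUN_VALUE:
            findings.append(("registry", path))
    return findings

# Constructed sample artefacts (not captured from a real host).
SAMPLE_WININI = "[windows]\nload=\nrun=C:\\WINDOWS\\SYSTEM\\loft.exe\n[Desktop]\nWallpaper=(None)\n"
SAMPLE_FILES = [r"C:\WINDOWS\loft_story.exe", r"C:\WINDOWS\SYSTEM\loft.exe",
                r"C:\WINDOWS\NOTEPAD.EXE",
                r"C:\WINDOWS\Start Menu\Programs\StartUp\loft.htm"]
SAMPLE_REG = [r"HKCU\Software\Microsoft\PetiK",
              r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX 1.0",
              r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SystemTray"]

if __name__ == "__main__":
    for kind, value in triage(SAMPLE_WININI, SAMPLE_FILES, SAMPLE_REG):
        print(f"{kind}: {value}")
```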
