Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Protection available since | 20 February 2007 06:31:08 (GMT) |
| Last updated | 18 May 2007 17:11:09 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
VBS/Soad-D is a mass-mailing worm for the Windows platform.
VBS/Soad-D may attempt to send every email in the user's Outlook Inbox to a remote address, including the original email and its subject line with the word "KAT" prepended.
When installed, VBS/Soad-D may copy itself to the following filenames:
C:\WinNT.Dat
C:\Windows\System32\KAT.vbs
C:\Winnt\System32\KAT.vbs
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.vbs
C:\WINDOWS\Start Menu\Programs\Startup\Starup.vbs
C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\Startup.vbs
C:\KAT.vbs
C:\windows\system32\drivers\etc\KAT.vbs
C:\windows\system\KAT.vbs
C:\Documents and Settings\Administrator\Desktop\KAT.vbs
C:\My Downloads\KAT.vbs
C:\My Shared Folder\KAT.vbs
G:\KAT.vbs
H:\KAT.vbs
I:\KAT.vbs
J:\KAT.vbs
K:\KAT.vbs
L:\KAT.vbs
M:\KAT.vbs
N:\KAT.vbs
O:\KAT.vbs
P:\KAT.vbs
Q:\KAT.vbs
R:\KAT.vbs
S:\KAT.vbs
T:\KAT.vbs
U:\KAT.vbs
V:\KAT.vbs
W:\KAT.vbs
X:\KAT.vbs
Y:\KAT.vbs
Z:\KAT.vbs
The worm may also attempt to run the following commands:
Net User KAT KAT /add
Net localgroup administrators KAT /add
These commands create a new administrator user named KAT.
VBS/Soad-D may create the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOwner
[KAT EYES]
[KAT EYES]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
KAT
KAT.vbs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Systray
C:\WINDOWS\system\KAT.vbs
VBS/Soad-D may attempt to delete the following files:
C:\windows\notepad.exe
C:\windows\explorer.exe
If the current date is the 2nd, 13th, 15th, 19th, 20th or 24th, the worm may show the following message:
"Hello You Have The VBS/KAT Virus By [KAT EYES]"
and eject the CDROM.
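As an added example (not part of the Sophos description), the Python sketch below matches a collected host inventory against the files, Run values, commands and account named above. The inventory field names and the sample data are constructed assumptions, and the KAT.vbs pattern generalises the listed paths to any folder.

```python
import re

# Indicators from the description above. Windows paths compare case-insensitively.
FIXED_PATHS = {p.lower() for p in (
    r"C:\WinNT.Dat",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Startup.vbs",
    r"C:\WINDOWS\Start Menu\Programs\Startup\Starup.vbs",
    r"C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup\Startup.vbs",
)}
# Generalisation: KAT.vbs in any folder, which covers every listed copy (G:\ to Z:\ too).
KAT_COPY = re.compile(r"^[a-z]:\\(?:.*\\)?kat\.vbs$")
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
# Match name and data together so a benign "Systray" value is not flagged.
RUN_VALUES = {("kat", "kat.vbs"), ("systray", r"c:\windows\system\kat.vbs")}
NET_CMD = re.compile(r"^net(\.exe)? (user kat kat|localgroup administrators kat) /add$")

def triage(host):
    """Return (category, detail) findings for one collected host inventory."""
    findings = []
    for path in host.get("files", []):
        p = path.lower()
        if p in FIXED_PATHS or KAT_COPY.match(p):
            findings.append(("dropped_file", path))
    for key, name, data in host.get("run_values", []):
        k = key.lower().replace("hkey_local_machine", "hklm")
        if k == RUN_KEY and (name.lower(), data.lower()) in RUN_VALUES:
            findings.append(("run_value", f"{name}={data}"))
    for cmd in host.get("command_lines", []):
        if NET_CMD.match(" ".join(cmd.lower().split())):  # collapse whitespace
            findings.append(("account_command", cmd))
    if any(u.lower() == "kat" for u in host.get("local_admins", [])):
        findings.append(("admin_account", "KAT"))
    return findings

# Constructed sample inventory (not real telemetry); field names are assumptions.
SAMPLE_HOST = {
    "files": [r"c:\windows\system32\kat.vbs", r"H:\KAT.vbs", r"C:\Users\a\kat.vbs.txt",
              r"C:\WINDOWS\Start Menu\Programs\Startup\Starup.vbs"],
    "run_values": [
        (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Systray", "SysTray.Exe"),
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "KAT", "KAT.vbs"),
    ],
    "command_lines": ["net  localgroup administrators KAT /add", "net user"],
    "local_admins": ["Administrator", "KAT"],
}

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_HOST):
        print(f"{category}: {detail}")
```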

