Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 9 February 2006 18:40:23 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing infected executable files.
More Information
W32/Kamu-A is a link virus for the Windows platform.
When first run, W32/Kamu-A copies itself to:
<Windows system folder>\itz.exe
<Windows system folder>\msvcrt.ocx
and creates the file <Windows folder>\loadme.exe which is also detected as W32/Kamu-A.
The following registry entry is set or modified, so that msvcrt.ocx is run when files with extensions of EXE are opened/launched:
HKCR\exefile\shell\open\command
(default)
<Windows system folder>\msvcrt.ocx "%1" "%*"
In this way W32/Kamu-A will intercept any EXE files that the user launches. W32/Kamu-A will then replace the original file with a copy of itself that contains a compressed image of the original file. When this infected file is subsequently run, the image of the original is temporarily written to disk and executed, before being deleted, such that the user may not notice the infection.
The following registry entry is created to run itz.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
itZ
itz.exe
Registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1
Registry entries are created under:
HKCR\ocxfile\DefaultIcon\
HKCR\ocxfile\shell\open\command\
HKCR\scrfile\DefaultIcon\
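
The registry changes listed above can be checked offline against saved `reg query` output. The following is an added example, not a Sophos tool: the function names and the sample text are constructed for illustration, and `C:\Windows\System32` is assumed for `<Windows system folder>`.

```python
import re

# Constructed sample of `reg query` output from an affected host.
# C:\Windows\System32 stands in for <Windows system folder> (assumption).
SAMPLE = r'''
HKEY_CLASSES_ROOT\exefile\shell\open\command
    (Default)    REG_SZ    C:\Windows\System32\msvcrt.ocx "%1" "%*"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    itZ    REG_SZ    itz.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    Hidden    REG_DWORD    0x0
    HideFileExt    REG_DWORD    0x1
'''

EXE_KEY = r"hkey_classes_root\exefile\shell\open\command"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
ADV_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced"
CLEAN_EXE_HANDLER = '"%1" %*'  # stock Windows handler for launching EXE files

def parse_reg_query(text):
    """Map (key, value name), both lower-cased, to the value data."""
    values, key = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip().lower()
        elif key and line.startswith("    "):
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:  # name, type, data
                values[(key, parts[0].lower())] = parts[2].strip()
    return values

def find_kamu_indicators(text):
    """Return findings that match the registry changes listed in the write-up."""
    v, findings = parse_reg_query(text), []
    handler = v.get((EXE_KEY, "(default)"))
    if handler is not None and handler != CLEAN_EXE_HANDLER:
        findings.append("exefile open command is not the stock handler: " + handler)
    if v.get((RUN_KEY, "itz"), "").lower().endswith("itz.exe"):
        findings.append("Run value itZ launches itz.exe")
    dword = lambda name: int(v.get((ADV_KEY, name), "-1"), 16)
    if dword("hidden") == 0 and dword("hidefileext") == 1:
        findings.append("Explorer Hidden=0 and HideFileExt=1 (weak on its own)")
    return findings

if __name__ == "__main__":
    for finding in find_kamu_indicators(SAMPLE):
        print("[!]", finding)
```

The exefile handler check matters most for cleanup: while that value points at msvcrt.ocx, removing the file without restoring the handler leaves EXE files unable to launch.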
