high
Summary
Summary
Action- More Information
| Affected operating systems | Windows |
|---|---|
| Characteristics |
|
| Protection available since | 10 October 2005 10:10:42 (GMT) |
| Detected by | All Sophos products |
Sophos beta program
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
- Summary
- Action
- More Information
Please follow the instructions for removing worms.
Please contact technical support.
More Information
W32/Kangaroo-B is a worm for the Windows platform.
W32/Kangaroo-B monitors windows, looking for ones with title bars containing text in the format (<drive letter>:) and attempts to copy itself to these drives with the filename kangen.exe. W32/Kangaroo-B is a worm for the Windows platform.
When first run W32/Kangaroo-B copies itself to:
<System>\ccApps.exe
<System>\winlog
The following registry entry is created to run winword.exe on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ccApps
<System>\ccApps.exe
The following registry entries may be set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1
W32/Kangaroo-B repeatedly copies itself and sets these registry entries.
W32/Kangaroo-B monitors windows, looking for ones with title bars containing text in the format (<drive letter>:) and attempts to copy itself to these drives with the filename kangen.exe.
If opened with a filename of "kangen", W32/Kangaroo-B will drop and open the file kangen.doc to the Windows system folder which contains the lyrics to a pop song in Indonesian in an html-formatted document.
W32/Kangaroo-B may set the following registry entry to prevent certain files from running on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
LoadService =
"Rest In Peace"
|
