W32/Katomik-A

Category	Viruses and Spyware
Type	Worm
What to do	If you've received an alert for a virus or spyware, then follow the instructions for removing the threat.
Prevalence	low high

Summary


How it spreads	Network shares
Affected operating systems	Windows
Characteristics	Installs itself in the registry
Protection available since	18 November 2005 03:13:17 (GMT)
Detected by	All Sophos products

Sophos beta program
Register now for our latest beta tests

W32/Katomik-A is a worm for the Windows platform.

W32/Katomik-A spreads to other computers through network shares.

W32/Katomik-A disables the registry editor and task manager, and changes the Desktop wallpaper.

When first run W32/Katomik-A copies itself to:

\AtomicpartC.exe
<Windows>\K-set.bmp
<System>\Atomic-x27.exe
<System>\mastoer32.dll

and creates the file \@li-Rno.H.Bmp, which is a harmless image file.

The following registry entries are created to run AtomicpartC.exe and Atomic-x27.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Atomic-x27C
AtomicpartC.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Atomic-x27
<System>\Atomic-x27.exe

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entry is set:

HKCU\Control Panel\Desktop
wallpaper
@li-Rno.H.Bmp

Get reports about the latest virus and spyware threats delivered to your computer