Sophos

W32/Kipis-H

Aliases
  • Email-Worm.Win32.MyDoom.al
  • W32/Kipis.h@MM

Summary

How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems Windows
Protection available since 9 February 2005 06:03:06 (GMT)
Last updated 2 January 2006 16:28:32 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'regedit.exe' and press Return. The registry editor opens. Use the full name: the worm drops a copy of itself as regedit.com in the Windows folder, and a bare 'regedit' may resolve to that copy if it has not yet been deleted.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

It should contain a reference to explorer.exe only (or possibly NALWIN32.exe if you are using NetWare). Remove any reference to a file you deleted, leaving the value as 'explorer.exe'; you may need to put the reference to explorer.exe back if it is missing.

Close the registry editor.

Editing System.ini (Windows 95/98/Me)

At the taskbar, click Start|Run and type Sysedit. Bring System.ini to the front. In the 'shell=' line in the [boot] section, search for any references to the files you deleted. Delete only that reference, not any other text, so that the line reads 'shell=Explorer.exe' again.

Reboot your computer.

More Information

W32/Kipis-H is a mass-mailing worm with some backdoor functionality.

When first run the worm copies itself to the Windows folder as regedit.com, to the Windows system folder as netstat.com and to the Windows system\1035 folder as svchost.exe.

On Win9x systems the worm modifies the system.ini file adding the following entry to the [boot] heading:

Shell=Explorer.exe C:\Windows\System\1035\svchost.exe

On Windows NT and above systems the following registry entry is changed by the worm from:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe

to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %SYSTEM%\1035\svchost.exe

W32/Kipis-H may also copy itself to folders with the word "share" in their name using one of the following filenames:

Teen sex(anal,oral).exe
XXX images.exe
Pamela Anderson xxx(anal).exe
Porno image(schoolgirls).exe
Deprivation virginity schoolgirl.exe
Sex,oral,anal,bdsm!.exe
Rape schoolgirl.scr
Virtual Girl 2.1.exe
Teen hardcore XXX.exe
Windows Longhorn screen.scr

The worm will search local drives for files with the following extensions from which it will attempt to harvest email addresses:

PL SHT ASP HTML FPT INB MBX PMR PHP OFT PAB EML XLS UIN TBB DBX DOC HTM ADB TXT

Emails generated by the worm have the following characteristics:

Subject line chosen from:

hi
here
your love
Happy Valentine's day
Happy day
your
Present
Valentine's day

Message text chosen from:

love you! :),congratulate!

I congratulate on the coming Valentine's day!
My gift to you.

With the coming Valentine's day!
I very much love you.

Please see my flash present :)

Attachment name chosen from the following, with an extension chosen from EXE, SCR or ZIP:

Valentine
love
flash love
present
your present
My nude_04
nude
Joke
porno_03
porn

W32/Kipis-H will also attempt to terminate various anti-virus and security related processes, and opens a backdoor listening on TCP port 1988.
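The removal procedure under "Action" and the indicators listed in this section, as an added PowerShell triage script (an illustration written for this page, not a Sophos tool). It audits the Winlogon Shell value for anything beyond explorer.exe (or NALWIN32.exe), checks for the three dropped files and for a listener on TCP port 1988, and with -Remediate backs up the Winlogon key, stops the running copy, resets Shell and deletes the files. Assumptions: a Windows NT-family host with %SYSTEM% = %SystemRoot%\System32, an elevated session, and the folder layout the page describes; Get-NetTCPConnection is used where available, with netstat.exe called by full path as a fallback. The Windows 9x system.ini case is edited by hand as described under "Editing System.ini".

```powershell
# Added example for this page (not a Sophos tool): audit a Windows NT-family
# host for the W32/Kipis-H indicators described above and, with -Remediate,
# undo them. Assumes an elevated session and %SYSTEM% = %SystemRoot%\System32.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate   # without it the script only reports
)

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windir   = $env:SystemRoot
$sysdir   = Join-Path $windir 'System32'

# Files the page says the worm drops. regedit.com and netstat.com shadow the
# real .exe tools when invoked by bare name (COM is tried before EXE).
$dropped = @(
    (Join-Path $windir 'regedit.com'),
    (Join-Path $sysdir 'netstat.com'),
    (Join-Path $sysdir '1035\svchost.exe')
)
$findings = @()

# 1. Winlogon Shell: anything beyond explorer.exe (or NALWIN32.exe on NetWare)
$shell   = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
$allowed = @('explorer.exe', 'nalwin32.exe')
$extra   = @()
foreach ($token in (($shell -split '\s+') | Where-Object { $_ })) {
    if ($allowed -notcontains ([IO.Path]::GetFileName($token)).ToLower()) { $extra += $token }
}
if ($extra.Count) { $findings += "Winlogon Shell carries extra entries: $($extra -join ' ')" }

# 2. Dropped files
$present = @($dropped | Where-Object { Test-Path -LiteralPath $_ })
foreach ($p in $present) { $findings += "Dropped file present: $p" }

# 3. Backdoor listener on TCP/1988 (owning PIDs kept for clean-up)
$listenerPids = @()
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listenerPids = @(Get-NetTCPConnection -LocalPort 1988 -State Listen -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.OwningProcess })
} else {
    # Older hosts: call netstat.exe by full path so the worm's netstat.com
    # cannot be picked up instead of the real tool.
    $listenerPids = @(& (Join-Path $sysdir 'netstat.exe') -ano |
                      Select-String ':1988\s+\S+\s+LISTENING\s+(\d+)' |
                      ForEach-Object { [int]$_.Matches[0].Groups[1].Value })
}
foreach ($id in $listenerPids) {
    $name = (Get-Process -Id $id -ErrorAction SilentlyContinue).ProcessName
    $findings += "TCP/1988 listener: PID $id ($name)"
}

if ($findings.Count -eq 0) { Write-Host 'No W32/Kipis-H indicators found.'; return }
$findings | ForEach-Object { Write-Warning $_ }
if (-not $Remediate) { return }

# Back up the Winlogon key first, as the page's procedure does for the registry.
$backup = Join-Path $env:TEMP ('Winlogon-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& (Join-Path $sysdir 'reg.exe') export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $backup /y | Out-Null

# Stop the running copy before deleting files, otherwise they stay locked.
foreach ($id in $listenerPids) { Stop-Process -Id $id -Force -ErrorAction SilentlyContinue }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ieq (Join-Path $sysdir '1035\svchost.exe') } |
    Stop-Process -Force -ErrorAction SilentlyContinue

if ($extra.Count -and $PSCmdlet.ShouldProcess($winlogon, 'reset Shell to explorer.exe')) {
    Set-ItemProperty -Path $winlogon -Name Shell -Value 'explorer.exe'
}
foreach ($p in $present) {
    if ($PSCmdlet.ShouldProcess($p, 'delete')) { Remove-Item -LiteralPath $p -Force }
}
Write-Host "Done. Registry backup: $backup. Reboot and run a full scan."
```

Run it once without switches to see what it finds, then with `-Remediate -WhatIf` to preview the changes and `-Remediate` to apply them. Because the script is run from PowerShell rather than Start|Run, resolving `reg.exe` and `netstat.exe` by full path avoids the COM-before-EXE lookup that the worm's regedit.com and netstat.com copies rely on.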
