Sophos

W32/Kipis-J

Aliases
  • Email-Worm.Win32.Kipis.o
  • W32/Kipis.j@MM
  • WORM_KIPIS.O
How it spreads
  • Email attachments
  • Peer-to-peer
Affected operating systems Windows
Protection available since 5 March 2005 12:52:16 (GMT)
Detected by All Sophos products
  • Endpoint Security and Control 9.0
  • Small business solutions 4.0

More Information

W32/Kipis-J is a mass-mailing and peer-to-peer worm.

When first run, the worm opens notepad.exe while it copies itself to the Windows folder as regedit.com and to a newly created %SYSTEM%\1032 folder as svchost.exe.

On Win9x systems the worm modifies the system.ini file, adding the following entry under the [boot] heading:

Shell=Explorer.exe C:\Windows\System\1032\svchost.exe

On Windows NT and later systems the worm changes the following registry entry from:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe

to:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe %SYSTEM%\1032\svchost.exe
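
A defender-side check for the two persistence points described above, added here as an example and not taken from the Sophos page: it parses the Shell= line of a system.ini [boot] section and a Winlogon Shell value, and reports any entry other than explorer.exe. The sample inputs are constructed, and the optional live read uses Python's winreg module, which only exists on Windows.

```python
import re
from typing import List, Optional

# Constructed sample input (not captured from a real machine): a Win9x system.ini
# whose [boot] Shell line carries the extra entry this page describes.
SAMPLE_SYSTEM_INI = (
    "[boot]\n"
    "shell=Explorer.exe C:\\Windows\\System\\1032\\svchost.exe\n"
    "drivers=mmsystem.dll\n"
    "[386Enh]\n"
)
# Constructed NT-style Winlogon Shell value with the same kind of extra entry.
SAMPLE_WINLOGON_SHELL = r"Explorer.exe C:\WINDOWS\system32\1032\svchost.exe"
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def shell_extras(shell_value: str) -> List[str]:
    """Return every entry in a Shell value other than the expected explorer.exe.
    Winlogon reads Shell as a comma-separated list and the worm appends with a
    space, so both separators count; an injected path with spaces is split and flagged."""
    tokens = [t for t in re.split(r"[,\s]+", shell_value.strip()) if t]
    # Compare on the file name only so a full path to explorer.exe still passes.
    return [t for t in tokens if t.rsplit("\\", 1)[-1].lower() != "explorer.exe"]

def boot_shell_from_system_ini(text: str) -> Optional[str]:
    """Extract the Shell= value from the [boot] section of a system.ini body."""
    in_boot = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_boot = line[1:-1].lower() == "boot"
        elif in_boot and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return None

def live_winlogon_shell() -> Optional[str]:
    """Read the real Winlogon Shell value via winreg; None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Shell")[0]

if __name__ == "__main__":
    print("system.ini extras:", shell_extras(boot_shell_from_system_ini(SAMPLE_SYSTEM_INI) or ""))
    print("Winlogon extras:", shell_extras(live_winlogon_shell() or SAMPLE_WINLOGON_SHELL))
```

On a clean machine both lists are empty; any other value is worth pairing with a look at %SYSTEM%\1032 and at connections on the port named later on this page.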

W32/Kipis-J may also copy itself to folders with the string "share" or "\Microsoft Sh" in their name using all of the following filenames:

Windows 2000(source).c.exe
Kaspersky Antivirus(crack for all version).exe
ICQ Longhorn new! .exe
Ahead nero 9.exe
Windows 2003 crack.exe
RPC DCOM exploit new!(Win 2000/XP sp0,sp1,sp2/2003).cpp.exe
Worm.Beagle source.doc.exe
Jpeg exploit(source).c.exe
MS Office crack.exe
IE 6.0 exploit(src).exe

The worm will search local drives for files with the following extensions from which it will attempt to harvest email addresses:

PL SHT ASP HTML FPT INB MBX PMR PHP OFT PAB EML XLS UIN TBB DBX DOC HTM ADB TXT

Emails generated by the worm may have the following characteristics (some have random garbage for subject, body and attachment name):

Subject line chosen from:

Forum notify
Marihuana
Re: forum
Fw: chat
Re: Site password
Re: crack
#Forum report#

Message text chosen from:

;)
I Like You ;)
Thank you!
Marihuana have legalized!!!

Attachment names chosen from:

information.zip
#document.zip
details_txt.zip
word_pad.zip
text.zip
message.zip

W32/Kipis-J will also attempt to terminate various anti-virus and security-related processes and open a backdoor on port TCP/9413.
