W32/Krisworm-A

Please follow the instructions for removing worms.

Check your administrator passwords and review network security.

Delete any unwanted dropped files.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
xxcm= <Windows fonts>\fonts\sys.exe

and delete it if it exists.

Close the registry editor.

W32/Krisworm-A is a worm which spreads by targeting computers with weak administrator and user passwords.

The worm installs several files in the fonts subfolder of the Windows fonts folder, and adds the registry entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
xxcm= <Windows fonts>\fonts\sys.exe

The malicious files installed by the worm are:
darkhell
fgr.bat
finger.ins
hema.exe
never.bat
s.c
too1.exe
man.bat (detected by Sophos Anti-Virus as Troj/Noshare-N)

The worm also installs the following files which are not malicious :

• a.q - a list of words
• bd.exe - a utility used for hiding windows
• dex.exe - a networking utility used for running processes on other computers
• fhgh.cca - a text file containing a counter
• kern.exe - a utility that list running processes
• Sys.exe - a copy of the mIRC chat client.
• x.xx - a text file containing a list of IP ranges

W32/Krisworm-A attempts to copy itself to the admin$ share on remote computers and execute the copy. The worm acts as a backdoor and IRC proxy server, allowing a remote attacker to control the infected computer.