W32/Kullan-A

Aliases
  • W32.HLLW.Kullan
  • TROJ_TAMPONAI.A
  • Worm.Win32.Kullan

Summary

Protection available since 28 September 2003 09:46:45 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP

You must first edit the following registry entries, if they are present. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

and remove any references to any file you deleted.

Each user has a registry area named HKEY_USERS\[code number indicating user]\. For each user locate the entries:

HKU\[code number]\Software\Microsoft\Windows\CurrentVersion\Run

HKU\[code number]\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

HKU\[code number]\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

and remove any references to any file you deleted.

Close the registry editor.

Reboot the computer, then use the instructions for removing worms.

Windows 95/98/Me

Use the instructions for removing worms.

Edit Win.ini and System.ini

  • At the taskbar, click Start|Run and type Sysedit.
  • Bring Win.ini to the front. In the [windows] section, search for a line beginning with 'Run=' and delete any references to the files you removed. Delete only that reference, not any other text.
  • Bring System.ini to the front. In the 'shell=' line in the [Boot] section, search for any references to the files you deleted. Delete only that reference, not any other text.
  • Reboot your computer.

Other platforms

Please read the instructions for removing worms.

More Information

W32/Kullan-A is a complex worm with backdoor functionality that targets available network shared resources.

When executed the worm copies itself to the Windows system folder with the filename Services.exe and sets the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

or

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run

and adds the full path to Services.exe to:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell

Running as a background process, the worm uses the "net view" command to find available computers and drops a copy of itself into the Start Menu folder of an available computer, using that computer's name as the filename.

As a backdoor, the worm provides access to confidential information such as the OS type, keystroke logs and email details.

W32/Kullan-A may also change the Win.ini and System.ini files to make sure the worm will be executed at the next restart.
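As an added example (not Sophos code), the script below serves both the removal steps above and the persistence locations just described: it parses a Regedit "Export Registry File" dump and Win.ini/System.ini text and flags Run entries, Windows\load / Windows\run values and Winlogon\shell values, as well as the win.ini run= and system.ini shell= lines, that reference Services.exe or deviate from the explorer.exe default. The sample data, including the registry value name "Services" and the file paths, is constructed for the example and is not an indicator taken from the page.

```python
def references_worm(value):
    return "services.exe" in value.lower()

def not_default_shell(value):
    return bool(value) and value.lower() != "explorer.exe"

RULES = [  # (section-name suffix, value name or None for any, predicate marking it suspicious)
    (r"\windows\currentversion\run", None, references_worm),           # HKLM/HKCU/HKU ...\Run
    (r"\windows nt\currentversion\windows", "load", bool),             # normally empty
    (r"\windows nt\currentversion\windows", "run", bool),              # normally empty
    (r"\windows nt\currentversion\winlogon", "shell", not_default_shell),
    ("windows", "run", references_worm),                               # Win.ini [windows] run=
    ("boot", "shell", not_default_shell),                              # System.ini [boot] shell=
]

def parse_sections(text):
    """Parse [section] / name=value text: a Regedit export, Win.ini or System.ini."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            current[name.strip('"@').lower()] = value.strip().strip('"')
    return sections

def findings(text):
    """(section, name, value) hits; suffix matching covers HKLM, HKCU and HKU\\<SID> alike."""
    hits = []
    for section, values in parse_sections(text).items():
        for name, value in values.items():
            for suffix, wanted, suspicious in RULES:
                if section.endswith(suffix) and wanted in (None, name) and suspicious(value):
                    hits.append((section, name, value))
                    break  # one finding per value, even if several rules would match
    return hits

# Constructed samples (not real infection data): a Regedit export, a Win.ini and a System.ini.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Services"="C:\\WINNT\\System32\\Services.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\WINNT\\System32\\Services.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load"=""
"""
SAMPLE_WIN_INI = "[windows]\nload=\nrun=C:\\WINNT\\System32\\Services.exe\n"
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe\n"
```

Run `findings()` over each file's text; an empty list means none of the listed locations referenced the worm or departed from the default shell.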
