Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | April 2008 (4.28) |
| Protection available since | 16 February 2008 22:01:07 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Kaikki-A is a network worm for the Windows platform with IRC backdoor functionality.
W32/Kaikki-A attempts to spread to available network shares with the filename test.exe.
W32/Kaikki-A may also attempt to spread over the DC++ P2P network.
When W32/Kaikki-A is installed it attempts to drop some of the following clean files:
C:\infect.txt
<Current Folder>\mylist
<Current Folder>\mylist2
<Current Folder>\mylist3
<path to mIRC client>czm.mrc
<path to mIRC client>czn.mrc
<path to mIRC client>czb.mrc
<path to mIRC client>perform.ini
<System>\texty
W32/Kaikki-A attempts to set the following registry entry to run itself automatically on startup:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
svchost
<path to worm>
W32/Kaikki-A attempts to terminate a number of processes, delete registry entries, and stop services related to security and anti-virus software.
W32/Kaikki-A attempts to change the access control lists (ACLs) for all files on the C, D and E drives, granting access to the users "everyone" and "kaikki".
W32/Kaikki-A attempts to modify the network user settings on the infected computer.
W32/Kaikki-A attempts to change the "telnet" Windows service to make it run automatically on startup.
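The indicators described above can be checked on a suspect host with a short read-only script. This is an added example, not Sophos tooling; it assumes PowerShell 5 or later, that the Telnet service's short name is TlntSvr, and that a local account named "kaikki" is itself worth flagging.

```powershell
# Added example: read-only triage for the W32/Kaikki-A indicators on this page.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Run-key persistence: a value named "svchost" under HKLM ...\Run.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'svchost')) {
    $findings.Add("Run value 'svchost' points to: $($run.svchost)")
}

# 2. Dropped files with fixed locations: C:\infect.txt and <System>\texty.
$dropped = @('C:\infect.txt', (Join-Path ([Environment]::SystemDirectory) 'texty'))
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Dropped file present: $path") }
}

# 3. Telnet service set to start automatically.
#    Assumption: the service's short name is TlntSvr (display name "Telnet").
$telnet = Get-CimInstance Win32_Service -Filter "Name='TlntSvr' OR DisplayName='Telnet'"
foreach ($svc in $telnet) {
    if ($svc.StartMode -eq 'Auto') {
        $findings.Add("Service $($svc.Name) starts automatically (state: $($svc.State))")
    }
}

# 4. A local account named "kaikki" (assumption: treated as suspicious if present).
$user = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True AND Name='kaikki'"
if ($user) { $findings.Add("Local account 'kaikki' exists (disabled: $($user.Disabled))") }

# 5. ACL entries for "Everyone" or "kaikki" on the roots of C:, D: and E:.
#    "Everyone" can be legitimate, so compare its rights with a known-good host.
foreach ($root in 'C:\', 'D:\', 'E:\') {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $acl = Get-Acl -LiteralPath $root -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -match '(^|\\)(kaikki|Everyone)$' } |
        ForEach-Object {
            $findings.Add("$root ACE: $($_.IdentityReference) $($_.AccessControlType) $($_.FileSystemRights)")
        }
}

if ($findings.Count) { $findings } else { 'No W32/Kaikki-A indicators from this list were found.' }
```

The script does not look for test.exe on network shares or the mIRC script files, because their locations depend on the environment.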
