Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | September 2007 (4.21) |
| Protection available since | 23 July 2007 15:11:33 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
W32/Kik-A is a worm and IRC backdoor Trojan for the Windows platform.
W32/Kik-A spreads via email.
W32/Kik-A runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.
W32/Kik-A includes functionality to:
- steal confidential information
- silently download, install and run new software, including updates of its software
- send notification messages to remote locations
- inject its code into other processes
When first run, W32/Kik-A copies itself to the Windows system folder as printers.exe and drops a DLL named notiffy.dll into the same folder.
The file notiffy.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{B37243A4-BF51-4604-B648-237A759F7845}
HKCR\CLSID\{9ED561ED-FFB1-4008-9643-D225082C82E0}
HKCR\CLSID\{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}
HKCR\CLSID\{5ADE6B7F-BF6C-43DA-B29C-E3416FC6F919}
HKCR\CLSID\{0018E1CB-DC4C-49E3-B96E-E545D8C0DBE8}
The following registry entry is created to run code exported by notiffy.dll on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
printers
{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}
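
A triage check for the registry artifacts listed above, as an added example (not Sophos code): it scans text in the layout printed by `reg query <key> /s` for the five CLSIDs and for a ShellServiceObjectDelayLoad value that points at one of them. The function name `scan_reg_query` and the sample text are constructed for illustration.

```python
import re

# CLSIDs listed in the description above.
KIK_A_CLSIDS = {
    "{B37243A4-BF51-4604-B648-237A759F7845}",
    "{9ED561ED-FFB1-4008-9643-D225082C82E0}",
    "{61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}",
    "{5ADE6B7F-BF6C-43DA-B29C-E3416FC6F919}",
    "{0018E1CB-DC4C-49E3-B96E-E545D8C0DBE8}",
}
SSODL = r"\microsoft\windows\currentversion\shellserviceobjectdelayload"
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{4}REG_\w+\s{4}(?P<data>.*)$")
CLSID_KEY = re.compile(r"\\CLSID\\(\{[0-9A-F-]{36}\})", re.IGNORECASE)

def scan_reg_query(text):
    """Return (kind, key, detail) findings from `reg query <key> /s` text."""
    findings, seen, key = [], set(), ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line is a key path
            key = line.strip()
            m = CLSID_KEY.search(key)
            clsid = m.group(1).upper() if m else None
            if clsid in KIK_A_CLSIDS and clsid not in seen:
                seen.add(clsid)  # report each CLSID once, not per subkey
                findings.append(("com-registration", key, clsid))
            continue
        m = VALUE_LINE.match(line)
        if m and key.lower().endswith(SSODL):
            data = m.group("data").strip().upper()
            if data in KIK_A_CLSIDS:  # autostart value loads the worm's object
                findings.append(("ssodl-autostart", key, f"{m.group('name')} -> {data}"))
    return findings

# Constructed sample in reg.exe output layout (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
    ExampleBenign    REG_SZ    {00000000-0000-0000-0000-000000000001}
    printers    REG_SZ    {61C00BEB-9641-4A13-9D1D-26ADD3EB2DEC}

HKEY_CLASSES_ROOT\CLSID\{61c00beb-9641-4a13-9d1d-26add3eb2dec}
    (Default)    REG_SZ    ExampleObject
HKEY_CLASSES_ROOT\CLSID\{61c00beb-9641-4a13-9d1d-26add3eb2dec}\InprocServer32
"""

if __name__ == "__main__":
    for finding in scan_reg_query(SAMPLE):
        print(finding)
```

Matching on the CLSID data rather than the value name `printers` avoids flagging an unrelated entry that happens to share the name.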
