Sophos

W32/Kangaroo-A

Aliases
  • Virus.Win32.VB.i
  • Trojan.Kangenie

Summary

How it spreads
  • Network shares
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from: September 2005 (3.97)
Protection available since: 11 July 2005 17:12:55 (GMT)
Detected by: All Sophos products

More Information

W32/Kangaroo-A is a worm for the Windows platform that usually has a Microsoft Word-related icon.

When first run, W32/Kangaroo-A copies itself to:

<Windows system folder>\winlog.dat
<Windows system folder>\winword.exe

The following registry entry is created to run winword.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OSA
<Windows system folder>\winword.exe

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

W32/Kangaroo-A repeatedly copies itself and sets these registry entries.

W32/Kangaroo-A monitors open windows for title bars containing text of the form (<drive letter>:) and attempts to copy itself to those drives with the filename kangen.exe.

W32/Kangaroo-A attempts to modify the Windows start button to display its own scrolling message. This is either the lyrics to a pop song in Indonesian or, on certain dates, a birthday message.

If run with the filename "kangen", W32/Kangaroo-A drops the file kangen.doc into the Windows system folder and opens it; the file is an HTML-formatted document containing the lyrics to a pop song in Indonesian.

Registry entries may be created under:

HKCU\Software\VB and VBA Program Settings\Pradana\setting\

W32/Kangaroo-A may set the following registry entries to prevent certain files from running on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
LoadService
"Rest In Peace"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SymRun
""

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
ccApps
""

W32/Kangaroo-A may attempt to rename the files systask.exe, ssEvtMgr.exe and ccApps.exe to garbageA, garbageB and xxx.MyOldBrother respectively.
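As an added triage example (not Sophos code), the following Python evaluates an offline host snapshot against the indicators listed in this description: a dictionary of registry values of the kind one would build from a .reg export, plus a list of file paths found on the host. The system folder path, the scoring weights and the sample snapshots are assumptions constructed for the example; the registry keys, value names, data and file names are those given above.

```python
"""Offline triage of a host snapshot for the W32/Kangaroo-A indicators above.

Added example; not Sophos code. Inputs are constructed: a registry snapshot
(key path -> {value name: data}) and a list of file paths present on the host.
"""
import ntpath

SYSTEM_DIR = r"C:\WINDOWS\system32"  # assumption: system folder of the inspected host

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
SETTINGS_KEY = r"HKCU\Software\VB and VBA Program Settings\Pradana\setting"

# (key, value name, expected data, weight, description), taken from the description above.
# Weights are an assumption: policy values are weak evidence because administrators
# set them legitimately; the overwritten Run values are far more specific.
REGISTRY_INDICATORS = [
    (POLICY_KEY, "DisableRegistryTools", "1", 1, "registry editor disabled by policy"),
    (POLICY_KEY, "DisableTaskMgr", "1", 1, "Task Manager disabled by policy"),
    (RUN_KEY, "LoadService", "Rest In Peace", 3, "Run value LoadService set to 'Rest In Peace'"),
    (RUN_KEY, "SymRun", "", 2, "Run value SymRun blanked"),
    (RUN_KEY, "ccApps", "", 2, "Run value ccApps blanked"),
]

# File names named in the description; compared case-insensitively by basename.
DROPPED_IN_SYSTEM_DIR = {"winlog.dat", "winword.exe", "kangen.doc"}
RENAMED_VICTIMS = {"garbagea", "garbageb", "xxx.myoldbrother"}


def _norm(path):
    """Normalise a Windows path for comparison (pure string ops, works on any OS)."""
    return ntpath.normcase(ntpath.normpath(path))


def _lookup(registry, key, name):
    """Case-insensitive lookup of a value's data; trailing backslashes on keys are ignored."""
    for k, values in registry.items():
        if k.rstrip("\\").lower() == key.lower():
            for n, data in values.items():
                if n.lower() == name.lower():
                    return data
    return None


def check_registry(registry, system_dir=SYSTEM_DIR):
    findings = []
    # The OSA Run value is only an indicator when it launches winword.exe from the
    # system folder; the genuine Word binary lives under Program Files.
    osa = _lookup(registry, RUN_KEY, "OSA")
    if osa is not None and _norm(osa) == _norm(ntpath.join(system_dir, "winword.exe")):
        findings.append((3, "Run value OSA launches winword.exe from the system folder"))
    for key, name, expected, weight, desc in REGISTRY_INDICATORS:
        data = _lookup(registry, key, name)
        if data is not None and str(data) == expected:
            findings.append((weight, desc))
    if any(k.rstrip("\\").lower().startswith(SETTINGS_KEY.lower()) for k in registry):
        findings.append((2, "VB settings key Pradana\\setting present"))
    return findings


def check_files(paths, system_dir=SYSTEM_DIR):
    findings = []
    sysdir = _norm(system_dir)
    for p in paths:
        np = _norm(p)
        head, base = ntpath.split(np)
        if base in DROPPED_IN_SYSTEM_DIR and head == sysdir:
            findings.append((3, f"dropped file {base} in system folder"))
        elif base == "kangen.exe" and ntpath.splitdrive(np)[1] == "\\kangen.exe":
            findings.append((3, f"kangen.exe at drive root: {p}"))
        elif base in RENAMED_VICTIMS:
            findings.append((2, f"renamed security-product file: {p}"))
    return findings


def triage(registry, paths, system_dir=SYSTEM_DIR):
    """Return (verdict, score, descriptions). 'likely' needs at least one specific indicator."""
    findings = check_registry(registry, system_dir) + check_files(paths, system_dir)
    score = sum(w for w, _ in findings)
    strong = any(w >= 3 for w, _ in findings)
    if strong and score >= 6:
        verdict = "likely W32/Kangaroo-A"
    elif findings:
        verdict = "weak indicators only"
    else:
        verdict = "no indicators"
    return verdict, score, [d for _, d in findings]


# Constructed snapshot of an infected host (values mirror the description above).
SAMPLE_REGISTRY = {
    RUN_KEY: {"OSA": r"C:\WINDOWS\system32\winword.exe", "LoadService": "Rest In Peace",
              "SymRun": "", "ccApps": ""},
    POLICY_KEY: {"DisableRegistryTools": "1", "DisableTaskMgr": "1"},
    SETTINGS_KEY + "\\": {},
}
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\winlog.dat",
    r"C:\WINDOWS\system32\winword.exe",
    r"E:\kangen.exe",
    r"C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE",  # legitimate Word, must not match
]
# Constructed snapshot of a clean host whose Task Manager is disabled by Group Policy.
CLEAN_REGISTRY = {POLICY_KEY: {"DisableTaskMgr": "1"}}

if __name__ == "__main__":
    for label, reg, files in (("infected", SAMPLE_REGISTRY, SAMPLE_FILES), ("gpo host", CLEAN_REGISTRY, [])):
        verdict, score, descs = triage(reg, files)
        print(f"{label}: {verdict} (score {score})")
        for d in descs:
            print("  -", d)
```

The two policy values are deliberately scored low: DisableTaskMgr and DisableRegistryTools alone only produce "weak indicators only", which should prompt a check of where the policy came from rather than a malware verdict. The verdict reaches "likely" only when a specific artifact from the description is present, such as the OSA Run value pointing into the system folder, the "Rest In Peace" Run data, or a dropped file, and the real Office winword.exe path is correctly ignored.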
