Summary

| Included in our products from | August 2004 (3.84) |
|---|---|
| Protection available since | 16 June 2004 08:16:14 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entries. The removal of these entries is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
RUNDLL0.exe = <windows>\\Zer0cculT0.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
RUNDLL1.exe = <windows>\\Zer0cculT1.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
RUNDLL2.exe = <windows>\\Zer0cculT2.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
RUNDLL3.exe = <windows>\\Zer0cculT3.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
User32.DLL = <windows>\\<system>\\user32 .exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Advapi32.DLL = <windows>\\<system>\\advapi32 .exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
KERNEL32.DLL = <windows>\\<system>\\Kernel32 .exe
and delete them if they exist.
Close the registry editor.
More Information
W32/Kenny-A is a P2P worm that also copies itself to the available local drives.
When executed, W32/Kenny-A starts a process named "MSN Messenger 6.3a" and copies itself to the Windows folder with the filenames
Zer0cculT0.exe
Zer0cculT1.exe
Zer0cculT2.exe
Zer0cculT3.exe
and to the Windows system folder with the filenames (note the space before the .exe extension, which distinguishes these copies from the genuine system DLLs)
Kernel32 .exe
advapi32 .exe
user32 .exe
To make sure it runs again after a restart, W32/Kenny-A sets the following registry entries:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
RUNDLL0.exe = <windows>\\Zer0cculT0.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
RUNDLL1.exe = <windows>\\Zer0cculT1.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
RUNDLL2.exe = <windows>\\Zer0cculT2.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
RUNDLL3.exe = <windows>\\Zer0cculT3.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
User32.DLL = <windows>\\<system>\\user32 .exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Advapi32.DLL = <windows>\\<system>\\advapi32 .exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
KERNEL32.DLL = <windows>\\<system>\\Kernel32 .exe
W32/Kenny-A copies itself to the root folder of the available local drives and to the shared folders of a number of file-sharing utilities, using filenames chosen from:
"MSN6.4.exe"
"PluginMSN.exe"
"Messenger7.0a.exe"
"MSN-iexplorer.exe"
"FreeWebcamMSN1.0.exe"
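The Action section above asks you to export the registry to a backup file before editing it, and the description lists the Run-key values, dropped files and share filenames the worm uses. The following script is an added example, not Sophos code: it reads the plain-text form of such an "Export Registry File" backup and reports Run-key entries whose value name or target file matches the worm's indicators, and it checks a directory listing for the dropped and share filenames. The .reg text and the file paths in it are constructed for illustration, and `<windows>` / `<system>` are assumed to be `C:\WINDOWS` and `C:\WINDOWS\system32`.

```python
"""Scan a regedit .reg export and a file listing for W32/Kenny-A indicators.

Added example (not Sophos code). The sample .reg text below is constructed;
<windows> and <system> are assumed to be C:\\WINDOWS and C:\\WINDOWS\\system32.
"""
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Value names W32/Kenny-A creates under the Run key (compared case-insensitively).
KENNY_VALUE_NAMES = {
    "rundll0.exe", "rundll1.exe", "rundll2.exe", "rundll3.exe",
    "user32.dll", "advapi32.dll", "kernel32.dll",
}

# Files the worm drops into the Windows and system folders. The system-folder
# copies carry a space before ".exe", so they are not the real DLLs.
KENNY_DROPPED_FILES = {
    "zer0ccult0.exe", "zer0ccult1.exe", "zer0ccult2.exe", "zer0ccult3.exe",
    "kernel32 .exe", "advapi32 .exe", "user32 .exe",
}

# Names the worm uses for the copies it leaves in file-sharing folders.
KENNY_SHARE_FILES = {
    "msn6.4.exe", "pluginmsn.exe", "messenger7.0a.exe",
    "msn-iexplorer.exe", "freewebcammsn1.0.exe",
}

# Constructed sample of an "Export Registry File" backup (string values only).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"
"RUNDLL0.exe"="C:\\WINDOWS\\Zer0cculT0.exe"
"KERNEL32.DLL"="C:\\WINDOWS\\system32\\Kernel32 .exe"
"Updater"="C:\\WINDOWS\\system32\\user32 .exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINDOWS\\Zer0cculT1.exe"
"""

# A .reg string value line: "name"="data", with \" and \\ escapes inside.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    """Undo .reg string escaping (a backslash quotes the next character)."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # start of a new key section
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if match and current is not None:
            keys[current][_unescape(match.group(1))] = _unescape(match.group(2))
    return keys


def find_kenny_indicators(reg_text):
    """Return (value_name, data, reason) for Run-key entries that match W32/Kenny-A."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() != RUN_KEY.lower():
            continue                      # the description only names the HKLM Run key
        for name, data in values.items():
            # Command-line arguments are not stripped from the data here.
            target = PureWindowsPath(data).name.lower()
            if name.lower() in KENNY_VALUE_NAMES:
                findings.append((name, data, "value name used by W32/Kenny-A"))
            elif target in KENNY_DROPPED_FILES:
                findings.append((name, data, "launches a file W32/Kenny-A drops"))
    return findings


def find_dropped_files(paths):
    """Return the paths whose filename matches a copy the worm writes to disk or a share."""
    suspicious = KENNY_DROPPED_FILES | KENNY_SHARE_FILES
    return [p for p in paths if PureWindowsPath(p).name.lower() in suspicious]


if __name__ == "__main__":
    for name, data, reason in find_kenny_indicators(SAMPLE_REG_EXPORT):
        print(f"{name!r} -> {data}  ({reason})")
    sample_paths = [r"C:\WINDOWS\Zer0cculT2.exe",                # constructed listing
                    r"C:\WINDOWS\system32\user32.dll",
                    r"D:\Shared\FreeWebcamMSN1.0.exe"]
    print(find_dropped_files(sample_paths))
```

Regedit writes exports as UTF-16 text, so a real backup file should be opened with `encoding="utf-16"` before its contents are passed to `find_kenny_indicators`. The `Updater` entry in the sample is flagged by its target file rather than its value name, which is why the check looks at both: a value name alone is easy to vary, but the dropped filenames with the space before `.exe` are the more specific indicator.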
As part of its payload, W32/Kenny-A attempts to delete all files from the following folders:
\Archivos de programa\Archivos comunes\KAV Shared Files\Bases\
\Program Files\Trend Micro\PC-cillin 2002\
\Archivos de programa\Archivos comunes\KAV Shared Files\
\Archivos de programa\Kaspersky Lab\Kaspersky Anti-Virus Personal\
\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\
\Program Files\McAfee\VirusScan\
\Archivos de Programa\McAfee\McAfee VirusScan\
\Archivos de programa\McAfee\VirusScan\
\Program Files\Norton AntiVirus\
\Archivos de programa\Norton AntiVirus\
\Archivos de Programa\Trend Micro\PC-cillin 2002\
\Archivos de Programa\Trend PC-cillin 98\
\Program Files\Trend PC-cillin 98\
\Program Files\Sophos SWEEP for NT\
\Archivos de Programa\Sophos SWEEP for NT\
\AntiViral Toolkit Pro\
\Program Files\Command Software\F-PROT95\
\Archivos de Programa\Command Software\F-PROT95\
\Toolkit\FindVirus\
\Program Files\Panda Software\Panda Antivirus Titanium\
\Archivos de Programa\Perav\
\Program Files\Vexira\
\Program Files\Eset\
\Program Files\Grisoft\AVG6\
\Archivos de Programa\Panda Software\Panda Antivirus Titanium\
\Program Files\Perav\
\Archivos de Programa\Vexira\
\Archivos de Programa\Eset\
\Archivos de Programa\Grisoft\AVG6\
W32/Kenny-A also runs a hidden background Visual Basic window with message boxes that display text chosen from the following:
' Yo, Zer0cculT, mover'
' tierra, mar y aire'
' para alcanzar mi destino'
' y con ilusi'
'n esperar'
' a que alguien me reprograme con un c'
'digo mas da'
' Viva el Codigo Abierto!!'
' No hace falta ser Dios para ver tu verdadero rostro'
' Yo me encargar'
' que la gente lo sepa todo'
' siempre superar'
' tus barreras'
' y te demostrar'
' que no me hacen falta agujeros de seguridad para colarme en tus peceras'
' aunque sea a largo plazo'
' viajando de byte en byte,'
' teletransport'
'ndome por medios extra'
' y multiplic'
'ndome en mi suite.'
' Quiza me ganes a mi'
' Pero no nos ganaras a todos.'
' <I hate Windows>'
' Fuck Bill Gates! Your software is a fucki'n shit! Fuck up the Windows!'
' Oh se'
'or todopoderoso Bill Gates,'
' Usted que se cree el Dios de la Mocosoft,'
'El mas ladr'
'n que jamas he visto!'
' Robaste los derechos a IBM en 1980'
' Y te aprovechaste de la situacion'
' empezando a trabajar en el "proyecto Windows".'
' Aunque te creas Dios,'
' Yo te ense'
' a ser un Dios derrotado,'
' Porque con la simplicidad de mi script, y mis pocos conceptos de programaci'
' he conseguido bloquear tu sistema inform'
