Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Included in our products from | July 2005 (3.95) |
| Protection available since | 25 May 2005 08:33:10 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
Windows NT/2000/XP/2003
In Windows NT/2000/XP/2003 you will also need to edit the following registry entry, if it is present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell
It should contain a reference to explorer.exe only (or possibly to NALWIN32.exe if you are using NetWare). Remove any reference to any file you deleted; you may need to restore the reference to explorer.exe.
Close the registry editor.
More Information
W32/Kipis-U is an email and network share worm and backdoor for the Windows platform.
W32/Kipis-U sends itself by email to addresses found on the hard disk of the infected computer.
Email sent by the worm has a subject line, message text and attachment name in one of 6 languages, English, French, German, Russian, Spanish or Ukrainian. The language is chosen according to the domain of the email recipient.
W32/Kipis-U runs continuously in the background, providing a backdoor server which allows a remote intruder to upload and run arbitrary programs on the infected computer.
W32/Kipis-U sends itself by email to addresses found on the hard disk of the infected computer in files with the following extensions:
ADB
DBX
DHTM
DOC
EML
HTM
MSG
PAB
PHP
SHTM
TBB
TXT
UIN
WAB
XLS
The worm avoids sending email to addresses containing any of the following strings:
@avp.
@bitdefen
@borlan
@drweb
@fido
@foo
@iana
@ietf
@kasper
@klamav
@license
@mcafee
@messagelab
@microsof
@mydomai
@nod3
@nodomai
@norman
@panda
@rfc-ed
@somedomai
@sopho
@symante
@usenet
@virusli
abuse@
accoun
admin@
antivir
anyone@
bsd
bugs@
contact@
contract@
f-secur
free-av
google
help@
info@
listserv
mailer-
mozzila
news@
newvir
nobody@
noone@
noreply
notice@
page@
pgp
podpiska@
postmaster@
privacy@
rar@
rating@
register@
root@
sales@
service@
site@
soft@
spm111@
suporte@
support@
technical@
the.bat
update@
virus@
webmaster@
winrar
winzip
you@
W32/Kipis-U also attempts to spread to shared folders by copying itself to any folder that has 'share' or 'microsof' in its name. The worm uses the following filenames when copying to shared folders:
Land Attack(source and files).exe
DDoS bot(src)..scr
Forum Hack.txt.scr
Winamp 6(plugins).exe
Crack collection.scr
NLP.scr
Hack Unix Server(info).scr
Screensaver for Hackers.scr
Windows 2000(source code).scr
Hack Chat.exe
Kaspersy Antivirus Key(ver.5.xx,Pro,Personal).exe
When first run W32/Kipis-U copies itself to:
<Windows folder>\regedit.com
<Windows system folder>\Microsoft\iexplore.exe
The following registry entry is created to run iexplore.exe on startup:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe <Windows system folder>\Microsoft\iexplore.exe
The following registry entry is also set:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot
shell
<Windows system folder>\Microsoft\iexplore.exe
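The following script is an added example, not a Sophos tool: it audits the two shell registry values described above and the dropped file locations, and with -Repair restores Winlogon\Shell as the removal steps in the Action section describe (after exporting the key). It assumes an elevated PowerShell session, that the Windows system folder is System32, and that explorer.exe (or NALWIN32.exe on NetWare clients) is the only legitimate shell.

```powershell
# Added example, not Sophos' own tool: audit the two registry values W32/Kipis-U
# changes (Winlogon\Shell and WOW\boot\shell) and the dropped file locations,
# and with -Repair restore Winlogon\Shell as the removal steps describe.
# Assumptions: elevated PowerShell; explorer.exe (or NALWIN32.exe on NetWare
# clients) is the only legitimate shell; $BackupDir is a placeholder location.
param([switch]$Repair, [string]$BackupDir = "$env:TEMP\kipis-backup")

$Allowed  = @('explorer.exe', 'nalwin32.exe')
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WowBoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WOW\boot'

function Get-ForeignShellTokens([string]$Value) {
    # Shell values are lists; split on commas/whitespace and keep every entry
    # whose file name is not an allowed shell (the worm appends its own path).
    ($Value -split '[,\s]+' | Where-Object { $_ }) |
        Where-Object { $Allowed -notcontains (Split-Path -Leaf $_).ToLower() }
}

# Dropped copies named in the advisory (system folder assumed to be System32)
foreach ($f in @("$env:SystemRoot\regedit.com",
                 "$env:SystemRoot\System32\Microsoft\iexplore.exe")) {
    if (Test-Path $f) { Write-Warning "dropped file present: $f" }
}

foreach ($entry in @(@{Path=$Winlogon; Name='Shell'}, @{Path=$WowBoot; Name='shell'})) {
    $prop = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
    if (-not $prop) { Write-Output "[ok] $($entry.Path)\$($entry.Name) absent"; continue }
    $value   = [string]$prop.($entry.Name)
    $foreign = @(Get-ForeignShellTokens $value)
    if ($foreign.Count -eq 0) { Write-Output "[ok] $($entry.Path)\$($entry.Name) = '$value'"; continue }
    Write-Warning "$($entry.Path)\$($entry.Name) = '$value' references $($foreign -join ', ')"

    # Only Winlogon\Shell is rewritten: the advisory gives no default for WOW\boot\shell.
    if ($Repair -and $entry.Path -eq $Winlogon) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        # Export the key first, as the removal instructions require
        & reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
            "$BackupDir\winlogon.reg" /y | Out-Null
        Set-ItemProperty -Path $entry.Path -Name $entry.Name -Value 'explorer.exe'
        Write-Output "[fixed] Shell reset to explorer.exe (backup in $BackupDir)"
    }
}
```

Run it without -Repair first to see what the values contain; the WOW\boot\shell value is reported only, so clean it by hand per the Action section if it points at iexplore.exe.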
W32/Kipis-U attempts to disable services that have the following strings in their names:
anvir
apv
avc
aveng
avg
avk
avp
avw
avx
blackd
blacki
blss
cfi
clean
defwat
drweb
egedit.ex
ewall
fsa
fsm
guard
hijack
hxde
ilemon
kerio
klagent
klamav
luacomserv
minilog.
monitor
mooli
mosta
mpf
nav
neomon
netarm
netspy
nisse
nisum
nod3
norman
normis
norton
outpos
pav
pavsrv
pcc
protect
proxy.
rav
rfw
spider
svc.
syman
taskmgr
tmon
trojan
updat
upgrad
virus
vsmon
zapro.
zonalm
zonea
