W95/Kuang.gen

Type: Virus
SubType: Remote Access
Discovery Date: 06/22/1999
Length: approx. 11KB
Minimum DAT: 4032 (06/30/1999)
Updated DAT: 4342 (03/24/2004)
Minimum Engine: 5.1.00
Description Added: 06/26/1999
Description Modified: 12/17/2003 7:45 AM (PT)
Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W95/Kuang.gen is a virus that drops a backdoor program. The backdoor has several components: server (Kuang.svr), client program (Kuang.cli), password stealing plugin (Kuang.pws) and one more plugin (Kuang.plugin). There also exists a small tool (W95/Kuang.dr) which can be used for infecting any Win32 file with a virus. When an infected file is run, the backdoor server is copied to the WINDOWS (or WINNT) directory under a random name. This file is hidden.

The virus copies the EXPLORER.EXE file to a file named EXPLORER.A. This copy is infected and replaces the original after the next restart.

The backdoor server program hides its own presence (it is not visible as a task, not visible in the registry, and not loaded via WIN.INI), but it runs permanently in the background, awaiting commands from the client (on the remote attacker's computer) and infecting the Win32 EXE files on all fixed disks one after another. The virus does not change the time or date of infected files, which grow in size by approximately 11 KBytes.

After the backdoor server is installed on a computer, the person controlling it has remote control over the infected machine. This requires both machines to be connected to the Internet. This control includes uploading, downloading or deleting a remote file. It is also possible to run plugin add-ons (Kuang.pws is a password-stealing plugin; Kuang.plugin can display messages, play with the taskbar, buttons, desktop and CD-ROM tray, run WAV files and shut down Windows).

The server program also includes a cleaner which seems to be able to clean an infected station (leave the IP address field blank and click on "Anti-Virus"). During this process a copy of the infected EXPLORER.EXE is made and named EXPLORER.WK2. This file is cleaned and the user must reboot the machine. During the reboot (through WININIT.INI) the cleaned EXPLORER.EXE is restored.

The W95/Kuang.updater detection covers a program used to configure the properties of the backdoor embedded in the virus.

After the reboot, this same procedure scans the whole hard disk and cleans the EXE files.

W95/Kuang.gen is able to infect files on Windows NT/2000 machines too. The Kuang family carries the message "Coded by Weird" in its code.

Symptoms

EXE files of the PE (Portable Executable) format grow in size.
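The two observable traits described above (PE files growing by roughly 11 KB while keeping their original modification time) can be checked from a file-system baseline. The following Python script is an added example written for this page, not a McAfee tool or code from the virus; the baseline/current snapshot format, the growth tolerance, and the sample file records are constructed assumptions for illustration. It also looks for the EXPLORER.A and EXPLORER.WK2 artifacts named in the description.

```python
import os
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List

# The description states infected files grow by approximately 11 KBytes and
# keep their timestamps; the tolerance is an assumption to absorb rounding.
EXPECTED_GROWTH = 11 * 1024
TOLERANCE = 2 * 1024

# File names the description says the virus and its cleaner leave behind.
LEFTOVER_NAMES = {"EXPLORER.A", "EXPLORER.WK2"}


@dataclass(frozen=True)
class FileStat:
    size: int
    mtime: int  # seconds since epoch, as returned by os.stat


def is_pe(header: bytes) -> bool:
    """True if the first bytes of a file carry an MZ stub pointing at a PE header."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", header, 0x3C)[0]
    return header[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_sample_pe_header() -> bytes:
    """Constructed minimal MZ/PE header used only for offline testing."""
    return b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00"


def snapshot(root: str) -> Dict[str, FileStat]:
    """Record size and mtime of every PE .exe file under root (real-world use)."""
    result: Dict[str, FileStat] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(0x200)
                st = os.stat(path)
            except OSError:
                continue
            if is_pe(head):
                result[path] = FileStat(st.st_size, int(st.st_mtime))
    return result


def suspicious_growth(baseline: Dict[str, FileStat],
                      current: Dict[str, FileStat]) -> List[str]:
    """Files that grew by about EXPECTED_GROWTH bytes yet kept the same mtime.

    A legitimate rewrite of an executable updates its mtime; growth with an
    unchanged timestamp matches the behaviour the description attributes to
    this virus. New files with no baseline entry are skipped.
    """
    hits = []
    for path, now in current.items():
        before = baseline.get(path)
        if before is None:
            continue
        growth = now.size - before.size
        if abs(growth - EXPECTED_GROWTH) <= TOLERANCE and now.mtime == before.mtime:
            hits.append(path)
    return sorted(hits)


def leftover_artifacts(windows_dir_listing: Iterable[str]) -> List[str]:
    """Names from the Windows directory that match the known leftover files."""
    return sorted(n for n in windows_dir_listing if n.upper() in LEFTOVER_NAMES)


# Constructed sample snapshots standing in for two runs of snapshot().
SAMPLE_BASELINE = {
    r"C:\APPS\A.EXE": FileStat(50000, 1000),
    r"C:\APPS\B.EXE": FileStat(70000, 2000),
    r"C:\APPS\C.EXE": FileStat(30000, 3000),
}
SAMPLE_CURRENT = {
    r"C:\APPS\A.EXE": FileStat(50000 + 11264, 1000),  # grew ~11 KB, mtime kept
    r"C:\APPS\B.EXE": FileStat(70000 + 11264, 2500),  # grew, but mtime changed
    r"C:\APPS\C.EXE": FileStat(30500, 3000),          # grew 500 bytes only
    r"C:\APPS\D.EXE": FileStat(40000, 4000),          # no baseline entry
}
SAMPLE_WINDIR = ["EXPLORER.EXE", "explorer.a", "WIN.INI", "NOTEPAD.EXE"]

if __name__ == "__main__":
    print("suspicious:", suspicious_growth(SAMPLE_BASELINE, SAMPLE_CURRENT))
    print("leftovers:", leftover_artifacts(SAMPLE_WINDIR))
```

In practice the baseline is taken from a known-clean system (or a scan run before the Minimum DAT date) with `snapshot()`, and the comparison is re-run after an incident; a hit is a candidate for the engine/DAT scan described under Removal, not proof of infection on its own.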

Method of Infection

The only way to infect a computer with a file-infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including floppy diskettes, downloads through an online service, the network, etc. Once the infected file is executed, the virus and the server program are active.

Removal

All Users:

Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory-resident:
Use the specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • PE_WEIRD.10240 (Trend)
  • TR/Kunga2 (H+BEDV)
  • W32/Kuang.gen
  • W95/Kuang-II (Norman)
  • W95/Kuang.dr
  • W95/Kuang.updater
  • W95/Kuang2.cli
  • W95/Kuang2.svr
  • W95/Weird.10240.A
  • Win32.Weird.10240 (KAV/AVP)
