W97M/Kukudro

Type: Trojan
SubType: Macro
Discovery Date: 06/28/2006
Length: varies
Minimum DAT: 4795 (06/28/2006)
Updated DAT: 4795 (06/28/2006)
Minimum Engine: 5.1.00
Description Added: 06/28/2006
Description Modified: 06/28/2006 5:15 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This threat was mass-spammed on several occasions.  The .A variant spam run occurred on June 27, 2006.  The email messages carried a ZIP attachment with names such as:

  • apple_prices.zip
  • prices_zip
  • sony_prices.zip

The ZIP file contains a DOC file:

  • my_notebook.doc

The DOC file attempts to exploit a five-year-old vulnerability, MS01-034 (a malformed Word document that lets its macro run automatically), so the embedded macro executes as soon as the document is opened, without Word's macro security prompt.  The prompt is therefore not a control to rely on; the attachment has to be stopped before it reaches Word.
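The chain described above (ZIP lure, legacy OLE2 .doc inside, VBA macro that auto-runs) is what a mail-gateway or triage script should look for. The following is an added example, not code from the original write-up or from McAfee: a Python function that opens a ZIP attachment in memory, checks each member for the OLE2 compound-file signature, and scans the raw bytes for VBA-project indicators. The lure filenames are the ones listed on this page; the indicator list (UTF-16LE storage and stream names "Macros" and "_VBA_PROJECT", the "Attribut" literal that opens compressed VBA module source, and the AutoOpen/Document_Open handler names), the size cap, and the sample byte blobs are the editor's constructions, not real samples.

```python
import io
import zipfile

# Lure names reported in the write-up above (the ZIP and DOC names).
KNOWN_ZIP_NAMES = {"apple_prices.zip", "prices_zip", "sony_prices.zip"}
KNOWN_DOC_NAMES = {"my_notebook.doc"}

# OLE2 compound-file signature: every legacy .doc starts with these 8 bytes.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Heuristic indicators of a VBA project in an OLE2 file (editor's assumption,
# chosen from how Word lays out macro storage; not taken from the write-up).
# Storage and stream names live in the OLE directory as UTF-16LE; "Attribut"
# is the literal that opens every compressed VBA module source stream.
VBA_INDICATORS = {
    "Macros storage name": "Macros".encode("utf-16-le"),
    "_VBA_PROJECT stream name": "_VBA_PROJECT".encode("utf-16-le"),
    "compressed module source": b"Attribut",
    "AutoOpen handler": b"AutoOpen",
    "Document_Open handler": b"Document_Open",
}

# Refuse to inflate anything larger than this (decompression-bomb guard).
MAX_MEMBER_BYTES = 16 * 1024 * 1024


def triage_zip(attachment_name: str, zip_bytes: bytes) -> dict:
    """Inspect a ZIP attachment in memory and report why it looks suspicious.

    Returns a dict with per-member findings and a list of human-readable
    reasons; 'suspicious' is True when any reason was recorded.
    """
    report = {"attachment": attachment_name, "members": [], "reasons": [], "suspicious": False}

    if attachment_name.lower() in KNOWN_ZIP_NAMES:
        report["reasons"].append(f"known lure attachment name: {attachment_name}")

    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        # A broken archive is still worth holding: scanners often cannot see
        # inside it, while the mail client may repair and open it anyway.
        report["reasons"].append("attachment is not a valid ZIP")
        report["suspicious"] = True
        return report

    for info in zf.infolist():
        member = {"name": info.filename, "size": info.file_size, "ole2": False, "vba_indicators": []}
        if info.file_size > MAX_MEMBER_BYTES:
            report["reasons"].append(f"oversized member skipped: {info.filename}")
            report["members"].append(member)
            continue
        data = zf.read(info.filename)
        member["ole2"] = data.startswith(OLE_MAGIC)
        if member["ole2"]:
            member["vba_indicators"] = [label for label, needle in VBA_INDICATORS.items() if needle in data]
        if info.filename.lower() in KNOWN_DOC_NAMES:
            report["reasons"].append(f"known lure document name: {info.filename}")
        if member["ole2"] and member["vba_indicators"]:
            report["reasons"].append(f"OLE2 document with VBA indicators: {info.filename}")
        report["members"].append(member)

    report["suspicious"] = bool(report["reasons"])
    return report


def build_zip(member_name: str, member_bytes: bytes) -> bytes:
    """Build a one-member ZIP in memory (used only to construct the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_bytes)
    return buf.getvalue()


# Constructed stand-ins, NOT real samples: just enough bytes to drive the checks.
MACRO_DOC = (
    OLE_MAGIC + b"\x00" * 504
    + "Macros".encode("utf-16-le") + b"\x00" * 32
    + b"Attribut\x00e VB_Name = \"ThisDocument\"" + b"\x00" * 16
    + b"AutoOpen"
)
PLAIN_DOC = OLE_MAGIC + b"\x00" * 504 + b"Hello from a macro-free document"

SAMPLE_LURE = build_zip("my_notebook.doc", MACRO_DOC)
SAMPLE_BENIGN = build_zip("quarterly_report.doc", PLAIN_DOC)

if __name__ == "__main__":
    for name, blob in (("sony_prices.zip", SAMPLE_LURE), ("report.zip", SAMPLE_BENIGN)):
        r = triage_zip(name, blob)
        print(name, "SUSPICIOUS" if r["suspicious"] else "clean", r["reasons"])
```

This is a byte-string heuristic, not a parse of the OLE directory, so it can miss a VBA project whose names are split across sectors and it says nothing about what the macro does; it is a triage filter for quarantining, with a full OLE parser or sandbox behind it for verdicts.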

When the Microsoft Word document is opened it displays the following:

[image not reproduced]

At the same time an EXE file is dropped onto the C:\ drive and executed.

Because there is more than one variant, the filename of the dropped EXE may differ:

  • 666INSE_1.EXE
  • ROSE.DOC

This EXE is detected as Generic Downloader.k using the 4795 DATs.

The EXE contains three decoy URLs and one encrypted URL.  The encrypted URL points to a W32/Sality.t-infected file.

Symptoms

Presence of the following files dropped on the C:\ drive:

  • 666INSE_1.EXE
  • ROSE.DOC

Method of Infection

Executing the MS Word document drops and executes the Downloader trojan.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

W97M/Kukudro is a macro trojan that arrives as a ZIP file attachment.  The ZIP file contains a Microsoft Word document which drops and executes a Downloader trojan on the victim's computer.
