W97M/Kukudro
- Type: Trojan
- SubType: Macro
- Discovery Date: 06/28/2006
- Length: varies
- Minimum DAT: 4795 (06/28/2006)
- Updated DAT: 4795 (06/28/2006)
- Minimum Engine: 5.1.00
- Description Added: 06/28/2006
- Description Modified: 06/28/2006 5:15 AM (PT)
Characteristics
This threat was mass-spammed on several occasions. The .A variant spam run occurred on June 27, 2006. The email messages contained a ZIP attachment, such as:
- apple_prices.zip
- prices_zip
- sony_prices.zip
The ZIP file contains a DOC file:
- my_notebook.doc
The DOC file attempts to exploit a 5-year-old vulnerability (MS01-034) to auto-run the macro it contains.
When the Microsoft Word Document is opened it displays the following:

At the same time, an EXE file is dropped onto the C:\ drive and executed:
As there is more than one variant, the filename of the dropped EXE may differ:
- 666INSE_1.EXE
- ROSE.DOC
This EXE is detected as Generic Downloader.k using the 4795 DATs.
The EXE contains 3 decoy URLs and 1 encrypted URL. The encrypted one points to a W32/Sality.t infected file.
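A triage sketch for the delivery chain described above, added here as an example and not the vendor's detection logic: it checks an attachment against the names listed in this description, flags a .doc member that is an OLE2 file with a "Macros" storage, and checks a file from the C:\ root against the dropped filenames and the PE "MZ" header. The macro heuristic, the size cap, the function names and the sample archive are assumptions constructed for the example.

```python
import io
import zipfile

# Names quoted in the description above (compared case-insensitively).
ZIP_NAMES = {"apple_prices.zip", "prices_zip", "sony_prices.zip"}
DOC_NAMES = {"my_notebook.doc"}
DROPPED_NAMES = {"666inse_1.exe", "rose.doc"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound-file signature
MACROS_ENTRY = "Macros".encode("utf-16-le")      # VBA storage name in a Word .doc
MAX_MEMBER = 20 * 1024 * 1024                    # assumed cap; skip oversized members


def triage_attachment(filename, data):
    """Return findings for one e-mail attachment given its name and raw bytes."""
    findings = []
    if filename.lower() in ZIP_NAMES:
        findings.append("attachment name seen in spam run")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            member = info.filename.rsplit("/", 1)[-1].lower()
            if member in DOC_NAMES:
                findings.append(f"{info.filename}: document name seen in spam run")
            if not member.endswith(".doc") or info.file_size > MAX_MEMBER:
                continue
            body = zf.read(info)
            # Heuristic: an OLE2 file whose directory holds a "Macros" storage.
            if body.startswith(OLE2_MAGIC) and MACROS_ENTRY in body:
                findings.append(f"{info.filename}: Word document carrying macros")
    return findings


def check_dropped(name, head):
    """Flag a file from the C:\\ root by name and by PE header ("MZ")."""
    if name.lower() not in DROPPED_NAMES:
        return None
    kind = "PE executable" if head.startswith(b"MZ") else "not a PE file"
    return f"{name}: name matches dropped file, {kind}"


def build_sample_zip():
    """Constructed, harmless sample: OLE2 signature plus a 'Macros' entry name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("my_notebook.doc", OLE2_MAGIC + b"\x00" * 504 + MACROS_ENTRY)
        zf.writestr("readme.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_attachment("sony_prices.zip", build_sample_zip()))
    print(check_dropped("ROSE.DOC", b"MZ\x90\x00"))
```

Name matches alone are weak signals because filenames differ between variants; the content checks (macro-bearing document inside a ZIP, PE header behind a .DOC name) are the parts that generalise.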
Symptoms
Presence of the following files dropped on C:\ drive:
Method of Infection
Executing the MS Word Document will drop and execute the Downloader trojan.
Removal
All Users:
Use specified engine and DAT files for detection and removal.
Variants
N/A
Overview
W97M/Kukudro is a macro trojan that arrives as a ZIP file attachment. The ZIP file contains a Microsoft Word document which drops and executes a Downloader trojan on the victim's computer.