W32/Kucoo
- Type: Virus
- SubType: Worm
- Discovery Date: 03/17/2008
- Length: 378,880 bytes
- Minimum DAT: 5254 (03/18/2008)
- Updated DAT: 5255 (03/19/2008)
- Minimum Engine: 5.1.00
- Description Added: 03/17/2008
- Description Modified: 03/17/2008 2:07 PM (PT)
Characteristics
- Upon execution, the worm copies itself to the following folders:
%UserProfile%\Application Data\smss.exe
%WinDir%\inf\smss.exe
%WinDir%\system32\Sexy Girls.scr
(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc., and %UserProfile% is the default profile folder for the current user, for example C:\Documents and Settings\Administrator\ if the current user is Administrator)
- It propagates itself via network shares by copying itself to all the mapped network drives with filenames as %User_Name%_Fichiers.exe, ..exe and ...exe.
- It copies itself to all the subfolders of the mapped network drives with filename as %sub_folder%.exe
(For instance, it copies itself as attach.exe in the subfolder F:\attach, when F: is the mapped network drive.)
- It hooks system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FrameWorkService: "%WinDir%\Inf\smss.exe I'm so ugly, I hate myself and I want to die"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NT_Authority: "%UserProfile%\Application Data\smss.exe"
- It adds or modifies the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1: "cmd.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2: "mmc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3: "rstrui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4: "regedit.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5: "regedt32.exe"
Symptoms
- suspicious files in the shared folders with a filename as described above
- suspicious registry keys as described above
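A small checker for the symptoms listed above, written here as an added example and not part of the original description: it takes registry values (key, value name, data) and file paths from a mapped share, constructed inline rather than read from a live system, and reports which ones match the worm's Run entries, Explorer lockdown policies and propagation file names.

```python
import ntpath

# Indicators copied from the W32/Kucoo description above; all compared case-insensitively.
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": {"frameworkservice"},
    r"hkey_current_user\software\microsoft\windows\currentversion\run": {"nt_authority"},
}
POLICY_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\explorer"
POLICY_VALUES = {"disallowrun", "nofolderoptions", "norun", "nofind"}
DISALLOWED_TOOLS = {"cmd.exe", "mmc.exe", "rstrui.exe", "regedit.exe", "regedt32.exe"}
DROPPED_NAMES = ("smss.exe", "sexy girls.scr")


def check_registry_value(key, name, data):
    """Return the reasons a (key, value name, data) triple matches the worm, or []."""
    key, name, data = key.lower().rstrip("\\"), name.lower(), str(data).lower()
    hits = []
    if key in RUN_KEYS:
        if name in RUN_KEYS[key]:
            hits.append(f"Run value name used by the worm: {name}")
        # The genuine Session Manager is launched by the kernel at boot, never from a
        # Run key, so any smss.exe (or the .scr) referenced here is a dropped copy.
        if any(n in data for n in DROPPED_NAMES):
            hits.append(f"Run value points at dropped file: {data}")
    elif key == POLICY_KEY and name in POLICY_VALUES and data in ("0x00000001", "1"):
        hits.append(f"Explorer lockdown policy set: {name}")
    elif key == POLICY_KEY + r"\disallowrun" and data in DISALLOWED_TOOLS:
        hits.append(f"admin tool blocked via DisallowRun: {data}")
    return hits


def check_share_file(path):
    """True for the file names the worm uses on mapped drives and their subfolders."""
    folder, name = ntpath.split(path)
    name = name.lower()
    if name in ("..exe", "...exe") or name.endswith("_fichiers.exe"):
        return True
    # <subfolder>\<subfolder>.exe: the executable is named after the folder holding it
    return name.endswith(".exe") and name[:-4] == ntpath.basename(folder).lower()


def scan(registry_values, share_paths):
    """Run both checks over constructed input and return every matching indicator."""
    findings = []
    for key, name, data in registry_values:
        findings.extend(check_registry_value(key, name, data))
    findings.extend(f"share file named like the worm: {p}" for p in share_paths if check_share_file(p))
    return findings
```

Feed scan() the output of a registry export and a directory listing of the mapped drives; an empty result means none of the listed indicators were seen.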
Method of Infection
Propagates via network shares.
Removal
-
Variants
N/A
Overview
This detection is for a worm which tries to copy itself via network shares.