W32/Kely.worm.gen

Type: Virus
SubType: Worm
Discovery Date: 03/27/2008
Length: 118,272 bytes
Minimum DAT: 5262 (03/28/2008)
Updated DAT: 5263 (03/31/2008)
Minimum Engine: 5.1.00
Description Added: 03/27/2008
Description Modified: 03/27/2008 1:48 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

W32/Kely.worm.gen is a worm that can propagate via network shares and removable drives.

Upon execution, it copies itself to the following locations:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSconfig.exe

%WinDir%\system\lsass.exe
%WinDir%\lsass.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

It copies itself to all drives (including removable drives and mapped network drives) under the following filenames:
auto.exe (hidden file)
boot.exe (hidden file)
New Folder.exe

It makes these copies run automatically by dropping an autorun.inf file on the same drives. In this way it may propagate via removable drives and network shares.

It creates the following registry values to disable Task Manager, Explorer's Folder Options, System Restore configuration and the Run command:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoFolderOptions: "0x00000001"
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableConfig: "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: "0x00000001"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: "0x00000001"

It changes the following registry values so that Explorer no longer shows hidden files or file extensions:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "0x00000002"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt: "0x00000001"

It hooks system startup by changing the following registry values, so that its dropped copy is launched alongside the shell and at logon:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "explorer.exe %WinDir%\system\lsass.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "userinit.exe,%WinDir%\system\lsass.exe"

It changes the Internet Explorer start page:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page: "hxxp://uklotttery.us/"

It also changes the following registry values, including the Safe Mode shell:

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast\content url: "hxxp://uklotttery.us/"
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz\content url: "hxxp://uklotttery.us/"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\AlternateShell: " %WinDir%\system\cmd.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\AlternateShell: " %WinDir%\system\cmd.exe"
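The registry changes listed above can be checked on a suspect host with a read-only audit. The following PowerShell script is an added example written for this page; it is not McAfee's code or tooling. It assumes the PowerShell HKLM:/HKCU: registry drives and the clean-system defaults it compares against (Shell = explorer.exe, Userinit = <system32>\userinit.exe followed by a comma, SafeBoot AlternateShell = cmd.exe), which the description itself does not state.

```powershell
# Added example (not from the McAfee description): read-only audit of the
# registry values listed above. Run in an elevated PowerShell on the host
# under examination; it only reads the registry and changes nothing.

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }
}

function Invoke-KelyRegistryAudit {
    $findings = @()

    # Policy/Explorer values the worm sets (1, or 2 for 'Hidden') to hamper the user.
    $policyChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer'; Name = 'NoFolderOptions'; Bad = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableConfig';   Bad = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions'; Bad = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';           Bad = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';  Bad = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'Hidden';          Bad = 2 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'HideFileExt';     Bad = 1 }
    )
    foreach ($c in $policyChecks) {
        $v = Get-RegValueOrNull $c.Path $c.Name
        if ($null -ne $v -and [int]$v -eq $c.Bad) {
            $findings += "POLICY   $($c.Path)\$($c.Name) = $v"
        }
    }

    # Winlogon (assumed clean defaults): Shell = 'explorer.exe' and
    # Userinit = '<system32>\userinit.exe,' with a trailing comma. Any extra
    # program appended to either value is a logon persistence hook.
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValueOrNull $wl 'Shell'
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += "WINLOGON Shell = '$shell'"
    }
    $userinit = Get-RegValueOrNull $wl 'Userinit'
    if ($userinit) {
        $extra = ($userinit -split ',') | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ -and $_ -notmatch '(^|\\)userinit\.exe$' }
        if ($extra) { $findings += "WINLOGON Userinit = '$userinit'" }
    }

    # Safe Mode shell (assumed clean default): the bare 'cmd.exe', resolved
    # from system32. The worm points it at its own copy under %WinDir%\system.
    foreach ($cs in 'ControlSet001', 'CurrentControlSet') {
        $alt = Get-RegValueOrNull "HKLM:\SYSTEM\$cs\Control\SafeBoot" 'AlternateShell'
        if ($alt -and $alt.Trim() -ne 'cmd.exe') {
            $findings += "SAFEBOOT $cs AlternateShell = '$alt'"
        }
    }

    # IE start page and Yahoo Messenger content URLs pointed at the lure domain.
    $lure = 'uklotttery\.us'
    $urlChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main';  Name = 'Start Page'  },
        @{ Path = 'HKCU:\Software\Yahoo\pager\View\YMSGR_Launchcast'; Name = 'content url' },
        @{ Path = 'HKCU:\Software\Yahoo\pager\View\YMSGR_buzz';       Name = 'content url' }
    )
    foreach ($u in $urlChecks) {
        $v = Get-RegValueOrNull $u.Path $u.Name
        if ($v -and $v -match $lure) { $findings += "URL      $($u.Path)\$($u.Name) = '$v'" }
    }

    return $findings
}

$result = @(Invoke-KelyRegistryAudit)
if ($result.Count -eq 0) { 'No W32/Kely registry indicators found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Each finding line names the hive path and the value seen, so the output can be pasted straight into an incident ticket; the Winlogon and SafeBoot checks flag any deviation from the assumed default rather than only the exact strings in the description, so they also catch variants that drop the copy under a different name.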

It terminates the regedit.exe, taskmgr.exe and hijackthis.exe processes.

It modifies the %WinDir%\system32\drivers\etc\hosts file to prevent access to a large number of antivirus and security websites, such as:

mcafee.com, kaspersky.com, avast.com, grisoft.com, antivirus.comodo.com, zonealarm.com, esafe.com, bkav.com.vn, f-secure.com, etc.
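The file-system side of the description (the dropped copies listed under "Upon execution", the per-drive auto.exe/boot.exe/New Folder.exe copies with their autorun.inf, and the hosts-file tampering above) can be checked with a second read-only script. It is an added example written for this page, not McAfee's code; it assumes %WinDir% is available as $env:WINDIR, that the common Startup folder is wherever [Environment]::GetFolderPath('CommonStartup') resolves on the host, and it uses the vendor domains named in the description as the hosts-file watch list.

```powershell
# Added example (not from the McAfee description): read-only check for the
# dropped copies, the per-drive worm copies plus autorun.inf, and hosts-file
# entries that hijack the antivirus vendor domains the description lists.

function Invoke-KelyFileAudit {
    $findings = @()
    $windir = $env:WINDIR

    # Dropped copies. The real lsass.exe lives in %WinDir%\system32; a copy
    # directly under %WinDir% or in %WinDir%\system is the indicator.
    $dropped = @(
        (Join-Path $windir 'system\lsass.exe'),
        (Join-Path $windir 'lsass.exe'),
        (Join-Path ([Environment]::GetFolderPath('CommonStartup')) 'MSconfig.exe')
    )
    foreach ($p in $dropped) {
        # [IO.File]::Exists ignores the hidden attribute, unlike Get-ChildItem without -Force.
        if ([System.IO.File]::Exists($p)) { $findings += "DROPPED  $p" }
    }

    # Root of every file-system drive (fixed, removable, mapped): worm copies
    # plus the autorun.inf that launches them.
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $root = $drive.Root
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        foreach ($name in 'auto.exe', 'boot.exe', 'New Folder.exe') {
            $p = Join-Path $root $name
            if ([System.IO.File]::Exists($p)) { $findings += "DRIVE    $p" }
        }
        $inf = Join-Path $root 'autorun.inf'
        if ([System.IO.File]::Exists($inf)) {
            $txt = [System.IO.File]::ReadAllText($inf)
            if ($txt -match '\b(auto|boot|New Folder)\.exe\b') {
                $findings += "AUTORUN  $inf references a worm copy"
            } else {
                $findings += "AUTORUN  $inf present (inspect manually)"
            }
        }
    }

    # hosts file: any non-comment line naming one of the listed AV domains
    # (or a subdomain of it) is a block or redirect planted by the worm.
    $avDomains = 'mcafee.com', 'kaspersky.com', 'avast.com', 'grisoft.com',
                 'antivirus.comodo.com', 'zonealarm.com', 'esafe.com',
                 'bkav.com.vn', 'f-secure.com'
    $hosts = Join-Path $windir 'system32\drivers\etc\hosts'
    if ([System.IO.File]::Exists($hosts)) {
        foreach ($raw in [System.IO.File]::ReadAllLines($hosts)) {
            $line = $raw.Trim()
            if (-not $line -or $line.StartsWith('#')) { continue }
            foreach ($d in $avDomains) {
                # match the domain as a whole hostname token, with or without a subdomain prefix
                if ($line -match ('(^|\s|\.)' + [regex]::Escape($d) + '(\s|$)')) {
                    $findings += "HOSTS    $line"
                    break
                }
            }
        }
    }

    return $findings
}

$result = @(Invoke-KelyFileAudit)
if ($result.Count -eq 0) { 'No W32/Kely file or hosts indicators found.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Existence checks go through [System.IO.File]::Exists rather than Get-ChildItem because the drive-root copies are dropped with the hidden attribute and a plain directory listing would miss them; the autorun.inf content is inspected rather than trusted by name, since a legitimate autorun.inf on a CD or vendor USB stick is not by itself an indicator.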

Symptoms

  • File copies described above
  • Registry keys described above

Method of Infection

The worm may propagate via network shares and removable drives.

Removal

-

Variants

    N/A
