W32/KWBot-A Worm

Discussion in 'malware problems & news' started by Paul Wilders, Jul 5, 2002.

Thread Status:
Not open for further replies.
    Aliases: W32.Kwbot.Worm, Worm.Win32.SdBot, W32/Moocow-A

    Type: Win32 worm


    Description:

    W32/KWBot-A is a worm which exploits the Kazaa peer-to-peer network.

    When first executed the worm will copy itself to the Windows system folder as explorer32.exe. It will then create the following registry entries so that the copy is run each time Windows is started:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Explorer Update Build 1142 = explorer32

    and

    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Windows Explorer Update Build 1142 = explorer32

    W32/KWBot-A will attempt to get unsuspecting users to download copies of itself by using filenames which may be attractive to other users, such as film titles or popular software.

    Examples of filenames used are:

    Star Wars Episode 2 - Attack of the Clones VCD CD1.exe
    Spiderman The Movie - The Game.exe
    Grand Theft Auto 3 CD1 ISO.exe
    ZoneAlarm Firewall Pro.exe
    Windows XP Professional iso.exe
    Unreal Tournament cracked (works on all servers).exe
    University Study Guide (cheat sheet).exe
    Quicken Pro 2002 iso.exe
    Perl Ultimate Study Guide.exe
    Office XP Corporate Ed. iso.exe
    Norton Utilities 2002.exe
    Microsoft Visual C++ 7.0 iso.exe
    MCSE Ultimate Study Guide.exe
    Max Payne full iso.exe
    Macromedia Flash 5.exe
    Kazaa Advertisement Ad remover.exe
    DSL Anonymizer.exe
    DoS Attacker.exe
    DivX Codec 6.0 beta (codec only).exe
    Credit Card number generator VERIFIER (cc cc#).exe
    cows gone wild.exe
    100 XXX Passwords (verified 3-24-02).exe

    The worm may also allow attackers to gain control of an infected computer using commands transmitted over IRC.
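As an added example (not part of the post or of any vendor write-up), the following Python check parses a Windows registry export and flags the Run/RunServices persistence entries described above; the `.reg` text is constructed sample input, and the key paths, value name and binary name are the ones given in the description.

```python
# Scan a .reg export for the W32/KWBot-A persistence indicators described above.
import re

# Persistence keys and value name the worm creates (from the description).
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
WORM_VALUE_NAME = "Windows Explorer Update Build 1142"
WORM_BINARY = "explorer32"

# Constructed sample .reg export: one benign value plus the worm's two entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VMware Tools"="C:\\Program Files\\VMware\\vmtoolsd.exe"
"Windows Explorer Update Build 1142"="explorer32"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Windows Explorer Update Build 1142"="explorer32"
'''

def parse_reg(text):
    """Return {key_path_lowercased: {value_name: data}} from .reg text."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            result.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            # "name"="data"  (quoted names may contain escaped characters)
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                result[current][m.group(1)] = m.group(2).strip('"')
    return result

def find_kwbot_persistence(reg_text):
    """Flag Run/RunServices values matching the worm's value name or binary."""
    hits = []
    reg = parse_reg(reg_text)
    for key in RUN_KEYS:
        for name, data in reg.get(key.lower(), {}).items():
            if name == WORM_VALUE_NAME or WORM_BINARY in data.lower():
                hits.append((key.rsplit("\\", 1)[1], name, data))
    return hits

if __name__ == "__main__":
    for where, name, data in find_kwbot_persistence(SAMPLE_REG):
        print(f"persistence hit in {where}: {name!r} -> {data}")
```

On a live system the same check would be run against the output of `reg export` for each of the two keys; a hit should be followed by looking for explorer32.exe in the Windows system folder.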