W32/Kifie-D

Discussion in 'malware problems & news' started by FanJ, Jun 12, 2003.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    W32/Kifie-D
    Aliases : WORM_KIRBO.A

    Type : Win32 worm

    Description
    W32/Kifie-D spreads via email, P2P, IRC, AIM and local drives. The worm copies itself to all local drives as kirbster.exe and to the Windows system folder as tasksystemdll.exe and cutekriby.scr.

    W32/Kifie-D sets the following registry entry to point to tasksystemdll.exe:

    HKCU\Control Panel\Desktop\Scrnsave.exe

    In addition the worm drops the file %sysdir%\CuteKirby.Scr and registers it as the Desktop wallpaper.

    W32/Kifie-D displays a message box with the text "There was a critical error in the application the video driver could not load. If you continue to experience problems try restarting your computer".


    Read more:
    http://www.sophos.com/virusinfo/analyses/w32kified.html
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    New worm is Sunday driver (Kifie-D worm)

    Kifie-D worm begins overwriting docs on a Sunday.
    The worm spreads through email as well as peer-to-peer filesharing networks such as KaZaA, and instant messaging systems such as AIM.

    It copies itself to local drives and performs a Registry edit. It also displays a message box with the text: 'There was a critical error in the application the video driver could not load. If you continue to experience problems try restarting your computer'.

    However, the worm has a logic bomb that sets it to work on a Sunday, when it creates two files: kirbyflood.vbs and kirbyflood.bat. The former creates message boxes in a loop with the text 'Are you ready? W32.Kirby.Fl00der By L0new0lf'. kirbyflood.bat runs the .vbs file and displays the message 'l0new0lf strikes again W32.Kirby.Fl00der By L0new0lf'.

    It also overwrites TXT and DOC files in the Windows, Windows system and Windows system32 folders and will also try to delete various anti-virus related files. Finally, it mails itself on to addresses in the Outlook address book as an attachment. The emails read:

    Subject line: Fw: hello there
    Message text: Hey, I just received a screen saver in the mail and it is really cute. Take a look


    Matt Whipp


    http://www.pcpro.co.uk/?http://www.pcpro.co.uk/news/news_story.php?id=43141
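
A read-only host check for the indicators named in the two posts above, as an added example that is not part of the thread or of the quoted Sophos and PC Pro write-ups. The posts do not say where on each drive kirbster.exe lands, which registry value holds the wallpaper, or where the kirbyflood files are written, so the drive root, the Wallpaper value under the same Desktop key, and the searched folders are assumptions.

```powershell
# Added triage example. Reports indicators only; it changes nothing on the host.
$sysDir   = [Environment]::SystemDirectory        # stands in for %sysdir%
$desktop  = 'HKCU:\Control Panel\Desktop'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Registry: screen-saver entry pointing at the worm's copy (named in post 1).
$props = Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue
$scr   = $props.'Scrnsave.exe'                    # value names are case-insensitive
if ($scr -and $scr -match 'tasksystemdll\.exe') {
    $findings.Add("Registry: $desktop\Scrnsave.exe = $scr")
}
# Assumption: the wallpaper registration uses the Wallpaper value of the same key.
$wall = $props.Wallpaper
if ($wall -and $wall -match 'cutekirby\.scr') {
    $findings.Add("Registry: $desktop\Wallpaper = $wall")
}

# 2. Files. Both spellings from post 1 (cutekriby.scr / CuteKirby.Scr) are checked.
$roots = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
           ForEach-Object { $_.DeviceID + '\' })  # local fixed drives only
$candidates = @()
foreach ($name in 'tasksystemdll.exe', 'cutekriby.scr', 'cutekirby.scr') {
    $candidates += Join-Path $sysDir $name
}
foreach ($root in $roots) {
    $candidates += Join-Path $root 'kirbster.exe' # assumption: drive root
}
# Assumption: Sunday payload files may sit in the system or Windows folder or a drive root.
$dirs = @($sysDir, $env:windir) + $roots
foreach ($dir in $dirs) {
    foreach ($name in 'kirbyflood.vbs', 'kirbyflood.bat') {
        $candidates += Join-Path $dir $name
    }
}

foreach ($path in ($candidates | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        # Hash is recorded so the file can be compared with a vendor sample later.
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $findings.Add("File: $path (SHA256 $hash)")
    }
}

if ($findings.Count -eq 0) {
    'No W32/Kifie-D indicators from this thread were found for the current user.'
} else {
    $findings
}
```

The registry check covers only the profile of the user running it, since both values live under HKCU.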
     