









W32/Kucoo Worm
| Name | W32/Kucoo Worm |
| Aliases | W32/Kucoo |
| Discovered on | March 18, 2008 |
Virus Information - W32/Kucoo Worm:
W32/Kucoo is a worm that infects Windows systems and spreads through shared network drives.
Upon execution, the worm copies itself as the following files:
smss.exe in the Current UserProfile\Application Data folder,
smss.exe in the Windows\inf folder,
Sexy Girls.scr in the Windows System folder.
The worm adds the following registry entries so that it loads at each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FrameWorkService
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NT_Authority
It spreads via network shares by copying itself to all mapped network drives as (User_Name)_Fichiers.exe, ..exe and ...exe.
The worm also copies itself to all subfolders of the mapped network drives as (sub_folder name).exe.
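A triage check for the share-copy names described above, written as an added example (not part of the original write-up). It scans a file listing of a mapped drive for the three naming patterns; the sample listing is constructed, and the rule that a (sub_folder name).exe copy sits inside the folder it is named after is an assumption.

```python
from pathlib import PureWindowsPath

# Constructed sample file listing of a mapped drive (illustrative, not real data).
SAMPLE_LISTING = [
    r"Z:\alice_Fichiers.exe",
    r"Z:\..exe",
    r"Z:\...exe",
    r"Z:\Reports\Reports.exe",
    r"Z:\Reports\2008\2008.EXE",
    r"Z:\Reports\q1.xls",
    r"Z:\Tools\setup.exe",
]


def classify(path):
    """Return why a path matches a described Kucoo copy name, or None."""
    p = PureWindowsPath(path)
    name = p.name.lower()  # Windows file names are case-insensitive
    if not name.endswith(".exe"):
        return None
    stem = name[:-4]  # strip ".exe" by hand so dot-only names survive
    if stem in (".", ".."):
        return "dot-only name (..exe / ...exe)"
    if stem.endswith("_fichiers") and len(stem) > len("_fichiers"):
        return "(User_Name)_Fichiers.exe"
    # Assumption: the copy sits inside the subfolder whose name it carries.
    if p.parent.name and stem == p.parent.name.lower():
        return "(sub_folder name).exe"
    return None


def scan(listing):
    """Return (path, reason) for every entry that matches a described name."""
    hits = []
    for path in listing:
        reason = classify(path)
        if reason:
            hits.append((path, reason))
    return hits


if __name__ == "__main__":
    for path, reason in scan(SAMPLE_LISTING):
        print(f"{reason:32} {path}")
```

A hit is a name match only; a legitimate program can share its folder's name, so confirm each hit with an anti-virus scan before removing it.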
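It also adds or modifies the following registry entries, which set Explorer policy restrictions for the current user, including a DisallowRun list that blocks cmd.exe, mmc.exe, rstrui.exe, regedit.exe and regedt32.exe: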
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind: 0x00000001
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1: "cmd.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2: "mmc.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3: "rstrui.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4: "regedit.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5: "regedt32.exe"
