When run, W32/Kapser.A@mm copies itself as the following files:
%WINDIR%\Rundll16.exe
%SYSDIR%\scanregw.exe
%SYSDIR%\Winzip.exe
%SYSDIR%\Update.exe
Adds the value:
"ScanRegistry"="scanregw.exe /scan"
to the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
so that it is run at every system startup.
It sets the value:
"ShowSuperHidden"=0
under the key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
which turns on Explorer's "Hide protected operating system files" option.
Modifies subkeys and values of the key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses]
Tries to delete the following files:
%PROGRAMFILES%\DAP\*.dll
%PROGRAMFILES%\BearShare\*.dll
%PROGRAMFILES%\Symantec\LiveUpdate\*.*
%PROGRAMFILES%\Symantec\Common Files\Symantec Shared\*.*
%PROGRAMFILES%\Norton AntiVirus\*.exe
%PROGRAMFILES%\Alwil Software\Avast4\*.exe
%PROGRAMFILES%\McAfee.com\VSO\*.exe
%PROGRAMFILES%\McAfee.com\Agent\*.*
%PROGRAMFILES%\McAfee.com\shared\*.*
%PROGRAMFILES%\Trend Micro\PC-cillin 2002\*.exe
%PROGRAMFILES%\Trend Micro\PC-cillin 2003\*.exe
%PROGRAMFILES%\Trend Micro\Internet Security\*.exe
%PROGRAMFILES%\NavNT\*.exe
%PROGRAMFILES%\Morpheus\*.dll
%PROGRAMFILES%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%PROGRAMFILES%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%PROGRAMFILES%\Grisoft\AVG7\*.dll
%PROGRAMFILES%\TREND MICRO\OfficeScan\*.dll
%PROGRAMFILES%\Trend Micro\OfficeScan Client\*.exe
%PROGRAMFILES%\LimeWire\LimeWire 4.2.6\LimeWire.jar
It sends itself to harvested e-mail addresses as an attachment. The attachment names pad a decoy archive or document extension with spaces in front of the real .scr or .pif extension, which is what Windows uses to decide how to open the file. The name is chosen from:
392315089702606E-02,UUE .scR
Adults_9,zip .sCR
ATT01.zip .sCR
Atta[001],zip .SCR
Attachments,zip .SCR
Attachments[001],B64 .sCr
Clipe,zip .sCr
New Video,zip .sCr
Photos,zip .sCR
SeX,zip .scR
WinZip,zip .scR
WinZip.zip .sCR
Word XP.zip .sCR
Word.zip .sCR
007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif
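Added example (not part of this description and not vendor code): a Python mail-gateway check that resolves an attachment name the way Windows does, by its last extension, and reports why the name is deceptive. The extension lists are assumptions for the example, and the sample names are the ones listed above plus two constructed benign names.

```python
import re
from typing import List, NamedTuple, Tuple

# Extensions Windows runs as code on double-click (example list, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Extensions a user expects to be plain data, used to spot the "Photos,zip .scR" decoy pattern.
DECOY_EXTS = {"zip", "rar", "uue", "b64", "doc", "xls", "pdf", "jpg", "txt"}

class Verdict(NamedTuple):
    name: str
    real_ext: str        # the extension Windows will actually use to pick a handler
    block: bool
    reasons: Tuple[str, ...]

def analyse_attachment(name: str) -> Verdict:
    reasons = []
    # Windows picks the handler from the text after the LAST dot, case-insensitively,
    # so "Photos,zip .scR" is a screensaver executable whatever precedes it.
    stem, dot, ext = name.rpartition(".")
    real_ext = ext.strip().lower() if dot else ""
    if real_ext in EXECUTABLE_EXTS:
        reasons.append(f"real extension .{real_ext} is executable")
    # Spaces before the final dot push the true extension out of narrow mail-client columns.
    if dot and stem and stem[-1].isspace():
        reasons.append("whitespace padding before the real extension")
    # A data-looking token right before the padding (".zip " or ",zip ") is the decoy.
    m = re.search(r"[.,](\w+)\s*$", stem)
    if m and m.group(1).lower() in DECOY_EXTS:
        reasons.append(f"decoy extension '{m.group(1)}' precedes the real one")
    # Mixed case (.scR, .sCR, .Pif) defeats naive case-sensitive filename filters.
    e = ext.strip() if dot else ""
    if e and e not in (e.lower(), e.upper()):
        reasons.append("mixed-case extension")
    return Verdict(name, real_ext, real_ext in EXECUTABLE_EXTS, tuple(reasons))

def blocked_attachments(names: List[str]) -> List[str]:
    """Names the gateway should quarantine: anything whose real extension is executable."""
    return [v.name for v in map(analyse_attachment, names) if v.block]

# Constructed sample: names from the description plus two benign ones.
SAMPLE_NAMES = [
    "Photos,zip .scR", "ATT01.zip .sCR", "Attachments[001],B64 .sCr",
    "DSC-00465.Pif", "document.pif", "quarterly-report.pdf", "sources.zip",
]

if __name__ == "__main__":
    for v in map(analyse_attachment, SAMPLE_NAMES):
        print("BLOCK" if v.block else "allow", v.name, "->", v.real_ext or "(none)",
              "; ".join(v.reasons))
```

The block decision rests only on the real extension; the other reasons are reported so an analyst can see the deception technique, and they also catch variants that pair a decoy extension with an executable extension not listed here.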
On the 3rd day of every month it overwrites the following files:
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp
and disables antivirus products from some vendors, for example:
SYMANTEC
KASPERSKY
MCAFEE
TREND MICRO
However, F-PROT Antivirus products are not affected.