FRISK Software International


Summary of W32/Kapser.A@mm
Alias: Kama Sutra worm (Press), Email-Worm.Win32.Nyxem.e (KAV), W32/Nyxem-D (Sophos), W32/Tearec.A.worm (Panda), W32/MyWife.d (McAfee), W32.Blackmal.E@mm (Symantec), WORM_GREW.A (Trend)
Discovered: 16 Jan 2006
Definition files: 16 Jan 2006
Risk Level: High
Distribution: Medium
 

Brief Description
W32/Kapser.A@mm is a mass-mailing worm. It kills antivirus processes and deletes files and registry keys belonging to antivirus and P2P programs. On the 3rd day of every month it destroys some files on the infected system.


Technical Description
When run, W32/Kapser.A@mm copies itself as the following files:

%WINDIR%\Rundll16.exe
%SYSDIR%\scanregw.exe
%SYSDIR%\Winzip.exe
%SYSDIR%\Update.exe

Adds the value:

"ScanRegistry"="scanregw.exe /scan"

to the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

to make sure it's run at startup.

Under the key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

it sets the value:

"ShowSuperHidden"=0

which keeps files marked as protected operating system files hidden in Windows Explorer.

Modifies subkeys and values of the key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses]
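
As an added example (not part of the F-PROT description), the following Python script checks the persistence and Explorer changes listed above against a registry export and a file listing taken from a suspect machine, so the check runs offline on any platform. The sample export, the file list, the "ExampleUpdater" value and the parse_reg_export/find_indicators names are constructed for the example; only the key paths, the value data and the dropped file names come from the description.

```python
import re

# Constructed sample of a `reg export` fragment showing both registry changes
# described above (not a real capture). REG_DWORD values are exported as
# dword:XXXXXXXX, which is how the page's "ShowSuperHidden"=0 appears on disk.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"ScanRegistry"="scanregw.exe /scan"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000000
'''

# Constructed file listing (e.g. from `dir /s /b` on the suspect machine).
SAMPLE_FILES = [
    r'C:\WINDOWS\Rundll16.exe',
    r'C:\WINDOWS\notepad.exe',
    r'C:\WINDOWS\system32\scanregw.exe',
]

# Indicators taken from the description above.
RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
ADVANCED_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
RUN_VALUE_NAME = 'ScanRegistry'
RUN_VALUE_DATA = 'scanregw.exe /scan'
DROPPED_FILES = [
    r'%WINDIR%\Rundll16.exe',
    r'%SYSDIR%\scanregw.exe',
    r'%SYSDIR%\Winzip.exe',
    r'%SYSDIR%\Update.exe',
]

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # Undo .reg escaping: a backslash quotes the next character.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    REG_SZ values become str, REG_DWORD values become int; other types are
    kept as their raw right-hand side. Default values ("@=") and multi-line
    hex data are skipped because they are not needed for these indicators.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor') or line == 'REGEDIT4':
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = _unescape(m.group(1))
        rhs = m.group(2).strip()
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            keys[current][name] = _unescape(rhs[1:-1])
        elif rhs.lower().startswith('dword:'):
            keys[current][name] = int(rhs[len('dword:'):], 16)
        else:
            keys[current][name] = rhs
    return keys


def _lookup(reg, key_path, value_name):
    """Case-insensitive lookup of one value, as the registry itself compares names."""
    for key, values in reg.items():
        if key.lower() == key_path.lower():
            for name, data in values.items():
                if name.lower() == value_name.lower():
                    return data
    return None


def find_indicators(reg_text, present_files, windir, sysdir):
    """Return human-readable findings for every indicator from the description that is present."""
    findings = []
    reg = parse_reg_export(reg_text)

    # Windows 9x has a legitimate "ScanRegistry" Run value pointing at the
    # Registry Checker, so compare the full command line, not just the name.
    run_data = _lookup(reg, RUN_KEY, RUN_VALUE_NAME)
    if isinstance(run_data, str) and run_data.strip().lower() == RUN_VALUE_DATA:
        findings.append(f'Run value {RUN_VALUE_NAME!r} = {run_data!r}')

    if _lookup(reg, ADVANCED_KEY, 'ShowSuperHidden') == 0:
        findings.append('ShowSuperHidden=0 (protected operating system files hidden in Explorer)')

    present = {p.lower() for p in present_files}
    for template in DROPPED_FILES:
        path = template.replace('%WINDIR%', windir).replace('%SYSDIR%', sysdir)
        if path.lower() in present:
            findings.append(f'dropped file present: {path}')
    return findings


if __name__ == '__main__':
    for finding in find_indicators(SAMPLE_REG_EXPORT, SAMPLE_FILES, r'C:\WINDOWS', r'C:\WINDOWS\system32'):
        print('[!]', finding)
```

On a live machine the two inputs come from `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for the Explorer\Advanced key under HKCU) and a recursive directory listing; the script itself never touches the registry, which keeps it usable from a forensic workstation.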

It tries to delete the following files:

%PROGRAMFILES%\DAP\*.dll
%PROGRAMFILES%\BearShare\*.dll
%PROGRAMFILES%\Symantec\LiveUpdate\*.*
%PROGRAMFILES%\Symantec\Common Files\Symantec Shared\*.*
%PROGRAMFILES%\Norton AntiVirus\*.exe
%PROGRAMFILES%\Alwil Software\Avast4\*.exe
%PROGRAMFILES%\McAfee.com\VSO\*.exe
%PROGRAMFILES%\McAfee.com\Agent\*.*
%PROGRAMFILES%\McAfee.com\shared\*.*
%PROGRAMFILES%\Trend Micro\PC-cillin 2002\*.exe
%PROGRAMFILES%\Trend Micro\PC-cillin 2003\*.exe
%PROGRAMFILES%\Trend Micro\Internet Security\*.exe
%PROGRAMFILES%\NavNT\*.exe
%PROGRAMFILES%\Morpheus\*.dll
%PROGRAMFILES%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%PROGRAMFILES%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%PROGRAMFILES%\Grisoft\AVG7\*.dll
%PROGRAMFILES%\TREND MICRO\OfficeScan\*.dll
%PROGRAMFILES%\Trend Micro\OfficeScan Client\*.exe
%PROGRAMFILES%\LimeWire\LimeWire 4.2.6\LimeWire.jar

It sends itself to harvested e-mail addresses as an attachment. The attachment's name is chosen from:

392315089702606E-02,UUE .scR
Adults_9,zip .sCR
ATT01.zip .sCR
Atta[001],zip .SCR
Attachments,zip .SCR
Attachments[001],B64 .sCr
Clipe,zip .sCr
New Video,zip .sCr
Photos,zip .sCR
SeX,zip .scR
WinZip,zip .scR
WinZip.zip .sCR
Word XP.zip .sCR
Word.zip .sCR
007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif
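
As an added example, not code from the original page, the following Python heuristic classifies attachment filenames by the tricks visible in the list above: a real .scr or .pif extension, whitespace between the visible name and that extension (the list shows a single space; the check accepts any amount), a decoy archive extension such as ",zip", ".zip", ",UUE" or ",B64" in front of it, and mixed-case spelling of the real extension. It goes beyond the page by also treating .exe and .com as executable, which is an assumption of the example; the classify_attachment/scan_attachments names and the sample attachment list are constructed.

```python
import re

# Extensions Windows will execute on double-click. The page's names all end in
# .scr or .pif; .exe and .com are added here as an assumption so the check
# generalises to other disguised executables.
EXECUTABLE_EXTS = {'scr', 'pif', 'exe', 'com'}
# Harmless-looking extensions the worm places before the real one.
DECOY_EXTS = {'zip', 'uue', 'b64'}

# Constructed test set: names from the list above plus ordinary attachments.
SAMPLE_ATTACHMENTS = [
    'Attachments,zip .SCR',
    'Adults_9,zip .sCR',
    'WinZip.zip .sCR',
    'photo.pif',
    'eBook.PIF',
    'report.pdf',
    'holiday.zip',
]


def classify_attachment(name):
    """Return the reasons a filename looks like a disguised executable.

    An empty list means nothing suspicious was found. The checks mirror the
    tricks visible in the worm's attachment names: a real executable extension,
    whitespace pushed in front of it so it falls out of view in a mail client,
    a decoy archive extension before the real one, and unusual casing.
    """
    reasons = []
    stripped = name.rstrip()
    if '.' not in stripped:
        return reasons
    base, real_ext = stripped.rsplit('.', 1)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return reasons
    reasons.append(f'executable extension .{real_ext.lower()}')

    # "Attachments,zip        .SCR": padding separates the visible name from the real extension.
    if base != base.rstrip():
        reasons.append('whitespace padding before the real extension')

    # A decoy extension at the end of the visible part, separated by '.' or ','.
    visible = base.rstrip()
    m = re.search(r'[.,]([A-Za-z0-9]{2,4})$', visible)
    if m and m.group(1).lower() in DECOY_EXTS:
        reasons.append(f'decoy extension {m.group(0)!r} before the real one')

    # ".sCR", ".Pif": neither all-lowercase nor all-uppercase.
    if not (real_ext.islower() or real_ext.isupper()):
        reasons.append(f'mixed-case extension {real_ext!r}')
    return reasons


def scan_attachments(names):
    """Return [(name, reasons)] for every name that trips at least one check."""
    hits = []
    for name in names:
        reasons = classify_attachment(name)
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == '__main__':
    for name, reasons in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f'{name!r}: ' + '; '.join(reasons))
```

A mail gateway would normally quarantine on the first reason alone (an executable extension); the remaining reasons are useful for triage, because a name that trips three or four of them is almost certainly this family rather than a user's mislabelled file.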

On the 3rd day of every month it overwrites the following files:

*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp

and disables antivirus products from some vendors, for example:

SYMANTEC
KASPERSKY
MCAFEE
TREND MICRO

F-PROT Antivirus products are not affected.


Removal Instructions
For general removal instructions please click here.

Marteinn Þór Harðarson