FRISK Software International


Summary of W32/KilOnce
Alias: Worm.Win32.Kilonce, Killonce, W32.HLLW.Kilonce
Discovered: 27 Nov 2002
Definition files: 27 Nov 2002
Risk Level: Medium
Distribution: Low
Payload: Deletes all files on C: drive after system restart on December 13th

Brief Description
KilOnce is a network worm that closely resembles the Nimda e-mail and network worm, but unlike Nimda it does not spread via e-mail. The worm drew media attention in China at the end of November 2002, but at the time this description was written not a single sample of it had been received from the wild.


Technical Description
It should be noted that the worm has many bugs, which limit its ability to infect computers and to activate its payload.

When the worm's file is run, it first tries to create an EML file in a temporary folder, storing its own MIME-encoded file as Explorer.exe together with the IFrame exploit that allows the attachment to be activated automatically on some systems. Because of a bug, however, the worm's EML file is never created.

Then the worm checks the name of the file it was started from. If it was not started from a file named KILLONCE.EXE, the worm creates a file with that name, copies its contents there and starts it.

If the worm's file is started with the -U command line option, it removes its startup keys from the Registry and exits. Bugs in the worm may, however, prevent this procedure from working.

If the worm's file is started with the -D command line option, it creates a RICHED20.DLL file in the current folder and copies its contents there.

The worm installs itself by copying its file to the Windows folder and to the Recycled folder as KILLONCE.EXE and by adding a startup string to the Run key in the Registry:

 [HKLM\Microsoft\Windows\CurrentVersion\Run]
 "KillOnce" = "%windir%\KILLONCE.EXE"
Here %windir% represents the Windows directory. The worm also modifies the default startup key for EXE files so that its copy is run before any executable file:

 [HKCR\exefile\shell\open\command]
 @ = "%windir%\KILLONCE.EXE "%1" %"
The worm also edits the text file startup key, so that its copy in the Recycled folder is always run when a user opens a text file:

 [HKCR\txtfile\shell\open\command]
 @ = "%recycledir%\KILLONCE.EXE %windir%\NotePad.exe %1"
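The three registry changes above are the part of the infection an administrator can audit most easily. The following Python script is an added example, not code from F-Prot or from the analysis; it parses a registry export in .reg text form and flags the Run value, the hijacked exefile handler and the hijacked txtfile handler. The exports it runs on are constructed samples (the expanded paths C:\WINDOWS and C:\RECYCLED stand in for the %windir% and %recycledir% placeholders used above, and the stock handler values are those of a default Windows installation). The handler checks are written generally: any program inserted ahead of "%1" in the exefile handler, or ahead of notepad.exe in the txtfile handler, is reported, not only KILLONCE.EXE.

```python
import re

# Constructed sample of a Windows registry export (.reg text); not captured from
# an infected system. It reproduces the three changes the description lists.
# Paths are constructed stand-ins for %windir% and %recycledir%.
INFECTED_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KillOnce"="C:\\WINDOWS\\KILLONCE.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\KILLONCE.EXE \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="C:\\RECYCLED\\KILLONCE.EXE C:\\WINDOWS\\NotePad.exe %1"
'''

# Constructed export of the same keys with their stock Windows values.
CLEAN_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleTray"="C:\\Program Files\\Example\\tray.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
TXTFILE_KEY = r"HKEY_CLASSES_ROOT\txtfile\shell\open\command"

# Matches one value line: either @=... (the default value) or "name"=...
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def parse_reg_export(text):
    """Parse .reg text into {key: {value_name: data}}; '' is the (Default) value.

    Only REG_SZ string values are handled, which is all these checks need. A real
    export written by regedit is UTF-16 with a BOM: open it with encoding="utf-16".
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else m.group(2)
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = data[1:-1]
        # .reg files escape backslashes and quotes inside strings as \\ and \"
        keys[current][name] = re.sub(r"\\(.)", r"\1", data)
    return keys


def first_token(command):
    """Return the program a shell command line starts with (quotes removed)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def find_handler_hijacks(keys):
    """Return human-readable findings for the registry changes KilOnce makes."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == "killonce" or "killonce.exe" in data.lower():
            findings.append(f"Run value {name!r} starts {data}")
    exe_cmd = keys.get(EXEFILE_KEY, {}).get("")
    if exe_cmd is not None and first_token(exe_cmd) != "%1":
        findings.append(f"exefile handler runs {first_token(exe_cmd)} before every EXE")
    txt_cmd = keys.get(TXTFILE_KEY, {}).get("")
    if txt_cmd is not None:
        program = first_token(txt_cmd).rsplit("\\", 1)[-1].lower()
        if program != "notepad.exe":
            findings.append(f"txtfile handler runs {first_token(txt_cmd)} instead of notepad.exe")
    return findings


if __name__ == "__main__":
    for label, export in (("infected", INFECTED_REG_EXPORT), ("clean", CLEAN_REG_EXPORT)):
        print(label, find_handler_hijacks(parse_reg_export(export)))
```

On a live system the same checks can be fed from `reg export HKCR\exefile\shell\open\command out.reg` (and the two other keys) read with UTF-16 decoding; the infected sample yields three findings and the clean one none.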
The worm constantly scans the user's personal folders for *.DOC files, but takes no action when it finds one other than incrementing an internal counter.

The worm constantly tries to spread over the network. It enumerates all shared resources, and if it finds a \Windows\RunDll32.exe file on a share, it renames that file to \Windows\Run32.Exe and copies itself in place of the remote RunDll32.exe. Since RunDll32.exe is used at least once per Windows session, the remote computer becomes infected.

The worm scans remote drives for files with certain extensions. When it finds HTM files, it copies itself as SHDOCVW.DLL into the same folder. When it finds DOC files, it copies itself as RICHED20.DLL into the same folder. When it finds EML files that it did not create itself, it deletes them. The worm creates EML and NWS files of its own containing its MIME-encoded attachment and the IFrame exploit. The worm also renames REGEDIT.EXE to REGEDIT.SYS and then copies itself as REGEDIT.EXE to the remote computer.
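The file-system side effects in the two paragraphs above (a copy of the worm named SHDOCVW.DLL beside HTM files, RICHED20.DLL beside DOC files, the renamed REGEDIT.SYS and Run32.Exe, and the KILLONCE.EXE file name) are what a share or drive scan should look for. The Python script below is an added example, not part of the original analysis; it walks a directory tree and reports those indicators, treating a companion DLL as suspicious only when it sits in a folder that also holds the matching document type, since genuine copies of SHDOCVW.DLL and RICHED20.DLL live in the Windows system directory. The directory layout it scans is constructed in a temporary folder with empty stand-in files.

```python
import os
import tempfile

# Companion-file names from the description, keyed by the document extension
# the worm drops them next to.
PLANTED_DLLS = {".htm": "shdocvw.dll", ".doc": "riched20.dll"}
# Names the description says the worm leaves behind when it replaces tools.
RENAMED_TOOLS = {"regedit.sys": "REGEDIT.EXE renamed", "run32.exe": "RunDll32.exe renamed"}
WORM_FILENAME = "killonce.exe"


def scan_tree(root):
    """Walk root and return (path, reason) pairs for KilOnce file indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}          # case-insensitive lookup
        extensions = {os.path.splitext(f)[1].lower() for f in files}
        for lower, original in by_lower.items():
            path = os.path.join(dirpath, original)
            if lower == WORM_FILENAME:
                findings.append((path, "worm executable name"))
            elif lower in RENAMED_TOOLS:
                findings.append((path, RENAMED_TOOLS[lower]))
        for ext, dll in PLANTED_DLLS.items():
            # Flag the DLL only where the worm would have planted it: next to
            # documents of the matching type.
            if dll in by_lower and ext in extensions:
                findings.append((os.path.join(dirpath, by_lower[dll]),
                                 f"{dll} planted beside {ext} files"))
    return findings


def build_sample_tree(root):
    """Create a constructed directory layout; every file is an empty stand-in."""
    layout = [
        "docs/report.doc", "docs/RICHED20.DLL",
        "web/index.htm", "web/SHDOCVW.DLL",
        "clean/notes.txt", "clean/riched20.dll",      # no .doc here: not flagged
        "Windows/REGEDIT.SYS", "Windows/Run32.Exe", "Windows/KILLONCE.EXE",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def demo():
    """Build the sample tree, scan it and return the sorted list of reasons."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(reason for _path, reason in scan_tree(root))


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

Pointing `scan_tree` at a mounted share (for example a mapped drive letter) applies the same checks to the remote drives the worm targets; the constructed tree produces five findings, and the stray riched20.dll in a folder without DOC files is deliberately left unreported.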

The worm adds the Guest account to the Administrators group, so any user logged on as Guest has administrator rights. The worm also shares the hard drives C: through K: on the network.

The worm kills processes whose names contain the strings 'AV' or 'KV', as well as processes named 'LOAD.EXE'. It also tries to delete the files corresponding to the killed processes.

The worm prevents REGEDIT.EXE and MSCONFIG.EXE from running; it shows a message box if a user tries to start either of them.

The worm has a dangerous payload. If the month is December and the date is the 13th, the worm writes a command to AUTOEXEC.BAT that deletes all files on the C: drive after the system restarts.


Analysis: Alexey Podrezov; F-Secure Corp.; November 27th, 2002