Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity HIGH
Payload Overwrites data files, terminates AV processes
Detection files published
Description created 18 Jan 2006 04:46:00
Description updated 26 Jan 2006 04:46:00
Malware type WORM
Alias W32/Nyxem-D
  W32.Blackmal.E
  W32/MyWife.d@MM
  Email-Worm.Win32.VB.bi
  WORM_GREW.A
  W32/Kapser.A@mm
  W32/VB.NEI
  Worm/KillAV.GR
Spreading mechanism EMAIL
  NETWORK
  OTHER
Summary None

W32/Small.KI@mm

Spreading

This worm sends itself to email addresses found on the local system and also copies itself to shared drives. The emails it sends carry either an executable attachment or a MIME object containing a uuencoded copy of the worm.
It copies itself to %SYSTEM%\scanregw.exe and %WINDOWS%\Rundll16.exe. Rundll16.exe is given the hidden and system file attributes so that it does not show up in default directory listings.
It adds the value ScanRegistry="scanregw.exe /scan" under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so that it is started with Windows.
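The following PowerShell sweep is an added example, not part of the Lumension description, that checks a host for the three artifacts named above: the two dropped copies (reading hidden/system files with -Force) and the ScanRegistry Run value. It assumes an NT-family Windows where %SYSTEM% resolves to %SystemRoot%\System32; on Windows 9x/ME the system directory is %WINDOWS%\System and a legitimate Registry Checker also lives under %WINDOWS% and registers its own ScanRegistry Run value, so the check reports an exact match on the description's value "scanregw.exe /scan" as a hit and any other ScanRegistry value only for manual review. Run it from an elevated session so the %WINDOWS% copy is readable.

```powershell
# Added example (not from the original description): sweep a Windows host for
# the file and registry artifacts attributed to W32/Small.KI@mm.

function Test-SmallKIArtifacts {
    [CmdletBinding()]
    param()

    $findings = @()

    # Dropped copies named in the description. %SYSTEM% is assumed to be
    # %SystemRoot%\System32 (NT-family Windows); adjust for Windows 9x/ME.
    $dropPaths = @(
        (Join-Path $env:SystemRoot 'System32\scanregw.exe'),
        (Join-Path $env:SystemRoot 'Rundll16.exe')
    )
    foreach ($path in $dropPaths) {
        # -Force is required: Rundll16.exe carries the Hidden and System
        # attributes and would otherwise be skipped.
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Confidence = 'High'
                Type       = 'File'
                Location   = $item.FullName
                Detail     = "Attributes=$($item.Attributes); Size=$($item.Length); Written=$($item.LastWriteTime)"
            }
        }
    }

    # Persistence: the ScanRegistry value under the machine-wide Run key.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['ScanRegistry']) {
        $value = [string]$run.ScanRegistry
        # -eq is case-insensitive in PowerShell. The exact value from the
        # description is a hit; anything else (e.g. the Windows 9x Registry
        # Checker's own entry) is surfaced for a human to look at.
        $confidence = if ($value.Trim() -eq 'scanregw.exe /scan') { 'High' } else { 'Review' }
        $findings += [pscustomobject]@{
            Confidence = $confidence
            Type       = 'Registry'
            Location   = "$runKey\ScanRegistry"
            Detail     = "Value=$value"
        }
    }

    return $findings
}

$hits = Test-SmallKIArtifacts
if ($hits.Count -eq 0) {
    Write-Output 'No W32/Small.KI@mm artifacts found on this host.'
} else {
    $hits | Sort-Object Confidence | Format-Table -AutoSize -Wrap
}
```

A clean host returns no findings; a High-confidence File or Registry row is the indicator the description gives, and the Written timestamp on the dropped copies is a useful pivot for the infection window. Because the worm also copies itself to shared drives, a hit on one machine is a reason to run the same sweep across every host that maps the same shares.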

Payload Details

The primary destructive payload is the corruption of data files of the types listed below on the 3rd day of every month:
  *.doc
  *.xls
  *.mdb
  *.mde
  *.ppt
  *.pps
  *.zip
  *.rar
  *.pdf
  *.psd
  *.dmp
These are document and archive formats that typically hold data of high value to their owner. Regardless of whether an infection is suspected, users should back up such material regularly to prevent data loss.
The worm also searches for files belonging to antivirus, file-sharing and system-protection products and deletes them.
A selection of the folders it searches for and deletes files in:
  DAP
  BearShare
  Symantec
  Norton AntiVirus
  Alwil Software\Avast4
  McAfee.com
  Trend Micro
  NavNT
  Kaspersky Lab
  Grisoft\AVG7
  LimeWire
  Morpheus
  HyperTechnologies\Deep Freeze
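The inventory script below is an added example, not part of the Lumension description, that helps with the backup advice above and with triage after an infection. It enumerates files with the eleven extensions the payload targets (only those extensions; newer formats such as .docx are not in the description's list and are deliberately not added), summarises exposure per extension so the figures can be checked against backup coverage, and flags files whose last write fell on the 3rd of a month, since an overwrite by the payload updates that timestamp. The root paths and the day-of-month parameter are assumptions chosen for illustration.

```powershell
# Added example (not from the original description): inventory files of the
# types W32/Small.KI@mm overwrites, and flag those last written on the 3rd.

function Get-SmallKIAtRiskFiles {
    [CmdletBinding()]
    param(
        # Roots to scan; assumption for illustration, e.g. user profiles and shares.
        [Parameter(Mandatory)] [string[]] $Root,
        # Day of month the description gives for the destructive payload.
        [int] $TriggerDay = 3
    )

    # Extensions exactly as listed in the description.
    $targets = '.doc','.xls','.mdb','.mde','.ppt','.pps','.zip','.rar','.pdf','.psd','.dmp'

    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $targets -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Path                = $_.FullName
                Extension           = $_.Extension.ToLower()
                Length              = $_.Length
                LastWriteTime       = $_.LastWriteTime
                WrittenOnTriggerDay = ($_.LastWriteTime.Day -eq $TriggerDay)
            }
        }
}

# Example run over the current user's profile (assumed path for illustration).
$files = Get-SmallKIAtRiskFiles -Root $env:USERPROFILE

# Exposure summary: how much data of each type the payload would destroy,
# to be compared against what the backup set actually covers.
$files |
    Group-Object Extension |
    Select-Object Name, Count,
        @{ Name = 'SizeMB'; Expression = { [math]::Round((($_.Group | Measure-Object Length -Sum).Sum) / 1MB, 1) } } |
    Sort-Object SizeMB -Descending |
    Format-Table -AutoSize

# Triage list: candidates for having been overwritten on a trigger day.
$files |
    Where-Object WrittenOnTriggerDay |
    Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, Path |
    Format-Table -AutoSize -Wrap
```

The trigger-day filter is a coarse sieve rather than proof of damage: legitimate edits on the 3rd appear in it too, so open a sample of flagged files (or compare hashes against the last backup) before concluding that the payload fired. The per-extension totals are the more important output on a clean system, because they show what would be lost if it did.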

Analysis

n/a

Removal

This worm is detected and removed using definitions from January 17th 2006 or later. Read more about how to identify and stop malware spreading through network shares in our article Stopping network share infectors.


Last Updated: 12 Nov 2015 11:06:12