Damage
Payload: Mails itself to the addresses it collects (the user's MSN Messenger contacts) and deletes files belonging to certain antivirus products.
Large-scale e-mailing: Attempts to send itself to every e-mail address it finds (harvested from the user's MSN Messenger contact list).
Deletes files: deletes "C:\archiv~1\perav\pav.dll", "C:\archiv~1\perav\per.dll", "C:\program files\perav\pav.dll", "C:\program files\perav\per.dll", "%Windows%\PAV.EXE", "%Windows%\bases\avp.set", "%Windows%\system\vshield.vxd", "%Windows%\system32\vshield.vxd", and "%Windows%\vshield.vxd"
Compromises security settings: deletes files necessary to certain antivirus products and tampers with their startup registry entries
Distribution
Subject of email: varies
Name of attachment: varies
Size of attachment: 236,032 bytes
W32.Kitro.C.Worm arrives by email as an attachment with the .cpl (Control Panel applet) extension. Windows runs a .cpl file through rundll32.exe and shell32.dll's Control_RunDLL entry point, so opening the attachment executes the worm. When executed, it does the following:
It copies itself to the root of the hard drive and to the Windows folder (usually C:\Windows or C:\WINNT). The file name it uses is a random number with the .cpl extension, for example 1708.cpl.
To run each time the computer is restarted, it adds a value to the key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The value name is the random number and the value data launches the copied file through the Control Panel host, for example
1708 rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\1708.cpl
W32.Kitro.C.Worm collects the email addresses of the user's MSN Messenger contacts from the registry key
HKEY_CURRENT_USER\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service
and attempts to send itself to them through the SMTP server mail.hotmail.com. The characteristics of the email message are described below. After successfully sending itself, W32.Kitro.C.Worm creates a copy of itself named zero.exe in the Windows directory.
While building the address list, W32.Kitro.C.Worm uses temporary files named commfig.sys and k32.vxd in the Windows directory.
W32.Kitro.C.Worm also attempts to spread through the Kazaa peer-to-peer network. It tries to read the registry value
HKEY_CURRENT_USER\Software\Kazaa\Transfer\DlDir0
(the Kazaa download/share folder) and, if it succeeds, copies itself into that folder under one of the following names, making itself available for other Kazaa users to download:
DivResidentEvil.ZIP.cpl
SpidermanDesktop.cpl
AVP_KeyActualization2002.ZIP .cpl
Messenger_skins.ZIP .cpl
Porno_sTar.cpl
CannibalCorpse.MP3 .cpl
ASickofitall.Zip .cpl
AXEbahia.cpl
NuevosVideosProfesorRossa.cpl
NewVideo_Blink182.cpl
LagWagon&Blink182.cpl
Hacking.cpl
AllMcAfeeCrack.Cpl
Britney_spearsVSDavidBeckham_AnalPasions.cpl
Crack.PerAntivirus.Zip .cpl
JamieThomasVSrodneyMullen.cpl
MariguanaDesktop.cpl
AgeOfEmpires2_Crack.cpl
PSX2_Emulation.Zip .cpl
GameCube.Zip .cpl
Mames.Zip.cpl
Crack_Delphi5and6.Zip .cpl
terminator2.cpl
BinladenF*ckinBillGates.cpl
AnalPasswords.cpl
ElvisDesktop.cpl
B.cpl
Z.cpl
AVP_Spanish.cpl
ZoneAlarmCrack.cpl
HardXCore.cpl
PhotoShop6.xCrack.cpl
BioHazard.cpl
VisualBasic.Net.cpl
Zidane.Taliban.cpl
VideoPortoSeguro.cpl
PSX2EmulatorFree.Zip .cpl
sexo_en_la_calle.cpl
sexo_anal_full_video.cpl
sexo_oriental_full_video.cpl
muertes_videos.cpl
fullvideo_anal_action.zip .cpl
To evade detection by some antivirus products, W32.Kitro.C.Worm tampers with their data files and registry information. It changes the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SharedFiles\Folder
to point to the Windows directory, and alters the value
PAV.EXE C:\WINDOWS
in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
so that the PAV.EXE startup entry (value name PAV.EXE, value data C:\WINDOWS) no longer points at the antivirus executable, probably in an attempt to prevent the antivirus program from running at startup.
In addition it deletes the following files if they are present on the system:
C:\archiv~1\perav\pav.dll
C:\archiv~1\perav\per.dll
C:\program files\perav\pav.dll
C:\program files\perav\per.dll
and the following files from the Windows folder:
PAV.EXE
\bases\avp.set
\system\vshield.vxd
\system32\vshield.vxd
\vshield.vxd
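The persistence and antivirus-tampering indicators described above can be checked programmatically. The following Python script is an added example written for this page, not code from Symantec or from the original write-up. It scans Run-key values for the rundll32.exe shell32.dll,Control_RunDLL <number>.cpl autorun, flags a PAV.EXE startup entry whose data is a bare directory rather than an executable, and checks whether the KasperskyLab SharedFiles Folder value has been redirected to the Windows directory. The registry values embedded below are constructed sample data for the example; the read_key_values helper is an assumption of this example (it uses only Python's standard winreg module) and reads the live keys when the script runs on Windows.

```python
import re
import sys

# Constructed sample data for this example (not taken from a real host).
# HKCU Run: the worm's autorun entry (random numeric name) beside a benign one.
HKCU_RUN_SAMPLE = {
    "1708": r"rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\1708.cpl",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
# HKLM Run: the tampered PAV.EXE entry whose data is a bare directory.
HKLM_RUN_SAMPLE = {
    "PAV.EXE": r"C:\WINDOWS",
    "SomeAgent": r"C:\Program Files\Agent\agent.exe /tray",
}
# KasperskyLab\SharedFiles\Folder after the worm has redirected it.
KASPERSKY_FOLDER_SAMPLE = r"C:\WINDOWS"

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
KASPERSKY_SUBKEY = r"SOFTWARE\KasperskyLab\SharedFiles"

# Autorun shape from the write-up: a .cpl launched through the Control Panel host.
CPL_AUTORUN = re.compile(
    r"rundll32(?:\.exe)?\s+shell32\.dll\s*,\s*Control_RunDLL\s+(?P<path>\S+\.cpl)\b",
    re.IGNORECASE,
)


def scan_run_values(hive, values):
    """Return a list of findings for one Run key given {value_name: value_data}."""
    findings = []
    for name, data in values.items():
        m = CPL_AUTORUN.search(data)
        if m:
            path = m.group("path")
            stem = path.rsplit("\\", 1)[-1][:-4]  # "1708.cpl" -> "1708"
            # An all-digits .cpl name is the worm's naming scheme; any other
            # Control_RunDLL autorun is worth a look but is not proof by itself.
            severity = "high" if stem.isdigit() else "medium"
            findings.append({"hive": hive, "name": name, "severity": severity,
                             "reason": f"Control_RunDLL autorun of {path}"})
        elif name.upper() == "PAV.EXE" and not data.lower().rstrip().endswith(".exe"):
            findings.append({"hive": hive, "name": name, "severity": "high",
                             "reason": f"antivirus startup entry points at '{data}', not an executable"})
    return findings


def kaspersky_folder_redirected(value, windows_dir=r"C:\WINDOWS"):
    """True when SharedFiles\\Folder has been pointed at the Windows directory."""
    return value.rstrip("\\").lower() == windows_dir.rstrip("\\").lower()


def read_key_values(hive_name, subkey):
    """Read all values of a registry key on a live Windows host; {} elsewhere
    or when the key does not exist. Assumed helper for this example."""
    if sys.platform != "win32":
        return {}
    import winreg
    root = winreg.HKEY_CURRENT_USER if hive_name == "HKCU" else winreg.HKEY_LOCAL_MACHINE
    out, i = {}, 0
    try:
        with winreg.OpenKey(root, subkey) as key:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                out[name] = str(data)
                i += 1
    except OSError:
        pass
    return out


def triage(hkcu=None, hklm=None, kaspersky_folder=None):
    """Run all checks; falls back to the constructed samples when no data is given."""
    hkcu = HKCU_RUN_SAMPLE if hkcu is None else hkcu
    hklm = HKLM_RUN_SAMPLE if hklm is None else hklm
    folder = KASPERSKY_FOLDER_SAMPLE if kaspersky_folder is None else kaspersky_folder
    findings = scan_run_values("HKCU", hkcu) + scan_run_values("HKLM", hklm)
    if kaspersky_folder_redirected(folder):
        findings.append({"hive": "HKLM", "name": "KasperskyLab\\SharedFiles\\Folder",
                         "severity": "medium", "reason": f"redirected to {folder}"})
    return findings


if __name__ == "__main__":
    if sys.platform == "win32":
        results = triage(read_key_values("HKCU", RUN_SUBKEY),
                         read_key_values("HKLM", RUN_SUBKEY),
                         read_key_values("HKLM", KASPERSKY_SUBKEY).get("Folder", ""))
    else:
        results = triage()
    for f in results:
        print(f"[{f['severity']}] {f['hive']} {f['name']!r}: {f['reason']}")
```

A hit from this script is a trigger for the full antivirus scan and the manual registry clean-up described later in this write-up, not a replacement for them: the script does not look for the .cpl copies in the root and Windows folders, the zero.exe copy, or the Kazaa share, and a Control_RunDLL entry with a non-numeric file name is reported at medium severity only because it does not match the worm's naming scheme.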
W32.Kitro.C.Worm contains several possible email formats, using various subject lines and attachment names.
Possible subject lines (the worm's literal, mostly Spanish, strings):
Esta si que es zorra!!!
Fotos de asesinatos, Jack el Destripador, Charles Manson, y muchos mas para decorar tu escritorio.
Yeahhh Mutha Facka... NY Brookling in your NET.
Genera passwords para poder entrar a las webs mas putonas de la red, y gratis, incluso podras bajar peliculas porno.
Para los verdaderos amigos...
Test de amor.
30 pregutas para saber si tu pareja te enga
!La imagen de cristo en un bosque.
mira como seria un mundial en la antigua mesopotamia.
Fotos de Cristo para decorar tu escritorio.
Te han enviado una postal.
Te acuerdas de mi?
Asi se hace el amor...
Asi me gusta a mi...
Esto doleria mucho, mucho :-).
Si esto no me lo regresas me sentire mal.
La vida despues de la muerte.
Me cambie de correo, aver si ahora me escribes...
Leelo y reenvialo a quienes mas amas.
Cancion de amor, para ti.
Paulina Rubio y su zorrita cosmica...
No todo lo que uno lea sobre el servicio de webmail de Microsoft es cierto.
!Ver el listado de falsas alarmas.
!ja, la han cagado con este video.
Bin Laden DT de la seleccion de arabia...
Bin Laden nuevo goliador de Arabia saudita , jaaaaaaa.
Bin Laden presidente de la FIFA.
Dime que te parece esta animacion.
Una broma para las secretarias, ja ja.
Test para secretarias, para saber que tan tontas son.
41 preguntas para saber si alguien es sicopata.
mira esto es mas ordinario que gato con hanta, juaaaaaaaaaaaa.
listado de ultimas mentiras que circulan por los mails.
Last hoaxes list.
Hola
como te gustarian este par de tetitas.
Leelo y reenvialo a quienes mas amas.
mira esto es mas ordinario que gato con hanta, juaaaaaaaaaaaa.
listado de ultimas mentiras que circulan por los mails.
Bin Laden killing muthaFaka bill gates.
mira como seria un mundial en la antigua mesopotamia
Possible corresponding attachments:
zorrita.cpl
jack.cpl
sickofitall.cpl
analpasswords.cpl
poema_angelical.cpl
testdeamor.cpl
Adulterio_en_tus_narices.cpl
Cristo.cpl
mundial.cpl
cristo2002.cpl
postal_de_mi_alma.cpl
estesoyyo.cpl
milposiciones.cpl
como_como.cpl
por_ahi_noooooo.cpl
lomasimportante.cpl
vidaymuerte.cpl
siemprevivir@setnet.cpl
milvidas.cpl
comoolvidarte.cpl
paulinasex.cpl
mentiras_en_hotmail.cpl
listado_de_hoaxes.cpl
zapato_en_el_culo.cpl
binladenDT.cpl
gooooooool.cpl
Fifaladen.cpl
788782.cpl
secretarias.cpl
test_secretontas.cpl
sere_yo_uno_de_esos.cpl
scarycrai.cpl
mentiras_mails.cpl
mcaffehoaxlist.cpl
tetris2002.cpl
zandias_meloones.cpl
quien_como_tu.cpl
portymore.cpl
listado_de_porquerias.cpl
billgatesscream.cpl
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files. Note that this worm arrives as a .cpl file, an extension not on that list but one that Windows executes in the same way, so it should be blocked as well.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
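The attachment-blocking advice above is the one practice on this list that W32.Kitro.C.Worm directly tests, because its .cpl attachments are not on the recommended extension list. The following Python script is an added example written for this page, not code from Symantec or from the write-up; it applies the page's extension list and a hardened list with .cpl added to a constructed set of attachment names drawn from the write-up plus benign files, normalising names the way Windows does (trailing spaces and dots are dropped, the last dot-suffix decides the handler) so that a Kazaa-style name such as "Messenger_skins.ZIP .cpl" is still recognised as a .cpl. As a generalisation beyond the page, should_block also accepts the attachment's leading bytes and blocks any Windows PE image (the "MZ" signature every .exe, .dll, .cpl or .scr file starts with) regardless of its extension; the sample names and byte strings are constructed for the example.

```python
import os

# Block list exactly as the write-up recommends ...
PAGE_BLOCKLIST = {".vbs", ".bat", ".exe", ".pif", ".scr"}
# ... and with .cpl added, the extension this worm actually arrives with.
HARDENED_BLOCKLIST = PAGE_BLOCKLIST | {".cpl"}

# Constructed sample: attachment and Kazaa names from the write-up plus benign files.
SAMPLE_ATTACHMENTS = [
    "zorrita.cpl",
    "Messenger_skins.ZIP .cpl",   # "double extension" with a space, as in the Kazaa list
    "AllMcAfeeCrack.Cpl",         # mixed-case extension
    "setup.exe",
    "report.pdf",
    "holiday.jpg",
]


def effective_extension(filename):
    """Final extension, lower-cased, after the normalisation Windows itself applies.
    Win32 drops trailing spaces and dots from a file name, so 'x.ZIP .cpl ' is
    still opened as a .cpl; only the last dot-suffix selects the handler."""
    name = filename.strip().rstrip(". ")
    return os.path.splitext(name)[1].lower()


def is_pe_image(head):
    """True when the leading bytes carry the MZ signature of a Windows PE file
    (.exe, .dll, .cpl, .scr all start this way). Constructed check, not from the page."""
    return head[:2] == b"MZ"


def should_block(filename, blocklist=HARDENED_BLOCKLIST, head=b""):
    """Block on extension, or on content when the first bytes are available:
    a renamed binary such as 'cute.jpg' with an MZ header is still stopped."""
    return effective_extension(filename) in blocklist or is_pe_image(head)


def blocked_names(filenames, blocklist):
    """Sorted list of the names a gateway using `blocklist` would stop (names only)."""
    return sorted(f for f in filenames if should_block(f, blocklist))


if __name__ == "__main__":
    print("page list blocks:", blocked_names(SAMPLE_ATTACHMENTS, PAGE_BLOCKLIST))
    print("with .cpl added: ", blocked_names(SAMPLE_ATTACHMENTS, HARDENED_BLOCKLIST))
    print("renamed PE as .jpg blocked:", should_block("cute.jpg", PAGE_BLOCKLIST, b"MZ\x90\x00"))
```

With the page's list alone only setup.exe is stopped and every one of the worm's .cpl attachments passes; adding .cpl closes that gap, and the content check catches the next trick, a renamed executable, which no extension list can.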
NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Update the virus definitions, run a full system scan, and delete all files that are detected as W32.Kitro.C.Worm.
2. Delete the value that looks similar to
rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\1708.cpl
from the registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
3. Also delete the value
PAV.EXE C:\WINDOWS
from the registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
For details on how to do this, read the following instructions.
NOTE: Before proceeding, Windows Me and Windows XP users should temporarily turn off System Restore. This feature, which is enabled by default, is used by Windows Me/XP to restore files on your computer in case they become damaged. When a computer is infected with a virus, worm, or Trojan, it is possible that the virus, worm, or Trojan could be backed up by System Restore. By default, Windows prevents System Restore from being modified by outside programs. As a result, there is the possibility that you could accidentally restore an infected file, or that on-line scanners would detect the threat in that location. For instructions on how to turn off System Restore, read your Windows documentation or one of the following articles:
How to disable or enable Windows Me System Restore.
How to disable or enable Windows XP System Restore.
For additional information, and an alternative to disabling Windows Me System Restore, see the Microsoft Knowledge Base article Anti-Virus Tools Cannot Clean Infected Files in the _Restore Folder, Article ID: Q263455
To scan for and delete the infected files:
1. Obtain the most recent virus definitions. There are two ways to do this:
Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.
Intelligent Updater virus definitions, and detailed instructions on how to download and install them, are available from the Symantec Security Response Web site.
2. Start your Symantec antivirus software and make sure that it is configured to scan all files.
Norton AntiVirus Consumer products: Read the document How to configure Norton AntiVirus to scan all files.
Symantec Enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
3. Run a full system scan.
4. If any files are detected as infected by W32.Kitro.C.Worm, click Delete.
To remove the values from the registry:
CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.
1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
4. In the right pane, locate the value that looks similar to the following example and delete it:
rundll32.exe shell32.dll,Control_RunDLL C:\WINDOWS\1708.cpl
5. Next, Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
6. In the right pane, locate the value that looks similar to the following example and delete it:
PAV.EXE C:\WINDOWS
7. Click Registry, and click Exit.
Revision History:
NOTE: Definitions prior to July 8th 2002 may detect this threat as W32.Duni.Worm.
Write-up by: Patrick Nolan and Frederic Perriot