Virus Database


Worm.Win32.Kibuv.b

Description Worm.Win32.Kibuv.b

This worm spreads via the Internet and exploits a vulnerability in Windows. It also uses FTP and IRC channels to spread.
The worm itself is a Windows PE EXE file of approximately 28KB in size, packed using UPX.
It is based on the source code of Backdoor.SdBot.
Propagation
The worm scans networks, choosing random IP addresses. It then probes these addresses for RPC, LSASS and IIS 5.0 vulnerabilities. It also checks port 5554 for FTP components of Worm.Win32.Sasser, and for backdoor components left by I-Worm.Bagle.
When it finds a machine with any one of the above characteristics, the worm uses the appropriate exploit to infect the system. It then launches an FTP server on port 7955.
It also installs a backdoor on port 420 to receive remote commands. The worm enters the IRC server and waits for a command to attack. It also sends a link to itself to all new entrants to the IRC channel.


I-Worm.Kitro.a

Description I-Worm.Kitro.a

Kitro is a family of Internet worms. They spread using infected e-mail messages and the Kazaa peer-to-peer network. All versions of the worm obtain e-mail addresses from the .NET Messenger contact list, and send infected messages to these addresses.
Messages sent by these worms may have different subjects, bodies, and attached files. They are sent using direct SMTP access to the "mail.hotmail.com" server.
This version of the worm is able to spread only by sending itself in e-mail attachments. The worm is an EXE file; its size is 220160 bytes.
Installation
The worm copies itself to the following locations:
c:\system32.exe
c:\archiv~1\psycho.scr
The worm also sets up its copy in the root directory of disk C: to start automatically with Windows by writing the following registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msn"="c:\system32.exe"
The worm gathers information about .NET Messenger contact recipients by reading "Permission" values from the following registry key:
[HKEY_CURRENT_USER\Software\Microsoft\MessengerService\ListCache\.NET Messenger Service]
Value names: Allow0, Allow1, etc.
It writes all addresses gathered into the file named kiltro.dat in the current directory. Messages that are sent by the worm contain an attached file named Psycho.scr. If the worm finds its copy already installed in the system it hides the system tray window and shows some messages.
Other
The worm creates the following text files:
c:windat.vxd
c:windat.dll
with the following contents:
Programado en Santiago de Chile por ErGrone

I-Worm.Kitro.b

Description I-Worm.Kitro.b

Kitro is a family of Internet worms. They spread using infected e-mail messages and the Kazaa peer-to-peer network. All versions of the worm obtain e-mail addresses from the .NET Messenger contact list, and send infected messages to these addresses.
Messages sent by these worms may have different subjects, bodies, and attached files. They are sent using direct SMTP access to the "mail.hotmail.com" server.
This version of the worm is intended to spread both via e-mail messages and the Kazaa network. Due to errors in its code, the worm may fail to execute and replicate properly. The worm is a Control Panel applet (a file with the "CPL" extension); its size is 236032 bytes.
Installation
The worm copies itself to the Windows directory and the root directory of disk C: with a random name consisting of digits and "CPL" extension (for example, "832.cpl"). It also sets its copy up to load automatically when Windows starts by writing the following registry value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Worm's file name)"="rundll32.exe shell32.dll,Control_RunDLL (Worm's file name)"
for example,
"832.cpl"="rundll32.exe shell32.dll,Control_RunDLL 832.cpl"
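The autorun entries described for Kitro.a and Kitro.b can be checked for in an exported copy of the current user's Run key. The following is an added example, not part of the original descriptions: the function name and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Constructed sample: text of a `reg export` of the HKCU Run key (not from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msn"="c:\\system32.exe"
"832.cpl"="rundll32.exe shell32.dll,Control_RunDLL 832.cpl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Mouse"="rundll32.exe shell32.dll,Control_RunDLL main.cpl"
'''

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
# "name"="data" lines; .reg files escape backslashes and quotes with a backslash.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Kitro.b: the value name is a digits-only .cpl and the data loads that same file.
CPL_NAME = re.compile(r'^\d+\.cpl$', re.I)
CPL_DATA = re.compile(r'^rundll32(?:\.exe)?\s+shell32\.dll,Control_RunDLL\s+(\S+)$', re.I)

def unescape(s):
    """Undo .reg string escaping of backslashes and quotes."""
    return re.sub(r'\\(.)', r'\1', s)

def find_kitro_autoruns(reg_text):
    """Return (variant, value_name, data) for Run values matching the descriptions."""
    hits, in_run = [], False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only values under the current user's Run key are considered.
            in_run = line.strip("[]").lower() == RUN_KEY
            continue
        m = VALUE_LINE.match(line) if in_run else None
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        # Kitro.a: value "msn" pointing at system32.exe in the root of C:
        if name.lower() == "msn" and data.lower() == r"c:\system32.exe":
            hits.append(("I-Worm.Kitro.a", name, data))
        cpl = CPL_DATA.match(data)
        if CPL_NAME.match(name) and cpl and cpl.group(1).lower() == name.lower():
            hits.append(("I-Worm.Kitro.b", name, data))
    return hits

if __name__ == "__main__":
    for variant, name, data in find_kitro_autoruns(SAMPLE_EXPORT):
        print(f"{variant}: {name!r} -> {data}")
```

The legitimate `main.cpl` and `ctfmon.exe` entries in the sample are not flagged, because the Kitro.b check requires a digits-only applet name that matches the value name.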
Replication
The worm obtains the e-mail addresses of the .NET Messenger contact list recipients, and writes them to the files called "commfig.sys" and "K32.vxd" in the Windows directory. Then it tries to send infected e-mails to these addresses. Due to errors in the worm's code, the worm may not be able to replicate.
Other
The worm tries to disable Kaspersky Anti-Virus and Panda Antivirus software by modifying the Windows system registry.
It also searches for and tries to close windows with the 'Panda ActiveScan - Microsoft Internet Explorer' title, and to delete files at the following locations:
(Kaspersky Anti-Virus common files path)\Bases\avp.set
C:archiv~1peravpav.dll
C:archiv~1peravper.dll
C:program filesperavpav.dll
C:program filesperavper.dll
(Windows directory)\vshield.vxd
(Windows directory)\system32\vshield.vxd

    Copyright © 2005 Virus-Database.com