[pchelpers] News:Kucoo Worm Spreads Via Shared Drives

March 18, 2008

At least two security vendors have issued alerts for W32/Kucoo, a worm
that will infect Windows systems and spreads through shared network
drives.

Upon execution, the worm copies itself as the following files:

  * smss.exe in the Current UserProfile\Application Data folder,
  * smss.exe in the Windows\inf folder,
  * Sexy Girls.scr in the Windows System folder.

The Trojan modifies registry at the following location to load itself
during each startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\FrameWorkService 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
\NT_Authority

It spreads itself via network shares by copying itself to all the mapped
network drives as (User_Name)_Fichiers.exe, ..exe and ...exe.

The Trojan also copies itself to all the subfolders of the mapped
network drives as (sub_folder name).exe.

Sourced from:
http://www.esecurityplanet.com/alerts/article.php/3734871

More information at:
http://vil.nai.com/vil/content/v_144253.htm
-- 
John Durham
Site http://modecideas.com
Server hosted on Ubuntu 4.10
Good advice is like good paint. It only works when applied.



-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.

Other related posts: