W32/Kwbot.worm

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum DAT

4209 (2002-06-26)

Updated DAT

4251 (2003-03-05)

Minimum Engine

5.1.00

File Length

Approx 20kb

Description Added

2002-07-08

Description Modified

2002-11-15

Malware Proliferation

Characteristics

This threat is considered a Low-Profiled risk as it is currently a low risk threat that has had some media attention.

This is an IRC backdoor trojan, and KaZaa spreading worm. When run, the worm copies itself the Windows\System directory and creates 2 registry key values to run at startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\Windows Explorer Update Build 1142=explorer32.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
RunServices\Windows Explorer Update Build 1142=explorer32.exe

The worm acts as a remote access trojan. It contains an IRC client that connects to a specified IRC channel and waits for commands from an attacker. These commands include instructions for the infected machine to:

Initiate a Denial of Service attack,
Open/close the CD-ROM tray,
Download files,
Update the version of the worm,
Uninstall the worm,
Send system information (CPU, RAM, Disk space, OS version, uptime, etc),
Send IRC messages

The worm also copies itself to the KaZaa shared folder with many different file names to trick users into downloading and running it. Such as (---- denotes masked obscenity):

100 Hot Hardcore Preteen Wallpapers (xxx p----y lesbian sl-t c--t f--k anal).exe
100 Hot lesbian wallpapers (xxx p----y lesbian sl-t c--t f--k).exe
100 XXX Passwords (verified 3-24-02).exe
1001 Mixed Drinks.exe
2000 Playboy centerfold wallpapers (xxx p----y lesbian sl-t c--t f--k).exe
2001 Playboy centerfold wallpapers (xxx p----y lesbian sl-t c--t f--k).exe
2002 Playboy centerfold wallpapers (xxx p----y lesbian sl-t c--t f--k).exe
A+ Certification Ultimate Study Guide.exe
ACDSee 4.1 cracked.exe
Adobe Photoshop 6 Ultimate Study Guide.exe
Adobe Photoshop 6.0.exe
Adobe Photoshop.exe
Adult Check Password Cracker (xxx p----y lesbian sl-t c--t f--k anal incest).exe
AIM hacker.exe
All Cliff notes (cliff's).exe
ANSI C Ultimate Study Guide.exe
AOL Hacker.exe
BabylonX Backdoor.exe
BabylonX password cracker.exe
Bandwidth Booster 4.2 for Cable
BlackICE Defender.exe
Borland C++ Builder 8.0 iso.exe
Britney Spears nude wallpaper (xxx p----y lesbian sl-t c--t f--k).exe
BRUTAL FORCED PRETEEN ANAL SEX (xxx f--k anal lesbian c-m sc-t bukkake hentai).exe
C++ Ultimate Study Guide.exe
Cable Modem Anonymizer.exe
Cable Uncapper.exe
Christina Aguilera nude wallpaper (xxx p----y lesbian sl-t c--t f--k).exe
CloneCD Crack (all versions) core.exe
CloneCD Keygen.exe
CloneCD.exe
College Biology Ultimate Study Guide.exe
College Chemistry Ultimate Study Guide.exe
College Computer Engineering Ultimate Study Guide.exe
College Computer Science Ultimate Study Guide.exe
College English Ultimate Study Guide.exe
College Ethics Ultimate Study Guide.exe
College History Ultimate Study Guide.exe
College Philosophy Ultimate Study Guide.exe
Command and Conquer cnc c&c Renegade iso.exe
Conceal PC Firewall.exe
Copy (11) of ZoneAlarm Firewall Pro.exe
Copy of ZoneAlarm Firewall Pro.exe
cows gone wild.exe
Credit Card number generator VERIFIER (cc cc#).exe
Dark Planet Battle For Natrolis cracked.exe
Delphi Ultimate Study Guide.exe
DivX Codec 4.0 (codec only).exe
DivX Codec 5.0 (codec only).exe
DivX Codec 6.0 beta (codec only).exe
DoS Attacker.exe
Dreamcast Emulator.exe
DSL Anonymizer.exe
DSL Uncapper.exe
Easy CD Creator crack (all versions) (core).exe
End Of Twilight iso.exe
ESPN NFL Primetime 2002 iso.exe
Gamecube Emulator.exe
Ghost Recon - Desert Siege.exe
Ghost Recon.exe
Grand Theft Auto 3 CD1 ISO.exe
Grand Theft Auto 3 CD2 ISO.exe
hacker utils 2002.exe
hacking tools 2002.exe
Hentai - bondage pic series (142 pics) (xxx f--k anal lesbian c-m sc-t bukkake hentai).exe
Hentai - bondage pic series (142 pics) (xxx f--k anal lesbian c-m sc-t hentai).exe
Hentai - Mystery of the Necromonicon (DivX) (xxx f--k anal lesbian c-m sc-t bukkake hentai).exe
Hentai - Mystery of the Necromonicon (DivX) (xxx f--k anal lesbian c-m sc-t hentai).exe
Hooligans iso.exe
Horny lesbian f--ks horse! (xxx f--k anal lesbian c-m sc-t bukkake hentai).exe
ICQ AIM Password stealer.exe
ICQ hack.exe
Incoming Forces iso.exe
IRC hacker.exe
Japanese sc-t video (sick) (xxx f--k anal lesbian c-m sc-t bukkake hentai).exe
Kama Sutra.exe
Kazaa Advertisement Ad remover.exe
LESBIAN HORSE f--kERS.exe
Macromedia Flash 5 Ultimate Study Guide.exe
Macromedia Flash 5.exe
Max Payne full iso.exe
Max Payne Multiplayer Addon.exe
MCSE Ultimate Study Guide.exe
Microsoft Office XP Upgrade (from older versions).exe
Microsoft Visual C++ 7.0 iso.exe
mIRC backdoor hack.exe
Monsterville cracked.exe
Nero 5.5 Crack.exe
Nero Burning Rom 5.5 Crack.exe
Nero Burning Rom 5.5 cracked.exe
Norton AntiVirus 2002.exe
Norton Internet Security 2002.exe
Norton Systemworks 2002.exe
Norton Utilities 2002.exe
Notron Utilities 2002.exe
Office XP Corporate Ed. iso.exe
Oni 2nd second edition.exe
Perl Ultimate Study Guide.exe
PHP4 Ultimate Study Guide.exe
Playboy nude wallpaper (xxx p----y lesbian sl-t c--t f--k).exe
Playstation 2 PS2 Emulator.exe
Preteen bondage pics (xxx p----y lesbian sl-t c--t f--k).exe
Preteen girl f--ks and sucks her dad (xxx p----y lesbian sl-t c--t f--k).exe
Preteen girl gangbang (xxx f--k anal lesbian c-m sc-t bukkake hentai).exe
Preteen girl rape collection (xxx p----y lesbian sl-t c--t f--k).exe
Preteen nude pics (xxx p----y lesbian sl-t c--t f--k).exe
Quake 3 cracked (works on all servers).exe
Quake 4 leaked beta (cracked).exe
Quicken Pro 2002 iso.exe
Ray Crisis iso.exe
Return to Castle Wolfenstein iso.exe
Return to Castle Wolfenstein RTCW crack (play on any server with fake serial!).exe
Return to Castle Wolfenstein RTCW cracked server patch (play on any server with a fake serial!).exe
Soldier of Fortune 2 CD1 ISO.exe
Soldier of Fortune 2 CD2 ISO.exe
Sound Forge XP Studio + Serial.exe
Space Empires IV 4 Gold iso.exe
Spiderman SVCD CD1.exe
Spiderman SVCD CD2.exe
Spiderman SVCD CD3.exe
Spiderman The Movie - The Game.exe
Star Trek Bridge Commander iso.exe
Star Trek Klingon Academy iso.exe
Star Wars Episode 2 - Attack of the Clones VCD CD1.exe
Star Wars Episode 2 - Attack of the Clones VCD CD2.exe
Star Wars Jedi Knight II 2.exe
Sum of all Fears SVCD CD1.exe
Sum of all Fears SVCD CD2.exe
Sum of all Fears SVCD CD3.exe
The Secret of the Nautilus iso.exe
TurboTax Professional 2002 iso.exe
Uncapper for EDU connections.exe
University Study Guide (cheat sheet).exe
Unreal 3 beta CRACKED.exe
Unreal Tournament cracked (works on all servers).exe
Warcraft 3 beta.exe
Warcraft 3 Crack.exe
Warcraft 3 Keygen.exe
Warez locator (finds and verifies).exe
Warrior Kings iso.exe
WinACE with crack.exe
Winamp 3.0 beta.exe
Windows 2000 win2k Backdoor hack.exe
Windows 2000 win2k password stealer.exe
Windows 98 hacker.exe
Windows XP backdoor hack.exe
Windows XP Home to Professional Upgrade.exe
Windows XP Professional iso.exe
Windows XP Remote password cracker.exe
Windows XP Server iso.exe
WinMX Backdoor hack.exe
WinRAR with crack.exe
Winzip Key Generator (c0re).exe
XXX Password cracker (xxx p----y lesbian sl-t c--t f--k).exe
XXX Tetris (xxx p----y lesbian sl-t c--t f--k).exe
ZoneAlarm Firewall Pro.exe

Symptoms

- Presence of the file explorer32.exe in the Windows\System directory
- Port 6667 being left opened

Method of Infection

This worm is spread via the KaZaa peer to peer network.

Removal

All Users:
Use current engine and DAT files for detection. Delete any file which contains this detection.

Threat Detail