Email-Worm.Win32.Kipis.a

Detected Dec 22 2004 11:53 GMT
Released Dec 22 2004 11:53 GMT
Published Dec 27 2004 09:04 GMT

Technical Details

This worm spreads via the Internet as an attachment to infected messages and via file-sharing networks.

It sends itself to email addresses harvested from the victim machine.

The worm itself is a Windows PE EXE file approximately 21KB in size, packed using MEW. The unpacked file is approximately 140KB in size.

The worm contains a backdoor function.

Installation

Once launched, the worm copies itself to the Windows root directory as 'regedit.com':

%WinDir%\regedit.com

As a result, starting the registry editor by name (regedit) launches the worm instead of regedit.exe, because Windows resolves a .com file ahead of an .exe file with the same base name.

The worm also creates a folder named "security" in the Windows root directory and copies itself to this folder as "svchost.exe":

%WinDir%\security\svchost.exe

The worm also creates a "Jpg.bmp" file in the Windows system directory and tries to open this file using MS Paint.

The file "Jpg.bmp" contains the following string:

BMD -:+:- zzzzzzzzzzz

Then the worm registers itself in the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = Explorer.exe "%WinDir%\security\svchost.exe"

This ensures a copy of the worm will be launched each time the infected machine is rebooted.

Kipis.a also creates a unique identifier "KiPiShx018AxR" to flag its presence in the system. This ensures that only one copy of the worm will infect the system.

Propagation via email

The worm harvests email addresses from the MS Windows address books and also from files with the following extensions:

.adb
.dbx
.doc
.htm
.tbb
.txt

The worm does not send messages to addresses which contain the following text strings:

.gov
.hlp
.mil
.txt
.zip
abuse
accoun
admin
antivir
anyone
avp
bigbrother
bitdef
borlan
bugs
bugtraq
confirm
contact
delphiworld
fido
foo.
google
gov.
guninski
help
hotmail
icrosoft
info
iruslis
latincards
linux
listserv
mailer
moco2k
mozilla
msn.
msoe
mydomai
nai.c
neohapsis
news
newvir
nodomai
notice
page
panda
pgp
podpiska
postmaster
privacy
rating
register
rfc-
ripe.
secur
sendmail
service
site
soft
software.
sopho
spm111
strike.
support
syman
the.bat
unix
webmaney
webmaster
where
www.

When sending infected emails, the worm attempts to establish a direct connection to the recipients' SMTP servers.

Infected messages

Message subject (chosen from the list below):

I Love You
Happy New Year
Love

Message body:

Hello! baby :-)

Server cannot send message.
_____________________________________________
On all questions address in a support service

Attachment (chosen from the list below):

your present.scr
foto_03.scr
myfoto_04.scr
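The subject, body and attachment names above are fixed, so a mail gateway can recognise a Kipis.a mailing from the envelope alone. The rule below is an added example, not Kaspersky's code: it parses a message, flags the listed subjects, the "Hello! baby :-)" greeting and the listed attachment names, and returns a verdict. The sample messages are constructed in `build_sample`; the set of extensions treated as directly executable is an assumption, not something the page states.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

# Subjects, body opening and attachment names listed on the page for Kipis.a.
KIPIS_SUBJECTS = {"I Love You", "Happy New Year", "Love"}
KIPIS_ATTACHMENTS = {"your present.scr", "foto_03.scr", "myfoto_04.scr"}
KIPIS_BODY_OPENING = "Hello! baby :-)"

# Assumption: the gateway treats these extensions as directly executable.
EXECUTABLE_EXTENSIONS = (".scr", ".com", ".exe", ".pif", ".bat")


def classify(raw: bytes) -> dict:
    """Return a verdict ('block', 'quarantine' or 'allow') plus the reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    names = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

    reasons: list[str] = []
    known_lure = False
    if subject in KIPIS_SUBJECTS:
        reasons.append(f"subject matches Kipis.a list: {subject!r}")
        known_lure = True
    if body.strip().startswith(KIPIS_BODY_OPENING):
        reasons.append("body opens with the Kipis.a greeting")
        known_lure = True

    known_attachment = False
    executable = False
    for name in names:
        if name in KIPIS_ATTACHMENTS:
            reasons.append(f"attachment name matches Kipis.a list: {name!r}")
            known_attachment = True
        elif name.lower().endswith(EXECUTABLE_EXTENSIONS):
            reasons.append(f"directly executable attachment: {name!r}")
            executable = True

    # A known attachment name, or a known lure carrying any executable, is blocked;
    # an unexplained executable is held for review; everything else passes.
    if known_attachment or (known_lure and executable):
        verdict = "block"
    elif executable:
        verdict = "quarantine"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, attachment_name: str | None,
                 body: str = KIPIS_BODY_OPENING) -> bytes:
    """Build a constructed message in the shape the page describes (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = subject
    msg.set_content(body + "\n")
    if attachment_name:
        msg.add_attachment(b"MZ constructed placeholder, not a real binary",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for subj, att in (("I Love You", "foto_03.scr"), ("Meeting notes", "notes.txt")):
        print(subj, att, classify(build_sample(subj, att)))
```

The verdict deliberately does not depend on the subject alone: "Love" and "Happy New Year" are common legitimate subjects, so a lure string only escalates a message that also carries an executable attachment.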

Propagation via file-sharing networks

The worm creates copies of itself in all subdirectories which contain the word 'Share' in their names. The copies are saved under names chosen from the following list:

DrWeb 4.32 keygen.com
KAV Pro 5.xx keygen.com
Nude Britney Spears.scr
Nude Pic_07.scr
Virtual Girl 2.01.com
WinXP Sp2 key.com
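The Installation section and the file-sharing list above together give a fixed set of host artifacts: regedit.com and security\svchost.exe under %WinDir%, a Jpg.bmp carrying the "BMD -:+:- zzzzzzzzzzz" string in the system directory, the modified Winlogon "Shell" value, and worm copies with the names above in any directory whose name contains 'Share'. The checker below is an added example, not Kaspersky's code, written for a mounted or copied volume. It assumes the Winlogon Shell value is handed in as a string (read with winreg on a live host, or from a registry export), that the "Windows system directory" is system32 (system on older releases), and that the 'Share' match is case-insensitive; the infected layout it scans is constructed in `build_demo_tree`.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Marker string the page reports inside the dropped Jpg.bmp file.
JPG_BMP_MARKER = b"BMD -:+:- zzzzzzzzzzz"

# Names the worm uses for copies placed in 'Share' directories (from the page).
SHARE_COPY_NAMES = {
    "DrWeb 4.32 keygen.com",
    "KAV Pro 5.xx keygen.com",
    "Nude Britney Spears.scr",
    "Nude Pic_07.scr",
    "Virtual Girl 2.01.com",
    "WinXP Sp2 key.com",
}

# Drop location relative to %WinDir%, as given on the page.
WORM_DROP_PATH = r"security\svchost.exe"


def check_winlogon_shell(shell_value: str) -> list[str]:
    """Flag a Winlogon 'Shell' value that starts anything besides Explorer.

    Assumption: the value was read elsewhere (winreg or a registry export).
    """
    findings: list[str] = []
    if shell_value.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell is not plain Explorer.exe: {shell_value!r}")
    if WORM_DROP_PATH.lower() in shell_value.lower():
        findings.append("Winlogon Shell references the Kipis.a drop path security\\svchost.exe")
    return findings


def check_windir(windir: Path) -> list[str]:
    """Look for the files Kipis.a drops under the Windows directory."""
    findings: list[str] = []
    if (windir / "regedit.com").is_file():
        findings.append("regedit.com present in %WinDir% (shadows regedit.exe)")
    if (windir / "security" / "svchost.exe").is_file():
        findings.append("security\\svchost.exe present in %WinDir%")
    # Assumption: the 'Windows system directory' is system32 (system on Win9x).
    for sysdir in ("system32", "system"):
        bmp = windir / sysdir / "Jpg.bmp"
        if bmp.is_file() and JPG_BMP_MARKER in bmp.read_bytes():
            findings.append(f"Jpg.bmp carrying the Kipis.a marker string in {sysdir}")
    return findings


def find_share_copies(root: Path) -> list[Path]:
    """Return worm copies found in directories whose name contains 'share' (case-insensitive)."""
    hits: list[Path] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "share" not in Path(dirpath).name.lower():
            continue
        hits.extend(Path(dirpath) / n for n in filenames if n in SHARE_COPY_NAMES)
    return sorted(hits)


def scan(root: Path, shell_value: str) -> list[str]:
    """Combine the three checks for a volume mounted (or copied) under root."""
    findings = check_winlogon_shell(shell_value) + check_windir(root / "Windows")
    findings += [f"share copy: {p.relative_to(root)}" for p in find_share_copies(root)]
    return findings


def build_demo_tree(root: Path) -> None:
    """Create a constructed, fake infected layout (placeholders, no real binaries)."""
    windir = root / "Windows"
    (windir / "security").mkdir(parents=True)
    (windir / "system32").mkdir()
    (windir / "regedit.com").write_bytes(b"constructed placeholder")
    (windir / "security" / "svchost.exe").write_bytes(b"constructed placeholder")
    (windir / "system32" / "Jpg.bmp").write_bytes(JPG_BMP_MARKER)
    shared = root / "Program Files" / "P2P" / "Shared Files"
    shared.mkdir(parents=True)
    (shared / "WinXP Sp2 key.com").write_bytes(b"constructed placeholder")
    private = root / "Documents" / "Private"  # no 'share' in the name: must not match
    private.mkdir(parents=True)
    (private / "Nude Pic_07.scr").write_bytes(b"constructed placeholder")


def demo_findings() -> list[str]:
    """Run the scan against the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        return scan(root, r'Explorer.exe "C:\WINDOWS\security\svchost.exe"')


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```

The Shell check fires on any value other than a bare Explorer.exe, not just on this worm's path, because Winlogon\Shell is a persistence location worth reviewing whenever it has been changed.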

Remote administration

The worm opens TCP port 1029 on the victim machine in order to receive commands. The backdoor gives a remote attacker full access to the infected computer; in addition, files can be downloaded from the Internet and launched on the victim machine.
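Two of the worm's network behaviours are visible from the host itself: the listener on TCP port 1029 described here, and the direct connections to recipients' SMTP servers mentioned under "Propagation via email". The code below is an added example, not Kaspersky's code: it parses `netstat -ano` rows, reports a listener on port 1029 together with the owning process image, and lists any process holding its own outbound port-25 connections. The netstat output and the PID-to-image mapping are constructed samples, and the idea of cross-checking the image path against the security\ drop directory is this example's own.

```python
from __future__ import annotations

# Constructed `netstat -ano` output in the Windows layout (not a real capture).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       1604
  TCP    192.168.1.5:1031       203.0.113.7:25         ESTABLISHED     1604
  TCP    192.168.1.5:1032       198.51.100.12:25       SYN_SENT        1604
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image path mapping (as tasklist or Process Explorer would give).
PID_IMAGE_SAMPLE = {
    4: "System",
    924: r"C:\WINDOWS\system32\svchost.exe",
    1604: r"C:\WINDOWS\security\svchost.exe",
}

BACKDOOR_PORT = 1029                 # from the page
SMTP_PORT = 25
DROP_DIR_FRAGMENT = "\\security\\"   # the drop directory named on the page


def parse_netstat(text: str) -> list[dict]:
    """Parse the TCP/UDP rows of `netstat -ano`; header and blank rows are skipped."""
    rows: list[dict] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:                        # UDP rows carry no State column
            state, pid = "", int(parts[3])
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = foreign.rsplit(":", 1)
        rows.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                     "rhost": rhost, "rport": rport, "state": state, "pid": pid})
    return rows


def find_suspicious(rows: list[dict], pid_images: dict[int, str]) -> list[str]:
    """Report the backdoor listener and any process talking SMTP directly."""
    findings: list[str] = []
    for r in rows:
        if r["proto"] == "TCP" and r["lport"] == BACKDOOR_PORT and r["state"] == "LISTENING":
            image = pid_images.get(r["pid"], "unknown image")
            note = " (image under the Kipis.a drop directory)" if DROP_DIR_FRAGMENT in image else ""
            findings.append(f"TCP {BACKDOOR_PORT} listening, PID {r['pid']} {image}{note}")
    # Group outbound port-25 peers by PID; a worm mailing directly shows up as one
    # non-mail-client process fanning out to many remote hosts.
    smtp_peers: dict[int, set[str]] = {}
    for r in rows:
        if r["proto"] == "TCP" and r["rport"] == str(SMTP_PORT):
            smtp_peers.setdefault(r["pid"], set()).add(r["rhost"])
    for pid, hosts in sorted(smtp_peers.items()):
        image = pid_images.get(pid, "unknown image")
        findings.append(f"PID {pid} {image} holds direct SMTP connections to {len(hosts)} remote host(s)")
    return findings


if __name__ == "__main__":
    for line in find_suspicious(parse_netstat(NETSTAT_SAMPLE), PID_IMAGE_SAMPLE):
        print(line)
```

On a real host the SMTP finding is compared against the processes expected to speak SMTP (the mail client or a local relay); a process named svchost.exe that lives outside system32 and opens port-25 connections is what the page's description predicts.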

Payload

Kipis.a attempts to detect and terminate processes which contain the following text strings:

___r.
___synmgr.
avmon
blackice
bscanx
bupw.
dec25.
duba
ewall
filemon.
frw.
gate
guard.
kav
kerio
maniac.
mcafee
nav
nprotect
outpost
regmon.
rfw.
rising
safe
skynet
sphinx.
suchost.
svchosl.
symantec
systra.e
taumon
update
upgrade
winit.
zonealarm

Email-Worm

Email-Worms spread via email. The worm sends a copy of itself as an attachment to an email message or a link to its file on a network resource (e.g. a URL to an infected file on a compromised website or a hacker-owned website).

In the first case, the worm code activates when the infected attachment is opened (launched). In the second case, the code is activated when the link to the infected file is opened. In both cases the result is the same: the worm code is activated.

Email-Worms use a range of methods to send infected emails. The most common are:

  • using a direct connection to an SMTP server, drawing on the email directory built into the worm’s code
  • using MS Outlook services
  • using Windows MAPI functions.

Email-Worms use a number of different sources to find email addresses to which infected emails will be sent:

  • the address book in MS Outlook
  • a WAB address database
  • .txt files stored on the hard drive: the worm can identify which strings in text files are email addresses
  • emails in the inbox (some Email-Worms even “reply” to emails found in the inbox)

Many Email-Worms use more than one of the sources listed above. There are also other sources of email addresses, such as address books associated with web-based email services.


Aliases

Email-Worm.Win32.Kipis.a (Kaspersky Lab) is also known as:

  • Virus: W32/Kipis.a@MM (McAfee)
  • W32/Kipis-A (Sophos)
  • Worm.Stration.QR-1 (ClamAV)
  • W32/Kipis.A.worm (Panda)
  • W32/Sdbot.BPQ (FPROT)
  • Worm:Win32/Kipis.A@mm (MS(OneCare))
  • Win32.HLLM.Dasha (DrWeb)
  • Win32/Kipis.A worm (Nod32)
  • Win32.Madon.A@mm (BitDef7)
  • Win32:Kipis@MEW [Wrm] (AVAST)
  • Email-Worm.Win32.Brontok (Ikarus)
  • I-Worm/Kipis.A (AVG)
  • WORM/NetSky.AE (AVIRA)
  • W32.Kipis.A@mm (NAV)
  • Kipis.A@mm (Norman)
  • W32/Kipis.a@MM (NAI)
  • WORM_KIPIS.A (PCCIL)
  • Worm.Kipis.b (Rising)
  • W32/Kipis.A@mm [Orion] (FSecure)
  • WORM_KIPIS.A (TrendMicro)