Kickin Worm Spreads Via E-mail, IRC and P2P Applications

The Virus Laboratory at Panda Software, leading antivirus developer, has detected the appearance of a new worm called W32/Kickin. This new malicious code spreads via e-mail using its own SMTP engine, which means it can send itself out to other users, regardless of the e-mail client on the victim’s computer. It also spreads via IRC and P2P applications.

Originating in Austria, W32/Kickin infects Win9x, NT, 2000 and XP and is programmed in Microsoft Visual C 6.00. This worm scours the computer’s memory for a particular series of processes (related to security and antivirus software) and terminates those that it finds active. When it runs on a computer, it sends the following e-mail message, with no attachment, to different antivirus companies:

From: twistmaster13@hotmail.com

Subject:

Hi,i’m 100% sure i’m infected!

Message:

mmm…if you received this mail,then someone has been infected with W32.CyberWolf.B@mm => a new massmailer worm.

For every infection this worm does,you’ll receive an email like this.

It has never been my intention to cause your mailbox any harm,nor mailbomb it.

Its just so that you can have a quite accurate view on how many infections..because most of the times,Av companies are miles away from the real number…

This worm can compose and send a variety of messages which it uses to spread itself. These messages are sent to various addresses in the Windows Address Book (WAB, MSN Messenger, .NET Messenger, ICQ, Yahoo Pager) and even addresses that it gets from HTML pages in the computer under attack (addresses in HTML pages with the tag).

The messages used by W32/Kickin try to trick users into running the infected file with references to topics such as SARS (Severe Acute Respiratory Syndrome), patches, love letters, games, photos of celebrities, etc.

W32/Kickin creates a script.ini file containing its code so as to spread via mIRC. It also copies itself to P2P application shared directories (KaZaA, Bearhsare, Edonkey2000 and Morpheus).

“There are now more and more worms using file sharing applications to spread; not just KaZaA, but other programs like Morpheus, Bearshare or eDonkey-. This is an increasing trend which is seeing the emergence of viruses that take advantage of users’ over confidence and carelessness,” explains Luis Corrons, head of Panda Software’s Virus Laboratory.

Don't miss