W97M/Kukudro.A is a macro-based Trojan dropper for Microsoft Word. The Trojan arrives as an e-mail attachment: a .zip archive that contains the Word document “my_Notebook.doc”. When this Word document is opened on a victim machine, the macro silently executes and extracts an executable file (666inse_1.exe). It then runs 666inse_1.exe (which we detect as W32/Sality.U).
The macro runs automatically because of the vulnerability described in Microsoft security bulletin MS01-034 (discovered April 23, 2001, patched June 21, 2001), so the dropper mostly succeeds on out-of-date systems.
Subject of e-mail: varies
Attachment: a .zip file with various names (e.g. apple_prices.zip, prices_zip, sony_prices.zip) containing the file my_Notebook.doc
It affects most Windows systems, including Windows 95, Windows 98, Windows Me, Windows 2000, Windows NT, Windows Server 2003 and Windows XP.
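The delivery vector above (a zip attachment carrying a Word 97-2003 document with an auto-running macro) is something a mail gateway can triage before the file ever reaches Word. The following is an added example, not code from this advisory or from Command Antivirus: it unpacks a zip in memory, checks each member for the OLE2 compound-document header, and looks for the UTF-16LE name of the "_VBA_PROJECT" stream that macro-bearing .doc files contain. The zip contents, the verdict labels and the size limit are constructed for the example; the heuristic is deliberately simple and a production gateway would parse the OLE structure properly (for instance with oletools) rather than string-search the raw bytes.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound document (the Word 97-2003 .doc container).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store storage/stream names as UTF-16LE. A .doc that
# carries VBA macros has a "_VBA_PROJECT" stream, so its UTF-16LE name showing
# up in the raw bytes is a cheap (heuristic) macro indicator.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def build_sample_zip(with_macro=True):
    """Constructed stand-in for the attachment described in the advisory:
    a zip holding my_Notebook.doc. The document bytes are fabricated here
    (OLE2 header plus an optional VBA marker), not the real dropper."""
    doc = OLE2_MAGIC + b"\x00" * 64
    if with_macro:
        doc += b"\x00" * 8 + VBA_MARKER
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("my_Notebook.doc", doc)
    return buf.getvalue()


def triage_attachment(zip_bytes, max_member_size=50 * 1024 * 1024):
    """Inspect every member of a zip attachment and return one finding per
    member: whether it is an OLE2 file, whether the VBA project marker is
    present, and a verdict (quarantine / review / allow)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > max_member_size:
                # Refuse to inflate oversized members (zip-bomb guard).
                findings.append({"name": info.filename, "ole2": None,
                                 "vba_project": None, "verdict": "review"})
                continue
            data = zf.read(info.filename)
            is_ole = data.startswith(OLE2_MAGIC)
            has_vba = VBA_MARKER in data
            office_ext = info.filename.lower().endswith((".doc", ".dot", ".xls"))
            if has_vba:
                verdict = "quarantine"     # macro-bearing document
            elif is_ole or office_ext:
                verdict = "review"         # Office file without the marker
            else:
                verdict = "allow"
            findings.append({"name": info.filename, "ole2": is_ole,
                             "vba_project": has_vba, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in triage_attachment(build_sample_zip()):
        print(finding)
```

Run against a real attachment by passing the bytes of the .zip to triage_attachment(); anything reported as "quarantine" should be held for analyst review rather than delivered, and "review" members (an OLE2 file without the marker) deserve a proper structural parse.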
When my_Notebook.doc is opened in Microsoft Word:
1. Decodes and drops an executable file as C:\666inse_1.exe
2. Executes 666inse_1.exe
3. Terminates itself once 666inse_1.exe has been executed
4. 666inse_1.exe attempts to download a variant of W32/Sality
5. Alters the following registry setting:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
GlobalUserOffline=""
The dropped 666inse_1.exe contains three plain-text URLs that, at the time of writing this document, point to non-existent files. It also contains one encrypted URL that downloads W32/Sality.U.
The dummy URLs are:
http://www.ba[HIDDEN]rga.net/ganjubas/my_home.jpg
http://www.h[HIDDEN]di.no/home.jpg
http://www.m[HIDDEN]v.cz/installer/install.txt
The encrypted URL is:
http://www.su[HIDDEN]tor1.com/zmacro.txt
W32/Sality is a memory-resident file infector. It drops a DLL in %System% and injects that DLL into system processes to hook the Windows APIs used for file access and manipulation. It then stays resident in memory and infects any portable executable (PE) files it finds.
Detection:
Command Antivirus version 4.93 or higher with definition files dated on or after the discovery date given above will detect and disinfect this Trojan.
Removal Instructions:
The following are generic instructions for the removal of this Trojan.
1. Disable System Restore (Windows XP only). See item 1 below.
2. Ensure the virus definitions are up to date.
3. Restart the computer in Safe mode.
4. Run a full system scan and delete all files detected as W97M/Kukudro.A or W32/Sality.U.
5. Reverse the changes made to the registry. See item 2 below.
For further information, read the following instructions.
1. To disable System Restore (Windows XP)
If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows prevents outside programs, including antivirus programs, from modifying System Restore, so antivirus programs or tools cannot remove threats from the System Restore folder. As a result, System Restore can restore an infected file on your computer even after you have cleaned the infected files from all other locations. The steps for disabling System Restore vary depending on whether the default Start Menu or the Classic Start Menu is being used.
Default Start Menu
If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".
Classic Start Menu
If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".
After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".
2. To reverse the changes made to the registry.
We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files.
Modify the specified keys only.
a. Click Start > Run
b. Type regedit and click OK.
c. Navigate to the keys mentioned in the description above.
d. In the right pane, delete the value associated with this Trojan.
e. Exit the Registry Editor.
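Steps a to e are manual, so there is no record of whether the reversal actually took place. An added example (not part of this advisory and not a Command Antivirus tool) that supports both the behaviour description (the GlobalUserOffline value under the Internet Settings key) and step 2 of the removal: it parses the text that regedit's Export command writes and reports whether the indicator value is still present. The .reg sample is constructed here (the indicator entry is the advisory's; the filler entries are made up), the hive-abbreviation table and the function names are the example's own, and the parser handles only single-line value entries, not hex data continued across lines.

```python
import re

# Hive abbreviations as advisories write them, mapped to the full names that
# regedit writes into an exported .reg file.
HIVE_ALIASES = {
    "HKCU": "HKEY_CURRENT_USER",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS",
    "HKCC": "HKEY_CURRENT_CONFIG",
}

# Indicator exactly as stated in the advisory (key path and value name).
INDICATOR_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
INDICATOR_VALUE = "GlobalUserOffline"

# Constructed sample export: the advisory's value plus made-up filler entries.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy"=dword:00000001
"GlobalUserOffline"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# "name"=data, where the name may contain escaped quotes or backslashes.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def normalize_key(path):
    """Expand a hive abbreviation and lower-case the path (registry key
    names are case-insensitive, so comparisons must be too)."""
    hive, sep, rest = path.partition("\\")
    return (HIVE_ALIASES.get(hive.upper(), hive) + sep + rest).lower()


def parse_reg_export(text):
    """Parse regedit export text into {normalized_key: {value_name: raw_data}}.
    Raw data is kept as written (e.g. '""' or 'dword:00000001')."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
        elif current is not None:
            match = _VALUE_LINE.match(line)
            if match:
                keys[current][match.group(1)] = match.group(2)
    return keys


def find_indicator(text, key=INDICATOR_KEY, value=INDICATOR_VALUE):
    """Return the raw data of the indicator value if it is present in the
    export, else None. Value names are compared case-insensitively."""
    values = parse_reg_export(text).get(normalize_key(key), {})
    for name, data in values.items():
        if name.lower() == value.lower():
            return data
    return None


if __name__ == "__main__":
    hit = find_indicator(SAMPLE_REG_EXPORT)
    print("indicator present, data =" if hit is not None else "indicator absent", hit)
```

To check a real machine, export the Internet Settings key from regedit before and after step d and feed each file's text to find_indicator(); regedit 5.00 writes UTF-16LE exports, so open them with encoding="utf-16". A result of None on the post-cleanup export confirms the value is gone.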