Authentium, Inc

W97M/Kukudro.C

Aliases: CME-136, Kukudro.C, W97M.Kukudro.C, W97M/Kukudro.C, WM97/Kukudro-C
Category:
Targets:
Discovered:
Severity:
Def Version:
Protect Init:

W97M/Kukudro.C is a macro-based Trojan dropper for Microsoft Word. The Trojan arrives as an e-mail attachment, either a .zip archive containing a Word document with a random name or the Word document itself. When the document is opened on a victim machine, the macro silently executes, extracts an executable file (mWChEU.exe) and then runs it (we detect mWChEU.exe as W32/Sality.X).

The automatic execution of the Word macro relies on the vulnerability described in Microsoft security bulletin MS01-034 (discovered April 23, 2001, patched June 21, 2001), so the Trojan mostly succeeds on out-of-date systems.

Subject of e-mail: varies

Attachment: either a zip file with a varying name, or a Word document with a random file name. The zip file contains a Word document with a random file name.

It affects most Windows systems, including Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows Server 2003.

When the Word document is opened in Microsoft Word, the Trojan:

1. Decodes and drops an executable file as C:\mWChEU.exe

2. Executes mWChEU.exe

3. Terminates itself once mWChEU.exe has been executed

4. mWChEU.exe attempts to download a variant of W32/Sality

5. mWChEU.exe alters the following registry setting:

   HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
   GlobalUserOffline=""

6. mWChEU.exe creates multiple files C:\Documents and Settings\<USER>\Local Settings\Temp\<filename>.exe

Here <USER> is the name of the user currently logged on to the Windows system and <filename> is a random name. These files contain random data and are only created if the download of W32/Sality fails; in that case mWChEU.exe terminates and deletes itself.
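The following is an added host-triage example, not Authentium's tool or any code from the Trojan. It checks a suspect machine's artefacts offline for the indicators listed in steps 1, 5 and 6 above: it parses a regedit export (.reg format) for the GlobalUserOffline value under the Internet Settings key, matches a file listing against C:\mWChEU.exe and the Local Settings\Temp .exe pattern, and produces the .reg text that deletes the value (the same operation as step 2d of the removal instructions). The sample registry export and file listing at the bottom are constructed for illustration. The temp-directory .exe files and the registry value are treated only as corroborating evidence, since the same value name is also used by Internet Explorer's Work Offline setting and legitimate installers routinely leave executables in Temp; only the dropped file itself is treated as a confirmed hit.

```python
"""Offline triage for the W97M/Kukudro.C host indicators described above.

Added example, not Authentium's own tool. Inputs are two text artefacts an
analyst would collect from the suspect host: a regedit .reg export and a
recursive file listing. The samples at the bottom are constructed.
"""
import re

# Indicators taken from the description above.
DROPPED_FILE = r"C:\mWChEU.exe"
REG_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_VALUE = "GlobalUserOffline"
TEMP_DIR_PATTERN = re.compile(
    r"^C:\\Documents and Settings\\[^\\]+\\Local Settings\\Temp\\[^\\]+\.exe$",
    re.IGNORECASE)

# regedit exports spell out the root key; the description uses the short form.
_ROOT_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
                 "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}


def _normalize_key(key):
    """Map the root to its short alias and lower-case the path (registry keys are case-insensitive)."""
    root, sep, rest = key.partition("\\")
    return (_ROOT_ALIASES.get(root.upper(), root.upper()) + sep + rest).lower()


def parse_reg_export(text):
    """Parse a .reg export into {normalized_key: {value_name: data}}.

    Only the subset of the format needed here is handled: key headers in
    brackets and one "name"=data line per value (string data keeps its quotes
    stripped; dword:/hex: data is kept verbatim).
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = _normalize_key(line[1:-1])
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = data.strip('"')
    return keys


def registry_hits(reg_text):
    """Return the data of GlobalUserOffline under the Internet Settings key, or None if absent."""
    values = parse_reg_export(reg_text).get(_normalize_key(REG_KEY), {})
    for name, data in values.items():
        if name.lower() == REG_VALUE.lower():  # value names are case-insensitive too
            return data
    return None


def file_hits(listing):
    """Split listed paths into confirmed hits (the dropper) and paths needing review (Temp .exe files)."""
    strong, review = [], []
    for path in listing:
        p = path.strip()
        if p.lower() == DROPPED_FILE.lower():
            strong.append(p)
        elif TEMP_DIR_PATTERN.match(p):
            review.append(p)
    return strong, review


def triage(reg_text, listing):
    """Combine both checks into a verdict: 'infected', 'suspicious' or 'no indicators'."""
    strong, review = file_hits(listing)
    marker = registry_hits(reg_text)
    if strong:
        verdict = "infected"
    elif marker is not None or review:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"dropped_exe": strong, "temp_exe_review": review,
            "registry_marker": marker is not None, "verdict": verdict}


def reversal_reg():
    """The .reg text that deletes the value (regedit's "name"=- syntax), as in removal step 2d."""
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]\r\n"
            '"GlobalUserOffline"=-\r\n')


# Constructed sample artefacts from a hypothetical infected host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline"=""
"ProxyEnable"=dword:00000000
"""
SAMPLE_LISTING = [
    r"C:\mWChEU.exe",
    r"C:\Documents and Settings\alice\Local Settings\Temp\xk4ru.exe",
    r"C:\Documents and Settings\alice\My Documents\report.doc",
]

if __name__ == "__main__":
    print(triage(SAMPLE_REG, SAMPLE_LISTING))
    print(reversal_reg())
```

Importing the generated reversal .reg in regedit removes only the GlobalUserOffline value and leaves the rest of the Internet Settings key intact, which is the "modify the specified keys only" discipline the removal section asks for; back up the registry before importing it, as that section also advises.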

The dropped mWChEU.exe contains several encrypted URLs. Some of these, at the time of writing, point to non-existent files. One of the encrypted URLs is used to download a variant of W32/Sality.

The URLs are:

http://airsoft[HIDDEN].com/images/home.gif

http://disp[HIDDEN].ru/home.gif

http://do[HIDDEN].net/home.gif

http://elcuar[HIDDEN]ro.com/home.gif

http://resour[HIDDEN]-media.info/images/home.gif

http://sanhao[HIDDEN]ne.com/images/home.jpg

http://sanh[HIDDEN]line.com/images/home.gif

http://tecr[HIDDEN]i.eresmas.com/images/home.gif

http://tele-[HIDDEN].com/images/home.gif

http://www.ban[HIDDEN]larga.net/home.gif

http://www.barse[HIDDEN]iano.com/home.gif

http://www.cham[HIDDEN]bb.com/home.gif

http://www.dr[HIDDEN]b.com/pix/home.gif

http://www.dr[HIDDEN]b.com/images/home.gif

http://www.fas[HIDDEN]ndrops.com/images/home.gif

http://www.f[HIDDEN].com/images/home.gif

http://www.ha[HIDDEN]allery.ro/images/home.gif

http://www.[HIDDEN]no/home.gif

http://www.j[HIDDEN]sx.com/images/home.gif

http://www.ka[HIDDEN]sky.ru/imagesr/draft/home.gif

http://www.ma[HIDDEN]an.ro/images/home.gif

http://www.m[HIDDEN]v.cz/home.gif

http://www.mus[HIDDEN]jt.wz.cz/home.gif

http://www.r[HIDDEN]f.ro/images/home.gif

http://www.saa[HIDDEN]nterprise.com/images/home.gif

http://www.tam[HIDDEN]samui.com/images/home.gif

http://www.vir[HIDDEN]ist.com/ru/imagesr/vldesign/home.gif

http://www.vir[HIDDEN]st.com/images/home.gif

The encrypted URL that downloads W32/Sality is:

http://www.gl[HIDDEN]dge1.com/home.gif

We detect this as W32/Sality.Z.

W32/Sality is a memory-resident file infector. It drops a DLL in %System% and injects that DLL into system processes to hook the Windows APIs that handle file access and manipulation. It then stays resident in memory and infects any portable executable files it finds.

(NOTE: By default, the local Windows System directory is C:\Windows\System32 (Windows 95/98/Me/XP) or C:\Winnt\System32 (Windows NT/2000).)

Detection

Command Antivirus version 4.93 or higher, with definition files dated on or after the discovery date given above, will detect and disinfect this Trojan.

Removal Instructions:

The following are generic instructions for the removal of this Trojan.

1. Disable System Restore (Windows XP only). See item 1 below.

2. Ensure the virus definitions are up to date.

3. Restart the computer in Safe Mode.

4. Run a full system scan and delete all files detected as W97M/Kukudro.C or W32/Sality.Z.

5. Reverse the changes made to the registry. See item 2 below.

For further information, read the following instructions.

1. To disable System Restore (Windows XP)

If you are running Windows XP, we recommend that you temporarily turn off System Restore. Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

The steps for disabling System Restore vary, depending on whether the default Start Menu or the Classic Start Menu is being used.

Default Start Menu
If using the default Start Menu, click Start | Control Panel | Performance and Maintenance | System. Select the System Restore tab and check "Turn off System Restore".

Classic Start Menu
If using the Classic Start Menu, click Start | Settings | Control Panel and double-click the System icon. Select the System Restore tab and check "Turn off System Restore".

After scanning the system and removing the offending malware, re-enable System Restore by repeating the steps, this time removing the check from "Turn off System Restore".

2. To reverse the changes made to the registry

We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files.

Modify the specified keys only.

a. Click Start > Run.

b. Type regedit and click OK.

c. Navigate to the key mentioned in the description above (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings).

d. In the right pane, delete the value associated with this Trojan (GlobalUserOffline).

e. Exit the Registry Editor.