Weekly Report on Viruses and Intruders – Kelvir.EO worm, Kukudro.A virus and Downloader.JIH trojan
Kelvir.EO is a worm with backdoor functions. It spreads by exploiting certain Windows vulnerabilities in the LSASS, RPC DCOM, Workstation Service and Plug and Play services, and then transfers a copy of itself to the newly compromised computer using its own FTP server. Once it has infected a computer, it installs a rootkit, detected as Ruffle.A, in order to disguise its actions. The worm then connects to an IRC server and joins a certain channel, from which it receives commands that, among other things, can obtain passwords stored in Protected Storage, which holds the passwords for programs including Outlook and Internet Explorer. Kelvir.EO also allows attackers to terminate processes, get data about the infected system, and update or eliminate the worm's code.
Kukudro.A is a macro virus that drops the Downloader.JIH Trojan on infected computers, creating a file called 66INSE_1.EXE, a copy of the Trojan, in the hard disk root directory. It does this using an old vulnerability, described in bulletin MS01-34, to bypass the security warning about macros included in Word documents so that its own code runs automatically. Kukudro.A cannot propagate by itself and therefore needs user interaction in order to spread: it arrives in emails with an attachment called My_notebook.doc, a file that contains the specifications of a range of different laptop computers.
Finally, Downloader.JIH is a Trojan that downloads the Sality.S virus onto computers. This virus infects executable files and can terminate security processes and capture system information. Once the Trojan is run, it connects to a series of web pages to download an executable file which it then saves on the infected computer under a random name. Downloader.JIH cannot spread by itself, but has to be dropped by other malware, in this case Kukudro.A, or executed by users as an email attachment or a file downloaded from the Internet or P2P networks.