Description:
To get a one-glance comprehensive view of the behavior of this macro virus, refer to the Behavior Diagram shown below.
Malware Overview
This macro virus usually arrives on a system as a Microsoft Word document file dropped by other malware, or as a file downloaded by an unsuspecting user when visiting malicious Web sites. It may also arrive as a .ZIP archived attachment of a manually mass-mailed email message. The attached .ZIP file contains the malicious file, MY_NOTEBOOK.DOC.
When the .DOC file is opened, it uses Visual Basic for Applications (VBA) macros to drop and execute the file 666INSE_1.EXE in the root folder (usually C:\). Trend Micro detects this file as TROJ_DLOADER.BKV.
There are two macro routines embedded in the .DOC file. The first macro uses standard VBA commands to call the second macro routine. The second macro drops TROJ_DLOADER.BKV. This allows the dropped Trojan to perform its routines on the affected system.
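The following mail-attachment triage check is an added example, not part of the original description or any Trend Micro tooling. It flags ZIP members whose names match the files named above and, independently of the name, any member that is an OLE2 document carrying a VBA project stream. The function names, the size cap and the sample input are assumptions made for illustration.

```python
import io
import zipfile

# File names as given in the description above (compared case-insensitively).
ATTACHMENT_DOC = "my_notebook.doc"
DROPPED_EXE = "666inse_1.exe"
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound-file header used by .DOC
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name present when macros exist
MAX_MEMBER = 20 * 1024 * 1024                    # assumed cap: skip oversized members


def triage_zip(data: bytes) -> list:
    """Return findings for one ZIP attachment supplied as raw bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not-a-zip"]
    findings = []
    with zf:
        for info in zf.infolist():
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base in (ATTACHMENT_DOC, DROPPED_EXE):
                findings.append("name-match:" + info.filename)
            if info.flag_bits & 0x1:  # encrypted member: content cannot be inspected
                findings.append("encrypted:" + info.filename)
                continue
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            body = zf.read(info)
            if body.startswith(OLE2_MAGIC) and VBA_MARKER in body:
                findings.append("ole-with-vba:" + info.filename)
    return findings


def build_sample(doc_name: str, with_macro: bool) -> bytes:
    """Constructed test input: a ZIP holding a fake OLE2 body, not a real document."""
    body = OLE2_MAGIC + b"\x00" * 64 + (VBA_MARKER if with_macro else b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(doc_name, body)
        zf.writestr("readme.txt", "constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample("MY_NOTEBOOK.DOC", True)))
    print(triage_zip(build_sample("report.doc", False)))
```

A file name is trivially changed by the sender, so the `ole-with-vba` finding is the more durable signal; the name match only ties a hit to this specific description.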
For additional information about this threat, see: Solution Technical Details
Description created: Jun. 27, 2006 1:15:42 PM GMT -0800