WORM_RONTOKBRO.C
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Brontok.q (Kaspersky), W32/Rontokbro.gen@MM (McAfee), W32.Rontokbro.D@mm (Symantec), Worm/Rontok.D (Avira), W32/Korbo-A (Sophos)

In the wild: Yes

Destructive: Yes

Language: English

Platform: Windows ME, NT, 2000, XP, and Server 2003

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Description: 

This memory-resident worm drops several copies of itself into various folders on the affected system; the exact locations depend on the operating system version of the affected machine. It then overwrites the file AUTOEXEC.BAT in C:\ with the following string:

pause

This modification causes the affected system to pause on startup until the user presses a key to resume.

This worm disables the CMD command, so users cannot run the Command Prompt on affected systems. It also disables the Registry Editor, so users cannot access that application. It also disables the Folder Options item in all Windows Explorer menus, so users cannot change the settings under Tools > Folder Options in Windows Explorer.

It also restarts the system whenever it finds an open window whose title bar contains the strings .EXE and Registry.

This worm propagates by sending a copy of itself as an attachment to email messages. The email it sends has the following details:

Subject: {blank}
Attachment: Kangen.exe

The file KANGEN.EXE is a copy of this worm. It uses a folder icon to trick users into opening it, which executes the worm. Upon execution, it opens a Windows Explorer window in an attempt to hide its process.
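The following PowerShell triage helper is an added example, not part of the original description or of Trend Micro's tooling. It checks a Windows host for the symptoms listed above: AUTOEXEC.BAT reduced to a single pause line, the Command Prompt, Registry Editor and Folder Options being disabled, and a running process named after the mail attachment. The page does not state how the worm disables those features; the registry policy values used below (DisableCMD, DisableRegistryTools, NoFolderOptions) are the standard Windows settings that produce those symptoms and are treated as an assumed indicator.

```powershell
# Added triage helper (not from the original page). Registry values below are the
# standard Windows policy settings for the three disabled features; treating them as
# indicators of this worm is an assumption, since the page does not give its mechanism.
function Get-RontokbroSymptom {
    [CmdletBinding()]
    param(
        [string]$AutoexecPath = 'C:\AUTOEXEC.BAT'
    )
    $findings = @()

    # 1. AUTOEXEC.BAT overwritten so that it contains only "pause"
    if (Test-Path -LiteralPath $AutoexecPath) {
        $content = Get-Content -LiteralPath $AutoexecPath -Raw -ErrorAction SilentlyContinue
        if ($content -and $content.Trim() -ieq 'pause') {
            $findings += [pscustomobject]@{ Check = 'AUTOEXEC.BAT'; Detail = "$AutoexecPath contains only 'pause'" }
        }
    }

    # 2. Policy values whose effect matches "CMD disabled", "Registry Editor disabled"
    #    and "Folder Options removed" (assumed indicators, see header comment)
    $policyChecks = @(
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Label = 'Command Prompt disabled' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Label = 'Registry Editor disabled' },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Label = 'Folder Options hidden' }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -ne 0) {
            $findings += [pscustomobject]@{ Check = $c.Label; Detail = "$($c.Path)\$($c.Name) = $($v.($c.Name))" }
        }
    }

    # 3. A running process named after the attachment the description lists
    $proc = Get-Process -Name 'Kangen' -ErrorAction SilentlyContinue
    if ($proc) {
        $findings += [pscustomobject]@{ Check = 'Process'; Detail = "Kangen.exe running (PID $($proc.Id -join ','))" }
    }

    return $findings
}

# Run under the affected user's account, since the policy values are per-user (HKCU).
Get-RontokbroSymptom | Format-Table -AutoSize
```

An empty result means none of the listed symptoms is present for the current user; a non-zero policy value set by an administrator is a legitimate configuration, so confirm each finding against the Solution section before acting on it.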


Description created: Oct. 11, 2005 12:33:21 PM GMT -0800
