W32.HLLW.Kickin.A@mm


Discovered: May 05, 2003
Updated: February 13, 2007 12:01:01 PM
Also Known As: W32.HLLW.Cydog.C@mm, Win32.Kickin.A [CA], W32/Kickin@MM [McAfee]
Type: Worm
Systems Affected: Windows


W32.HLLW.Kickin.A@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the email addresses that it finds in the following address books:

  • .NET Messenger
  • MSN Messenger
  • Yahoo Pager
  • Windows
  • ICQ Address Books

The worm also sends itself to the email addresses from the files whose extensions contain the letters ht or ml. The email message has a randomly chosen subject line, message body, and attachment filename. W32.HLLW.Kickin.A@mm spoofs the sender's email address. The attachment has the extension .com, .exe, .scr, or .pif.

The worm also attempts to spread itself through the Morpheus, Bearshare, and Edonkey2000 file-sharing networks, and through mIRC. This worm terminates some antivirus and firewall processes.

This threat is written in the Microsoft C++ programming language and is compressed with UPX.

NOTE: Virus definitions dated prior to May 8, 2003 may detect this as W32.HLLW.Cydog.C@mm.



A minor variant which displays the same functionality as the original was discovered on May 7, 2003. Detection for this variant is included in virus definitions dated May 8, 2003 and later.

Antivirus Protection Dates

  • Initial Rapid Release version May 06, 2003
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version May 06, 2003
  • Latest Daily Certified version August 09, 2016 revision 001
  • Initial Weekly Certified release date May 07, 2003


Writeup By: Yana Liu



When W32.HLLW.Kickin.A@mm runs, it does the following:

  1. Copies itself as %Windir%\CyberWolf.exe. The file attributes are set to Hidden and System.

    NOTE: %Windir% is a variable. The worm locates the Windows installation folder (by default, this is C:\Windows or C:\Winnt) and copies itself to that location.

  2. Copies itself to the %System% folder as the following files:
    • Kernel32.exe
    • Api Hooking-Tutorial.exe
    • Christina Aguilera-The most beautiful girl on earth.scr
    • FixSql.com
    • Hotmail Hacker.exe
    • HowTo-SARS.exe
    • Last Summer.scr
    • Love.scr
    • Magical-Screensaver.scr
    • MsnMsgs.exe
    • OutWar Demo.exe
    • Setup.exe
    • Soccer Database.exe
    • Saddam-the real pics.scr
    • Virtual Joke.scr
    • Q30215HOTFIX.pif
    • WinExec.bin
    • Winlogon.sys

      The attributes of these files may be set to Read only, Hidden, and System.

      NOTE: %System% is a variable. The worm locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  3. Adds the values:

    "CyberWolf"="%Windir%CyberWolf"
    "Windoes Kernel"="%System%\kernel32.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the worm runs when you start Windows.

  4. Adds the subkey: REGEDIT.EXE

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

    and sets the default value to:

    "(Default)"="%System%\kernel32.exe"

    so that when you try to run Regedit.exe, the copy of the worm, %System%\Kernel32.exe, runs.

  5. Adds the subkey: MSCONFIG.EXE

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

    and sets the default value to:

    "(Default)"="%System%\kernel32.exe"

    so that each time you try to run Msconfig.exe, the copy of the worm, %System%\kernel32.exe, runs.

  6. Adds the value:

    "system"="%System%\kernel32.exe"

    to the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  7. Modifies the default value of the registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command

    to

    "(Default)"="%System%\kernel32.exe"

  8. In the registry key:

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

    modifies the values to:

    "Hidden"=2
    "HideFileExt"=1

  9. Closes any window whose title is one of the following and terminates the associated process:
    • Norton AntiVirus
    • LiveUpdate
    • System Configuration Utility
    • Process Viewer
    • Register-Editor
    • Windows Task Manager

  10. Attempts to terminate the antivirus and firewall processes. The worm inventories the active processes, and if the name of a process is one of the following, it attempts to terminate the process:
    • COMMAND
    • SYSHELP
    • RAVMOND
    • WINRPC
    • WINHELP
    • WINGATE
    • NPROTECT
    • CLEANER
    • TASK
    • TASKMGR
    • MSCONFIG
    • REGEDIT
    • ANTI-TROJAN
    • BLACKICE
    • ZONEALARM
    • PROT
    • NVC95
    • FP-WIN
    • IOMON98
    • PCCWIN98
    • F-PROT
    • F-STOPW
    • NAVWNT
    • NAVRUNR
    • NAVLU32
    • NAVAPSVC
    • VSMON
    • SYMPROXYSVC
    • RESCUE32
    • NISSERV
    • VSECOMR
    • VETTRAY
    • TDS2-NT
    • CCAPP
    • SCAN32
    • PCFWALLICON
    • NSCHED32
    • SPHINX.EXE
    • FRW.EXE
    • MCAFEE
    • ATRACK
    • PVIEW
    • LUCOMSERVER
    • LUALL
    • NMAIN
    • NAVW32
    • NAVAPW32
    • VSSTAT
    • VSHWIN32
    • AVSYNMGR
    • AVCONSOL
    • WEBTRAP
    • POP3TRAP
    • PCCMAIN
    • PCCIOMON
    • ESAFE.EXE
    • AVPM.EXE
    • AVPCC.EXE
    • AMON.EXE
    • ALERTSVC
    • ZAPRO
    • AVP32
    • LOCKDOWN2000
    • AVP.EXE
    • CFINET32
    • CFINET
    • ICMON
    • SAFEWEB
    • WEBSCANX

  11. Retrieves the location of the KaZaA download folder from the registry. If KaZaA is installed on the infected system, it copies itself to the download folder as the following files:
    • AIM Remote Password Cracker.exe
    • Chaos Ip Spoof 2003.exe
    • FTP Cracker-2003(Crack the password of ANY FTP server with this tool!).exe
    • Hotmail Exploiter 2003.exe
    • Msn Messenger Remote Password Cracker 2003.exe
    • Netbios hacker.exe
    • Ultimate HackProg.exe
    • Virus Creation ToolKit-VX v7.1_create virii with this tool,Klez.H and Sircam has been created with version 6.exe
    • WebAttack-DoS Tool.exe
    • XNuker 2003.exe
    • Yahoo Remote Password Cracker Deluxe 2003.exe

  12. Copies itself to the following folders, if the folders exist:
    • C:\Program Files\Morpheus\My Shared Folder
    • C:\Program Files\Bearshare\Shared
    • C:\Program Files\Edonkey2000\Incoming

      as the following files:
      • Chaos Ip Spoof 2003.exe
      • Hotmail Exploiter 2003.exe
      • Msn Messenger Remote Password Cracker 2003.exe
      • Netbios hacker.exe
      • Ultimate HackProg.exe

        NOTE: The attributes of these files may be set to Read only, Hidden, and System.

  13. If mIRC is installed, the worm modifies the Script.ini file to send a copy of itself as Magical-Screensaver.scr to other mIRC users.

  14. Retrieves the current user's name, email address, and SMTP server's IP address from the registry.

  15. Locates the address book files of .NET Messenger, MSN Messenger, Yahoo Pager, Windows, and ICQ in the registry. Then, the worm retrieves the email addresses from those files. The worm also retrieves the email addresses from the files whose extensions contain the letters ht or ml.

  16. Uses its own SMTP engine to send itself to all the email addresses it finds. The email has the following characteristics:

    From: Lovergirl@hotmail.com
    Subject: Do you remember last summer?
    Attachment: Last Summer.scr
    Message:
    hi
    Do you remember we met last summer?
    We became very good friends at the end huh!
    Well i looked a bit over internet and i encountered your Email,so i thought why not send him the pics from last summer
    I've attached them in this email,there in ScreenSaver format,pls reply to me if you liked them
    See you soon again xxx
    Love ya...

    From: Webmaster@planet-source-code.com
    Subject: Api Hooking Tutorial...
    Attachment: Api Hooking-Tutorial.exe
    Message:
    Did you wanted to learn how to api hook?
    Here your chance!This tutorial explains all the basics AND moderate Api Hookings
    Starting by hooking Registry Keys,Till hiding files from view in Windows Explorer
    After reading this tut you can even start Windows RootKit Programming but ofcourse thats up to you to decide...
    The Tutorial attached in this e-mail is for privat use only and may never be distributed under any curcumstances
    Provided to you by: Webmaster<Webmaster@planet-source-code.com> and www.planet-source-code.com

    From: Support@microsoft.com
    Subject: Windows Hotfix!
    Attachment: Q30215HOTFIX.pif
    Message:
    Attached is the HotFix for several bugs in Windows Operating Systems.
    The following Windows versions are vulnerable:
    Windows Xp home and Pro edition (with/without SP1)
    Windows ME,2000 and NT Home and Pro Edition(With/without SP)
    Windows 98 Home,Pro and Special Edition(With/without SP)
    The following Windows Operating Systems are not vulnerable:
    Windows 95(All editions With or Without Sp
    Microsoft IIS(all versions)
    If your Operating System is one of the vulnerable systems listed above then Microsoft Corp. recommends you to install this HotFix
    If you for some reason didn't install this hotfix,then your pc will be vulnerable to this bugs allowing an attacker to Remote Control your pc,or beeing infected with the infamous SqlSlammer.
    Because this is an critical bug,Microsoft Corp. has send this HotFix to all of his customors who use one of the OS's.
    For more information about this bug or about Microsoft Corp.,please visit www.microsoft.com
    Presented to you by:Microsoft HelpDesk<Support@microsoftcom>

    From: SecurityResponse@symantec.com
    Subject: Warning from Symantec.com
    Attachment: FixSql.com
    Message:
    5/4/2003 A NEW INTERNET WORM HAS BEEN FOUND IN THE WILD
    A new very dangerous internet worm has been found in the wild.This worms goes under the name W32.SqlSlammer.C@mm and has the possibility to
    spread by several ports on your pc(139,25,445,446,10252).
    It will infect you without your knowlegde because it uses the Sql Buffer Overflow exploit.Because of this its very hard for Av companies and Microsoft to
    contain this thread.Thats why we decided to protect our customors by sending then SqlFix and thus protecting them from infection.
    After installation the fix will determine if the SqlSlammer.C has infected your pc and clean it.If it didn't infect it then it will make sure it will never infect you by closing the bug in your OS.
    Simply run the attached fix and wait for the dialog to prompt,select the <Full Clean> feature and wait till its finished.
    Sincerely,
    Symantec Security Response Team
    Symantec Corporation

    From: Admin@hackers.com
    Subject: u wanted to hack?
    Attachment: Hotmail Hacker.exe
    Message:
    hi there,so you wanted to hack your friends hotmail account huh,well use this xss-exploit tool to find his password within 3 minutes!!
    Simply open it and enter your victims email ID and select <hack>
    This will also work on Yahoo and Icq accounts
    Admin@hackers.com

    From: Lovergirl963@hotmail.com
    Subject: Do you remember last summer?
    Attachment: Last Summer.scr
    Message:
    hi
    Do you remember we met last summer?
    We became very good friends at the end huh!
    Well i looked a bit over internet and i encountered your Email,so i thought why not send him the pics from last summer
    I've attached them in this email,there in ScreenSaver format,pls reply to me if you liked them
    See you soon again xxx
    Love ya...

    From: Lovergirl963@hotmail.com
    Subject: Fwd:Fwd:Fwd:Sit back and be surprised...
    Attachment: Magical-Screensaver.scr
    Message:
    Magic in CyberSpace,its almost unbelievable!
    1)Pick 3 numbers and write them down on a paper.
    2)Add one of the following values to the 3 numbers:Love,Friendship and Sex.Write these values next to the number
    3)Pick 1 additional number and say it out loud 5 times
    4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper.
    5)Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep.
    6)Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16.
    You don't have to forward this email but then your friends won't get the chance to make their dreams come tru,So if you want your friends to be happe,simply mail them the magic...
    Be aware!No cheating allowed,Once you have written those names and values on your paper you cannot chance them!!!

    From: Admin@screensavers.com
    Subject: The Magic screensaver
    Attachment: Magical-Screensaver.scr|
    Message:
    Check out this magic screensaver.Its pure magic!!!
    Follow these steps for the magic:1)Pick 3 numbers and write them down on a paper.
    2)Add one of the following values to the 3 numbers:Love,Friendship and Sex.Write these values next to the number
    3)Pick 1 additional number and say it out loud 5 times
    4)Now the sticky part:Choose 3 names of girls/boys who you like and write them below on that paper.
    )Now open the Magical screensaver i attached,wrap the paper in your left hand and close your eyes until you here the beep.
    )Open your eyes again and look at the screen.What the screensaver displayed will be personal,so you'll have to be alone in your room.Everything the screensaver displays will come tru within the next 2 months,Only the Sex part will come tru when your above 16.
    Presented by Admin@screensavers.com

    From: ebmaster@Loveforlife.com
    Subject: Feel the reason why we fall in love...
    Attachment: Love.scr
    Message:
    It takes One minute to find someone special
    One hour to like someone
    1 Day to fall in love with someone
    But it takes a lifetime to forget someone.
    If you have ever been in love then you'll know about what i am talking.
    If you wanne have that same old feeling then open the lovescreensaver and realise why we fall in love all the time...
    Feel the reason why we fall in love...

    From: Webmaster@Outwar.com
    Subject: Outwar is proud to present you:Outwar InterActive
    Attachment: OutWar Demo.exe
    Message:
    After beeing succesfull for quit some years now and having more then 20000 clients,it was time for something new.
    Thats why we decided to take our OutWar into the game market and developed OurWar InterActive
    This game will be in shops late summer and will cost about 36$.
    It will be avaible across the Usa,Europe,Australia and Asia.Our release for Africa is scheduled early 2004.
    Because this will mean a lot of waiting,we developed the first Official OutWar Int. Demo!
    The attached file contains Installation Packet for the downloader.
    Install it and download the game from our Private FTP servers,and then enjoy it on your home pc!.
    Sincerely yours
    Webmaster@outwar.com

    From: Soccerfan@yahoo.com
    Subject: Fwd:Fwd:Fwd:Soccer...
    Attachment: Soccer Database.exe
    Message:
    Ever wanted to see the best goals,the most beautiful freekicks etc.with just 2 clicks with your mouse?
    Ever wanted to acces the largest Soccer Database on the internet where all goals from more then 25 international competitions from the past 15 years are stored?
    Here is your chance,this program has instant acces it,so you can enjoy how Diego Maradonna scored <with the hand of god>,or how Johan Cruyff curled
    hat ball into the goal...Enjoy!
    The database contains goals from countries like:Spain,Italy,France,Germany,England,Belgium,The Netherlands,Sweden,Finland and much more
    Also forward this to all football fans you know so they can enjoy this to.

    From: Webmaster@beautifulgirls
    Subject: Christina Aguilera:The most beautiful girl on earth
    Attachment: Christina Aguilera-The most beautiful girl on earth.scr
    Message:
    Don't you think Christina Aguilera is the most beautiful girl on earth?
    She is soo nice!!!
    That clip <Dirrty> was amazing...
    If you wanne see some hidden pics of that videoclip then check out this screensaver
    Its nice...Very nice,if you get what i mean ;)
    Webmaster@beautifulgirls.com

    From: webmaster@screensavers.com
    Subject: Saddam a live and kickin
    Attachment: Saddam-the real pics.scr
    Message:
    The whole world wants to know it,is saddam a live,or death?
    Well somedays a go the britisch took secret spy cam pics,and luckely someone has uploaded this pics to the internet,and now their avaible!
    You won't believe what you see!its amazing!!!The spy cam was hidden inside a tower in Bagdad and it took pics from saddam and his sons,they our 250m beneath the ground!
    Check out the pics i attached,you won't believe what you see!

    From: Admin@jokes.com
    Subject: The Virtual Joke...
    Attachment: Virtual Joke.scr
    Message: Have you seen it yet?
    You should because its soooooo funny,i wish the real jokes where that funny :)
    Check out the attached screensaver and enjoy the pleasure of laughing...

    From: flipbabe@hotmail.com
    Subject: Fwd:Fwd:Whats really happening in bagda
    Attachment: Saddam-the real pics.scr
    Message:
    Someone of the britisch army has made some Secret Spy Cam pics,and uploaded it to the internet!!
    The pics show you exactly whats reall happened in Irak!Its really not what you've seen on tv!
    Check out the attached file and forward this to as much friends so that they can all see what has really happened in Irak.
    FlipBabe xxx

    From: mailinglist@Msn.com
    Subject: Get the new Msn 5.1!
    Attachment: MsnMsgs.exe
    Message:
    Tired of the little nicknames in Msn,tired of all the limits?
    Well we've got news for you,Msn 5.1 is the newest and best msn messenger ever!
    It allows nicknames up to 500 characters and has many new functions who will make your cyberlife easyier and better!
    Msn Messenger 5.1 is avaible for following Operating Systems:
    Windows Xp
    Windows ME and 2000
    Windows 98 and NT
    Is not avaible for:Windows 95
    This version of msn messenger supports also Api's in Windows Xp so you can make your own addons.
    To download Msn Messenger 5.1 install the attached Root Setup.
    WARNING:MSN MESSENGER IS NOT AVAIBLE FOR DOWNLOAD AT OUR WEBSITE DUE TO JURIDICAL RESTRICTIONS,IF YOU WANT IT YOU'LL HAVE TO INSTALL THE ROOT SETUP.
    If you don't want to install it then you'll have to wait for another 5 weeks because of the juridical restricions.
    Please do not forward this email.Every user who has Msn Messenger installed will receive this email sooner or later,so its up to them to decide to use the new version of not
    Sincerely yours:
    The Msn Messenger Team
    The Hotmail Team

    From: mailinglist@healthcare.com
    Subject: How to protect yourself against SARS
    Attachment: HowTo-SARS.exe
    Message:
    SARS aka. Severe Acute Respiratory Syndrome is a worldwide health threat.
    It was first discovered in China
    But now,it has become a very big thread to all people in this world
    If no vaccin is found,soon more then 500.000 people will be infected with it
    This vaccin is not yet made,so within this time the ONLY protection humans have is prevention of infection
    Thats why we of HealthCare launched a project in which we will send newsletters with information about SARS and with prevention rules.
    Symptoms:High Fever(>38°C) AND one or more respiratory symptoms including cough, shortness of breath, difficulty breathing
    Also be aware of the following:close contact with a person who has been diagnosed with SARS AND a recent history of travel to areas reporting cases of SARS
    In addition to fever and respiratory symptoms, SARS may be associated with other symptoms including: headache, muscular stiffness, loss of appetite, malaise, confusion, rash, and diarrhea.
    Until more is known about the cause of these outbreaks, WHO (World Health Organization) recommends that all people read the attached instructions of howto prevent beeing infected with SARS and what to do when infection has occurred
    For more information contact:
    Dick Thompson - Communication Officer
    Communicable Disease Prevention, Control and Eradication WHO, Geneva
    Telephone: (+41 22) 791 26 84
    Email: thompsond@who.int

  17. Opens a Web browser window to one of the following Web sites:
    • www.indiansnakes.cjb.net
    • www.christinaaguilera
    • www.brain-hack.com

  18. Creates the text file, %Windir%\CyberWolf.txt, if the current day is Monday or Wednesday.

  19. Runs many instances of itself if the current date is the 30th of any month.
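The following is an added example, not part of the Symantec writeup: a mail-gateway triage routine that checks a message against the sender addresses and attachment names of the step 16 templates, treating the (spoofed) sender as corroboration only and falling back to the recommendation of quarantining .com/.exe/.scr/.pif attachments. The sample messages, the recipient user@example.invalid and the sender colleague@example.invalid are constructed for the demonstration.

```python
"""Mail-gateway triage for the W32.HLLW.Kickin.A@mm message templates (step 16).
The From address is spoofed, so a sender match alone never decides the verdict."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Sender addresses and attachment names copied from the worm's message templates.
KICKIN_SENDERS = {
    "lovergirl@hotmail.com", "lovergirl963@hotmail.com", "admin@hackers.com",
    "webmaster@planet-source-code.com", "support@microsoft.com",
    "securityresponse@symantec.com", "admin@screensavers.com",
    "webmaster@screensavers.com", "ebmaster@loveforlife.com",
    "webmaster@outwar.com", "soccerfan@yahoo.com", "webmaster@beautifulgirls",
    "admin@jokes.com", "flipbabe@hotmail.com", "mailinglist@msn.com",
    "mailinglist@healthcare.com",
}
KICKIN_ATTACHMENTS = {
    "last summer.scr", "api hooking-tutorial.exe", "q30215hotfix.pif",
    "fixsql.com", "hotmail hacker.exe", "magical-screensaver.scr", "love.scr",
    "outwar demo.exe", "soccer database.exe", "saddam-the real pics.scr",
    "christina aguilera-the most beautiful girl on earth.scr",
    "virtual joke.scr", "msnmsgs.exe", "howto-sars.exe",
}
# The only attachment extensions the worm uses (the ones the recommendations say to block).
EXECUTABLE_EXTS = (".com", ".exe", ".scr", ".pif")


def triage(raw_message):
    """Classify one RFC 822 message as 'kickin' (matches the worm's templates),
    'quarantine' (executable attachment from anyone else) or 'clean'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    known_name = [n for n in names if n in KICKIN_ATTACHMENTS]
    executable = [n for n in names if n.endswith(EXECUTABLE_EXTS)]
    reasons = []
    if known_name:
        reasons.append(f"attachment name from worm template: {known_name}")
    if sender in KICKIN_SENDERS and executable:
        reasons.append(f"template sender {sender} with executable attachment")
    if reasons:
        verdict = "kickin"
    elif executable:
        verdict, reasons = "quarantine", [f"executable attachment: {executable}"]
    else:
        verdict = "clean"
    return {"verdict": verdict, "sender": sender, "attachments": names, "reasons": reasons}


def build_sample(sender, subject, body, attachment=None):
    """Construct a test message; the attachment payload is inert text, not the worm."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"          # constructed recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"inert placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg.as_bytes()


# Constructed samples: the 'Windows Hotfix!' template, an unknown executable, legitimate mail.
HOTFIX_LURE = build_sample("Microsoft HelpDesk <Support@microsoft.com>", "Windows Hotfix!",
                           "Attached is the HotFix for several bugs in Windows Operating Systems.",
                           "Q30215HOTFIX.pif")
UNKNOWN_EXE = build_sample("colleague@example.invalid", "tool", "try this", "tool.exe")
PLAIN_MAIL = build_sample("colleague@example.invalid", "lunch?", "12:30 at the usual place")

if __name__ == "__main__":
    for label, raw in (("hotfix lure", HOTFIX_LURE), ("unknown exe", UNKNOWN_EXE),
                       ("plain mail", PLAIN_MAIL)):
        print(label, triage(raw))
```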


Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.




The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Update the virus definitions.
    Restart the machine in Safe mode.
  2. Delete the values that were added to the registry.
  3. Run a full system scan and delete all the files detected as W32.HLLW.Kickin.A@mm.
For specific details on each of these steps, read the following instructions.

1. Updating the virus definitions
Symantec Security Response fully tests all the virus definitions for quality assurance before they are posted to our servers. There are two ways to obtain the most recent virus definitions:
  • Running LiveUpdate, which is the easiest way to obtain virus definitions: These virus definitions are posted to the LiveUpdate servers once each week (usually on Wednesdays), unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
  • Downloading the definitions using the Intelligent Updater: The Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). You should download the definitions from the Symantec Security Response Web site and manually install them. To determine whether definitions for this threat are available by the Intelligent Updater, refer to the Virus Definitions (Intelligent Updater).

    The Intelligent Updater virus definitions are available: Read "How to update virus definition files using the Intelligent Updater" for detailed instructions.

2. Deleting the values added to the registry

CAUTION: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. Read the document, "How to make a backup of the Windows registry," for instructions.

Because the worm modified the registry so that you cannot run the .exe files, first make a copy of the Registry Editor as a file with the .com extension, and then run the file.
    1. Do one of the following, depending on the version of Windows you are running:
      • Windows 95/98 users:
        1. Click Start.
        2. Point to Programs.
        3. Click the MS-DOS Prompt. (A DOS window opens at the C:\Windows prompt.) Proceed to step 2 of this section.
      • Windows Me users:
        1. Click Start.
        2. Point to Programs.
        3. Point to Accessories.
        4. Click the MS-DOS Prompt. (A DOS window opens at the C:\Windows prompt.) Proceed to step 2 of this section.
      • Windows NT/2000 users:
        1. Click Start, and then click Run.
        2. Type command, and then press Enter. (A DOS window opens.)
        3. Type cd \winnt, and then press Enter.
        4. Proceed to step 2 of this section.
      • Windows XP users:
        1. Click Start, and then click Run.
        2. Type command, and then press Enter. (A DOS window opens.)
        3. Type the following commands (pressing Enter after typing each one):

          cd\
          cd \windows
        4. Proceed to step 2 of this section.

    2. Type the following:

      copy regedit.exe regedit.com

      and then press Enter.

    3. Type the following:

      start regedit.com

      and then press Enter. (The Registry Editor will open in front of the DOS window.)

      After you finish editing the registry, exit the Registry Editor, and then exit the DOS window.

    4. Before you continue, Symantec strongly recommends backing up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified keys only. For instructions, read the document, "How to make a backup of the Windows registry."

    5. Navigate to and select the key: HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command.

      NOTE: The HKEY_LOCAL_MACHINE\Software\Classes key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files, ending with a .exe extension, from running. Make sure that you completely browse through this path until you reach the \command subkey.

      Modify the HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command subkey (the annotated Registry Editor screenshot marking this key is not reproduced here).

    6. In the right pane, double-click the (Default) value.

    7. Delete the current value data, and then type: "%1" %* (That is, type the characters: quote-percent-one-quote-space-percent-asterisk).

      NOTES:
      • In Windows 95/98/Me/NT, the Registry Editor automatically encloses the value within quotation marks. When you click OK, the (Default) value should look exactly like this:

        ""%1" %*"
      • In Windows 2000/XP, the additional quotation marks will not appear. When you click OK, the (Default) value should look exactly like this:

        "%1" %*
      • Make sure that you completely delete all the value data in the command key before typing the correct data. If you leave a space at the beginning of the entry, any attempt to run the program files will result in the error message, "Windows cannot find .exe." If this occurs, restart the entire process from the beginning of this document, and make sure that you completely remove the current value data.

    8. Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    9. In the right pane, delete the values:

      "CyberWolf"="%Windir%CyberWolf"
      "Windoes Kernel"="%System%\kernel32.exe"

    10. Navigate to and delete the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\REGEDIT.EXE

    11. Navigate to and delete the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE

    12. Navigate to the key:

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    13. In the right pane, delete the value:

      "system"="%System%\kernel32.exe"

    14. Exit the Registry Editor.
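As an added example that is not part of the Symantec writeup, the following script audits a `reg export` dump for the registry changes described in steps 3 to 8 of the technical description and writes the .reg file that carries out the deletions and the `"%1" %*` restore of section 2 above. The export text is constructed by hand (with %Windir% and %System% expanded to C:\WINDOWS and C:\WINDOWS\System32) and is not taken from a real infected machine.

```python
"""Audit a 'reg export' dump for the W32.HLLW.Kickin.A@mm registry changes (steps 3-8)
and build the .reg file that carries out section 2 of the removal instructions."""
import re

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
APP_PATHS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXEFILE_CMD = r"HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command"
ADVANCED = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
CLEAN_EXEFILE_CMD = '"%1" %*'  # the value step 7 of the removal instructions restores

def parse_reg_export(text):
    """Parse .reg syntax into {key.lower(): {value_name.lower(): value}}.
    '@' is the (Default) value, dword:XXXXXXXX becomes an int, and the
    backslash escapes of string values are removed."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = name.strip('"').lower()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            else:
                current[name] = re.sub(r"\\(.)", r"\1", raw.strip('"'))
    return keys

def audit(keys):
    """Return (step, description) pairs, one per indicator from the writeup."""
    findings = []
    run = keys.get(RUN_KEY.lower(), {})
    for name in ("cyberwolf", "windoes kernel"):
        if name in run:
            findings.append(("3", f"Run value {name!r} -> {run[name]}"))
    for step, exe in (("4", "REGEDIT.EXE"), ("5", "MSCONFIG.EXE")):
        default = keys.get(f"{APP_PATHS}\\{exe}".lower(), {}).get("@", "")
        if "kernel32.exe" in str(default).lower():  # the real kernel32 is a .dll
            findings.append((step, f"App Paths\\{exe} redirected to {default}"))
    system = keys.get(WINLOGON.lower(), {}).get("system", "")
    if "kernel32.exe" in str(system).lower():
        findings.append(("6", f"Winlogon 'system' value -> {system}"))
    cmd = keys.get(EXEFILE_CMD.lower(), {}).get("@")
    if cmd is not None and cmd != CLEAN_EXEFILE_CMD:
        findings.append(("7", f"exefile open command hijacked: {cmd}"))
    adv = keys.get(ADVANCED.lower(), {})
    if adv.get("hidden") == 2 or adv.get("hidefileext") == 1:
        findings.append(("8", "Explorer set to hide hidden files and extensions"))
    return findings

def remediation_reg(findings):
    """Emit a .reg file covering only what audit() found: '=-' deletes a value,
    '[-key]' deletes a key, and inner quotes are backslash-escaped."""
    steps = {step for step, _ in findings}
    out = ["Windows Registry Editor Version 5.00", ""]
    if "7" in steps:  # restore .exe launching first, as the instructions do
        out += [f"[{EXEFILE_CMD}]", '@="\\"%1\\" %*"', ""]
    if "3" in steps:
        out += [f"[{RUN_KEY}]", '"CyberWolf"=-', '"Windoes Kernel"=-', ""]
    for step, exe in (("4", "REGEDIT.EXE"), ("5", "MSCONFIG.EXE")):
        if step in steps:
            out += [f"[-{APP_PATHS}\\{exe}]", ""]
    if "6" in steps:
        out += [f"[{WINLOGON}]", '"system"=-', ""]
    return "\n".join(out)

# Constructed export of an infected XP machine (paths expanded by hand, not a real dump).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CyberWolf"="C:\\WINDOWS\\CyberWolf.exe"
"Windoes Kernel"="C:\\WINDOWS\\System32\\kernel32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\REGEDIT.EXE]
@="C:\\WINDOWS\\System32\\kernel32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE]
@="C:\\WINDOWS\\System32\\kernel32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="C:\\WINDOWS\\System32\\kernel32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\exefile\shell\open\command]
@="C:\\WINDOWS\\System32\\kernel32.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
"""

if __name__ == "__main__":
    found = audit(parse_reg_export(SAMPLE_EXPORT))
    for step, text in found:
        print(f"[step {step}] {text}")
    print(remediation_reg(found))
```

Step 8 is reported but not reverted, because the removal instructions above do not touch the Explorer\Advanced values.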


3. Scanning for and deleting the infected files
    1. Start your Symantec antivirus program and make sure that it is configured to scan all the files.
    2. Run a full system scan.
    3. If any files are detected as infected with W32.HLLW.Kickin.A@mm, click Delete.


