WORM_KRYPTK.SMUE
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This worm arrives via removable drives. It may be unknowingly downloaded by a user while visiting malicious websites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It may be unknowingly downloaded by a user while visiting malicious websites.
Installation
This worm drops the following copies of itself into the affected system and executes them:
- %System%\intelgfx32.exe
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Other System Modifications
This worm adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\AppCompatFlags\
Layers
%System%\intelgfx32.exe = DisableNXShowUI
Propagation
This worm creates the following folders in all removable drives:
- .BootCfg
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[Autorun]
open={malware path and filename}
icon=%windir%\system32\SHELL32.dll,4
action=Open drive to view files with Explorer
shell\open=Open
shell\open\command={malware path and filename}
shell\open\default=1
shell\explore=Explore
shell\explore\command={malware path and filename}
shell\search=Search...
shell\search\command={malware path and filename}
useautoplay=1