Description Published: January 5, 2005
Description Modified: January 6, 2005
Category: Win32
Also known as: W32/Kipis.a@MM (McAfee), W32.Kipis.A@mm (Symantec), W32/Kipis-A (Sophos), Win32/P2P.Kipis.A.Worm, Email-Worm.Win32.Kipis.a (Kaspersky)
Description
Win32.Kipis.A is a worm that spreads via e-mail and network shares. It also terminates a number of processes and can download and execute arbitrary files.
Method of Infection
When executed, Kipis.A copies itself to %Windows%\regedit.com and %Windows%\Security\svchost.exe.
Kipis.A uses an icon from an image viewing program in an attempt to trick the user into believing the program is an image.

To this end, Kipis also drops a file as %System%\Jpg.bmp, which it then opens with Mspaint. Due to the way Mspaint reads the file, this produces the following error message:
There is not enough memory or resources to complete operation.
Close some programs, and then try again.

Kipis uses the mutex KiPiShx018AxR to avoid running multiple copies of itself.
On Windows 9x machines, Kipis modifies system.ini to ensure that it is executed at Windows start:
SYSTEM.INI
[boot]
Shell=explorer.exe %Windows%\Security\svchost.exe
On NT-based machines this is translated into the following registry entry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe %Windows%\Security\svchost.exe"
Note: '%System%' and '%Windows%' are variable locations. The worm determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
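The two persistence locations above (the system.ini [boot] Shell= line on Windows 9x and the Winlogon Shell value on NT) both accept a list of programs, so the practical check is "is anything other than explorer.exe listed?". The following is an added example written for this page, not code from the CA analysis: it parses both forms, reports any extra program, and on a Windows host can also read the live registry value. The sample values are constructed from the description; the handling of unquoted paths containing spaces is an assumption (they are split), since the page does not say how the worm writes its entry.

```python
import re

# Added example, not from the CA description. Parses the two persistence
# locations the worm uses (system.ini [boot] Shell= on Windows 9x, the Winlogon
# Shell registry value on NT) and reports every program listed besides the
# expected shell. The sample values below are constructed from the description.

EXPECTED_SHELL = "explorer.exe"

def shell_entries(value):
    """Split a Shell value into its programs.

    Windows accepts either comma-separated entries or, as in the Kipis entry,
    space-separated ones; quoted paths are kept whole. Unquoted paths that
    contain spaces are split (assumption: legitimate entries quote them).
    """
    parts = re.findall(r'"[^"]+"|[^,\s]+', value)
    return [p.strip('"') for p in parts]

def extra_shell_programs(value):
    """Return every entry whose file name is not explorer.exe (case-insensitive)."""
    return [e for e in shell_entries(value)
            if e.lower().replace("/", "\\").rsplit("\\", 1)[-1] != EXPECTED_SHELL]

def system_ini_shell(ini_text):
    """Return the Shell= value from the [boot] section of a system.ini, or None."""
    in_boot = False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_boot = s.lower() == "[boot]"
        elif in_boot and s.lower().startswith("shell="):
            return s[len("shell="):].strip()
    return None

def registry_winlogon_shell():
    """On Windows, read the live Winlogon Shell value; elsewhere return None."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    try:
        value, _ = winreg.QueryValueEx(key, "Shell")
    finally:
        winreg.CloseKey(key)
    return value

# Constructed samples: a clean value, the value the worm writes, and a 9x-style
# system.ini carrying the same entry.
CLEAN_SHELL = "explorer.exe"
KIPIS_SHELL = r"Explorer.exe C:\Windows\Security\svchost.exe"
KIPIS_SYSTEM_INI = "[386Enh]\ndevice=*vmm32\n[boot]\nshell=explorer.exe C:\\Windows\\Security\\svchost.exe\n"

if __name__ == "__main__":
    for label, val in (("clean", CLEAN_SHELL), ("kipis", KIPIS_SHELL),
                       ("system.ini", system_ini_shell(KIPIS_SYSTEM_INI)),
                       ("live registry", registry_winlogon_shell())):
        if val is not None:
            print(label, "->", extra_shell_programs(val) or "ok")
```

The file-name comparison ignores the directory, so a legitimate "C:\Windows\explorer.exe" passes while "Explorer.exe C:\Windows\Security\svchost.exe" reports the second program. The same rule applies to any malware that appends itself to the Shell value, not only to Kipis.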
Method of Distribution
Via Network Shares
Kipis scans logical drives C: to Z: looking for fixed drives or RAM disks. It then scans all of the directories and sub-directories on these drives looking for possible shared directories to spread through.
Kipis copies itself to any directory whose name contains the word "Share", excluding directories starting with "Microsoft Shar", using one or more of the following filenames:
Nude Britney Spears.scr
Nude Pic_07.scr
Virtual Girl 2.01.com
KAV Pro 5.xx keygen.com
DrWeb 4.32 keygen.com
WinXP Sp2 key.com
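The share-spreading rule above is easy to turn into a sweep of a file server after an outbreak. The following is an added example written for this page, not code from the CA analysis: it walks a directory tree, applies the worm's directory rule (name contains "Share", but not starting with "Microsoft Shar") and reports the drop names listed above. Two assumptions are mine, because the description does not state them: matching is case-insensitive, and the rule is applied to the directory's own name rather than the full path. The sample tree is constructed in a temporary directory for the demonstration.

```python
import os
import shutil
import tempfile

# Added example, not from the CA description: walks a directory tree and
# reports the drop names listed above in directories that match the worm's
# "Share" rule. Case-insensitive matching and matching on the directory's own
# name (not the full path) are assumptions; the description does not say.

KIPIS_SHARE_NAMES = {
    "nude britney spears.scr", "nude pic_07.scr", "virtual girl 2.01.com",
    "kav pro 5.xx keygen.com", "drweb 4.32 keygen.com", "winxp sp2 key.com",
}

def is_target_directory(path):
    """True if the worm would copy itself here: the directory name contains
    'Share' and does not start with 'Microsoft Shar' ('Microsoft Shared' is skipped)."""
    name = os.path.basename(path.replace("\\", "/").rstrip("/")).lower()
    return "share" in name and not name.startswith("microsoft shar")

def find_kipis_drops(root, any_directory=False):
    """Return relative paths (forward slashes) of files named like the drops.

    By default only directories the worm would target are inspected;
    any_directory=True reports the names wherever they appear, which is the
    broader sweep you want after an infection, since files get moved.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if not any_directory and not is_target_directory(dirpath):
            continue
        for fn in files:
            if fn.lower() in KIPIS_SHARE_NAMES:
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)

def build_sample_tree():
    """Constructed sample layout for the demonstration; not real data."""
    root = tempfile.mkdtemp(prefix="kipis_demo_")
    layout = {
        "Shared Docs": ["Nude Pic_07.scr", "report.doc"],                    # targeted
        "Microsoft Shared": ["WinXP Sp2 key.com"],                           # excluded by name
        os.path.join("Users", "tom", "My Share"): ["DrWeb 4.32 keygen.com"], # targeted
        "Public": ["Virtual Girl 2.01.com"],                                 # no 'Share' in name
    }
    for d, names in layout.items():
        os.makedirs(os.path.join(root, d))
        for n in names:
            with open(os.path.join(root, d, n), "wb") as f:
                f.write(b"MZ placeholder")   # stand-in content, not the worm
    return root

if __name__ == "__main__":
    root = build_sample_tree()
    try:
        print("targeted dirs:", find_kipis_drops(root))
        print("everywhere:   ", find_kipis_drops(root, any_directory=True))
    finally:
        shutil.rmtree(root)
```

The default mode reproduces where the worm itself would write, which is useful for confirming the rule against a suspected source share; the any_directory sweep is the one to run for cleanup, since the "Public" copy in the sample would otherwise be missed.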
Via E-mail
Kipis harvests e-mail addresses from the Windows Address Book and by scanning logical drives C: to Z: looking for fixed drives or RAM disks. It scans all directories and sub-directories on these drives looking for e-mail addresses to harvest in files with one of the following extensions:
txt
adb
htm
doc
dbx
tbb
It may also send itself to one of these addresses hard-coded in the body of the worm:
Cameron dias@love.com
kylie minogue@kylie minogue.com
madonna@madonna.com
Britney Spears@britney spears.com
Kipis avoids e-mail addresses containing any of the following strings:
.gov
.hlp
.mil
.txt
.zip
abuse
accoun
admin
antivir
anyone
avp
bigbrother
bitdef
borlan
bugs
bugtraq
confirm
contact
delphiworld
fido
foo.
google
gov.
guninski
help
hotmail
icrosoft
info
iruslis
latincards
linux
listserv
mailer
moco2k
mozilla
msn.
msoe
mydomai
neohapsis
news
newvir
nodomai
notice
page
panda
pgp
podpiska
postmaster
privacy
rating
register
rfc-
ripe.
secur
sendmail
service
site
soft
software.
sopho
spm111
strike.
support
syman
the.bat
unix
webmaney
webmaster
where
www.
E-mails sent by the worm have a random priority level set.
The sender's e-mail address is spoofed by combining one of the following names with the domain of the recipient's address (for example, for an e-mail sent to johnno@silly.domain.com the sender's address may be sandra@silly.domain.com):
sandra
mary
bill
tom
linda
stan
mike
anna
adam
maria
rosa
stiv
liza
dasha
alex
Possible Subjects:
Love
Happy New Year
I love you
Possible Message Bodies:
The message body may be blank, or contain one of the following bodies:
Hello! baby :)
support@
Server cannot send message.
_____________________________________________
On all questions address in a support service
support@
_____________________________________________
Attachment:
The filename of the attachment is one of the following:
your present.scr
foto_03.scr
myfoto_04.scr
trax_06.scr
dom2.scr
foto_05.scr
Kipis retrieves the current user's e-mail address and SMTP server from the following registry values:
HKCU\Software\Microsoft\Internet Account Manager\Accounts\SMTP Email Address
HKCU\Software\Microsoft\Internet Account Manager\Accounts\SMTP Server
If the recipient's e-mail address is the same as the one retrieved from the registry, or if the domain of the recipient's address matches the SMTP server name in the registry, Kipis sends through the SMTP server retrieved from the registry.
Otherwise Kipis tries to guess the recipient's mail server by prefixing the domain of the recipient's address with each of the following host names (for example, for james@nowhere.com the worm would try gate.nowhere.com, ns.nowhere.com, etc.):
gate.
ns.
relay.
mail1.
mxs.
mail.
mx1.
mx.
smtp.
Please see below for an example of an e-mail generated by the worm:

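The e-mail characteristics listed above (a spoofed sender at the recipient's own domain, one of three subjects, one of six .scr attachment names, and a fixed body text) combine into a mail-gateway check. The following is an added example written for this page, not code from the CA analysis and not the e-mail screenshot the original page showed: it scores a raw message against those indicators and returns a verdict. Both sample messages are constructed for the demonstration; the attachment is a few bytes of MZ header, not the worm. The verdict threshold (a known drop name plus any other indicator, or three indicators) is my assumption, chosen so that the sender rule alone, which also matches ordinary mail from a colleague called tom, does not quarantine anything.

```python
from email import message_from_string
from email.utils import parseaddr

# Added example, not from the CA description: a mail-gateway style check that
# scores a raw RFC 822 message against the indicators listed above. Both sample
# messages are constructed for the demonstration; the attachment is a few bytes
# of MZ header, not the worm.

KIPIS_SUBJECTS = {"love", "happy new year", "i love you"}
KIPIS_ATTACHMENTS = {"your present.scr", "foto_03.scr", "myfoto_04.scr",
                     "trax_06.scr", "dom2.scr", "foto_05.scr"}
KIPIS_SENDERS = {"sandra", "mary", "bill", "tom", "linda", "stan", "mike", "anna",
                 "adam", "maria", "rosa", "stiv", "liza", "dasha", "alex"}
KIPIS_BODY_MARKERS = ("hello! baby :)", "server cannot send message.")

def split_address(header):
    """Return (local part, domain), lower-cased, from an address header."""
    addr = parseaddr(header or "")[1].lower()
    local, _at, domain = addr.rpartition("@")
    return local, domain

def kipis_indicators(raw_message):
    """List the Kipis-style indicators present in a raw message."""
    msg = message_from_string(raw_message)
    hits = []
    from_local, from_domain = split_address(msg.get("From"))
    _to_local, to_domain = split_address(msg.get("To"))
    if from_local in KIPIS_SENDERS and from_domain and from_domain == to_domain:
        hits.append("spoofed-sender-same-domain")
    if (msg.get("Subject") or "").strip().lower() in KIPIS_SUBJECTS:
        hits.append("known-subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if filename.lower() in KIPIS_ATTACHMENTS:
                hits.append("known-attachment")
            elif filename.lower().endswith((".scr", ".com")):
                hits.append("executable-extension")
            payload = part.get_payload(decode=True) or b""
            if payload.startswith(b"MZ"):          # PE/MZ header under an image-like name
                hits.append("pe-attachment")
        elif part.get_content_type() == "text/plain":
            body = (part.get_payload(decode=True) or b"").decode("latin-1").lower()
            if any(marker in body for marker in KIPIS_BODY_MARKERS):
                hits.append("known-body")
    return hits

def is_kipis_like(raw_message):
    """Verdict rule (assumption): a known drop name plus any other indicator,
    or three independent indicators, is enough to quarantine."""
    hits = kipis_indicators(raw_message)
    return ("known-attachment" in hits and len(hits) >= 2) or len(hits) >= 3

# Constructed sample: what a Kipis message to johnno@silly.domain.com looks like
# according to the description. The base64 payload is 48 bytes of MZ header.
SAMPLE_WORM_MAIL = """\
From: sandra@silly.domain.com
To: johnno@silly.domain.com
Subject: I love you
X-Priority: 1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="kipis-demo"

--kipis-demo
Content-Type: text/plain

Hello! baby :)
--kipis-demo
Content-Type: application/octet-stream; name="foto_03.scr"
Content-Disposition: attachment; filename="foto_03.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--kipis-demo--
"""

# Constructed sample: ordinary mail that trips only the sender rule.
SAMPLE_BENIGN_MAIL = """\
From: tom@silly.domain.com
To: johnno@silly.domain.com
Subject: Meeting notes
Content-Type: text/plain

See you at 3.
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("benign", SAMPLE_BENIGN_MAIL)):
        print(label, kipis_indicators(raw), "->", "quarantine" if is_kipis_like(raw) else "deliver")
```

The pe-attachment check is the one that outlives this particular worm: an attachment that is called foto_03.scr or otherwise presented as a picture but begins with an MZ header is executable regardless of what the subject or sender list says.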
Payload
Terminates Processes
Kipis.A terminates processes which contain any of the following strings:
___r.
___synmgr.
avmon
blackice
bscanx
bupw.
dec25.
duba
ewall
filemon.
frw.
gate
guard.
kav
kerio
maniac.
mcafee
nav
nprotect
outpost
regmon.
rfw.
rising
safe
skynet
sphinx.
suchost.
svchosl.
symantec
systra.e
taumon
update
upgrade
winit.
zonealarm
Downloads and Executes Arbitrary Files (Port 1029)
Kipis listens on TCP port 1029 for incoming connections. Any data received on a connection is written to the file %System%\Winlogins.exe, which Kipis then executes. No check on the source or content of the data is described, so anyone able to reach the port can run code on the infected machine.
Analysis by Paul Taylor
More information on CA Virus Information Center:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41312