W32.Kaxela.A


Aliases: W32/Kaxela.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 21 Sep 2007
Damage: Medium

Characteristics: The W32.Kaxela.A is an autorun worm that retrieves files that may compromise system security. It can copy itself to every drive in the affected machine. The Autorun feature of Windows is exploited by this worm because it can allow EXE file on drives to be immediately run when a drive is used. The Autorun function uses the autorun.inf file. This file’s task is to monitor the system’s drives. In the event that it locates the autorun.inf file, it will carry out the instructions written on it.

More details about W32.Kaxela.A

The W32.Kaxela.A worm will create a DLL and EXE file with 8 random characters as its filename once executed in the compromised machine. It then copies itself to every removable and local drive it can find in the system and creates an autorun.inf file so that the worm will run when the infected drive is opened. Next, the malware will create a registry entry and then modify another one so that it can alter the Internet Explorer’s home page and reroute it to a potentially malicious site. This autorun worm will likewise delete a registry subkey and pass itself off as a service by creating a registry subkey. Then, the security risk will retrieve a configuration file from one of its predetermined URLs.

The file downloaded by the W32.Kaxela.A worm will contain information pertaining to a site that permits the updating of the worm and the site where the home page of Internet Explorer will be redirected. This file permits the malware to download potentially dangerous files on the infected machine and contacts 3 other URLs. Get rid of the worm by making sure that the system restore option is disabled and then opening the Windows Task Manager. Find the auto.exe file in the list of running processes and then terminate it. Exit the Windows Task Manager and then proceed to delete values added by the worm to the registry.