Aliases: I-Worm.Kergez.c, W32/Kergez.worm, Backdoor.Kergez, Win32.HLLW.Kergez.2, Troj/Kergez-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: N/A
Geographical info: North America
Removal: N/A
Platform: W32
Discovered: 06 Aug 2003
Damage: N/A

Characteristics: W32.Kergez.C@mm is a mass-mailing worm that sends itself to email addresses it harvests from files with .asp, .htm, and .php extensions. The email messages carry the subject "Re: New Security Vuln" and the attachment Virus_Guard.exe. The worm is written in Microsoft Visual C++ and packed with UPX.

More details about W32.Kergez.C@mm

W32.Kergez.C@mm is a mass-mailing worm that spreads through email, sending itself to every email address it finds in files with the extensions .asp, .htm, and .php. When executed, it may copy itself to %Windir%\Kangaroo.exe and %System%\Internat67.exe, and it may add values to the registry so that it runs every time Windows starts. The worm attempts to terminate certain processes, in particular security-related ones whose names contain strings such as Firewall, Alarm, Secure, Clean, or Anti. The email messages it sends have the subject "Re: New Security Vuln", a body containing the text "Are you vulnerable to identity theft…", and an attachment named Virus_Guard.exe.
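The three mail indicators above (subject, body fragment, attachment name) are enough for a gateway rule. The following Python is an added example, not code from the original page or from any vendor: it parses an RFC 5322 message with the standard library, normalises the subject so that "Re:"/"Fw:" prefixes do not defeat the match, and reports which indicators hit. The sample messages are constructed here for the test; the attachment bytes are a placeholder, not the worm.

```python
import email
import email.policy
from email.message import EmailMessage

# Indicators the writeup gives for W32.Kergez.C@mm mail (compared case-insensitively).
KERGEZ_SUBJECT = "new security vuln"
KERGEZ_ATTACHMENT = "virus_guard.exe"
KERGEZ_BODY_FRAGMENT = "are you vulnerable to identity theft"


def normalize_subject(subject):
    """Lower-case and strip any number of leading Re:/Fw:/Fwd: prefixes, so that
    'Re: New Security Vuln' and 'New Security Vuln' hit the same rule."""
    s = (subject or "").strip().lower()
    while True:
        for prefix in ("re:", "fw:", "fwd:"):
            if s.startswith(prefix):
                s = s[len(prefix):].lstrip()
                break
        else:
            return s


def kergez_indicators(raw_message):
    """Return the list of Kergez indicators found in a raw message (bytes):
    any of 'subject', 'body', 'attachment', in that order."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    hits = []
    if normalize_subject(msg["Subject"]) == KERGEZ_SUBJECT:
        hits.append("subject")
    # get_body() skips parts flagged as attachments and returns the text/plain body, if any.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and KERGEZ_BODY_FRAGMENT in body.get_content().lower():
        hits.append("body")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower() == KERGEZ_ATTACHMENT:
            hits.append("attachment")
            break
    return hits


def is_kergez_mail(raw_message):
    """Block on the attachment name alone (an .exe named Virus_Guard.exe is never
    legitimate), or on subject and body lure together."""
    hits = set(kergez_indicators(raw_message))
    return "attachment" in hits or {"subject", "body"} <= hits


def build_sample(subject, body, attachment_name=None):
    """Constructed sample message for testing the rule; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"MZ\x90\x00 placeholder, not a real binary",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


SAMPLE_WORM = build_sample(
    "Re: New Security Vuln",
    "Are you vulnerable to identity theft? Run the attached guard.",
    "Virus_Guard.exe",
)
SAMPLE_BENIGN = build_sample(
    "Re: new security vuln in our login form",
    "Here is the report.",
    "report.pdf",
)

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, kergez_indicators(raw), "blocked" if is_kergez_mail(raw) else "allowed")
```

Matching on the attachment name alone is deliberate: a mass-mailer's subject and body vary across variants far more often than its dropped file name, and an executable attachment should be quarantined at the gateway regardless of the lure text.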

W32.Kergez.C@mm can be removed manually. First, temporarily disable System Restore so that the worm cannot be restored from a restore point. Then update the virus definitions and run a full system scan with a reliable antivirus program, deleting every file detected as W32.Kergez.C@mm. Edit the Win.ini file to remove any entry that starts the worm. Reverse the changes the worm made to the registry; back up the registry before editing it, because mistakes there can cause permanent data loss or corrupted files. Finally, reboot the computer and rescan the system to confirm that the threat has been completely eliminated.
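For the Win.ini and registry steps, it helps to check for the two file names the writeup gives (%Windir%\Kangaroo.exe and %System%\Internat67.exe) before editing anything. The Python below is an added example, not from the page or any vendor tool: it scans a file list, the load=/run= lines of a win.ini, and a `reg export` dump of the Run keys for references to those names. The inputs are constructed samples; on a live host you would feed it the real win.ini, the output of `reg export` (written as UTF-16, so open it with encoding="utf-16"), and a directory listing. Which autostart lines and keys the worm actually uses is not stated on the page, so the load=/run= and Run/RunServices locations are assumptions.

```python
import re
from pathlib import PureWindowsPath

# File names the writeup attributes to W32.Kergez.C@mm (compared case-insensitively).
KERGEZ_FILENAMES = ("kangaroo.exe", "internat67.exe")


def find_file_iocs(paths):
    """Return the paths whose file name is one of the Kergez drop names.
    PureWindowsPath is used explicitly so backslash paths parse on any OS."""
    return [p for p in paths if PureWindowsPath(p).name.lower() in KERGEZ_FILENAMES]


def find_winini_iocs(winini_text):
    """Flag load= / run= lines in the [windows] section that reference a Kergez file.
    Assumption: these classic autostart lines are what the worm edits in win.ini."""
    hits = []
    section = None
    for raw in winini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("load", "run") and any(
                name in value.lower() for name in KERGEZ_FILENAMES
            ):
                hits.append(line)
    return hits


def find_registry_iocs(reg_export_text):
    """Parse a .reg dump (reg export output) and return (key, value_name, data) for
    values under Run / RunOnce / RunServices / RunServicesOnce keys that reference a Kergez file.
    Assumption: the worm's persistence lives under one of these keys."""
    hits = []
    key = None
    for raw in reg_export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key and re.search(r"\\Run(Services)?(Once)?$", key, re.IGNORECASE) and "=" in line:
            name, _, data = line.partition("=")
            if any(n in data.lower() for n in KERGEZ_FILENAMES):
                hits.append((key, name.strip().strip('"'), data.strip().strip('"')))
    return hits


# Constructed samples for testing; not captured from an infected host.
SAMPLE_PATHS = [
    r"C:\WINDOWS\Kangaroo.exe",
    r"C:\WINDOWS\system32\internat67.exe",
    r"C:\WINDOWS\system32\internat.exe",   # legitimate Windows input-locale indicator, must NOT match
    r"C:\WINDOWS\explorer.exe",
]

SAMPLE_WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\Kangaroo.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Internat"="C:\\WINDOWS\\system32\\Internat67.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Kangaroo"="C:\\WINDOWS\\Kangaroo.exe"
"""

if __name__ == "__main__":
    print("files:", find_file_iocs(SAMPLE_PATHS))
    print("win.ini:", find_winini_iocs(SAMPLE_WIN_INI))
    for key, name, data in find_registry_iocs(SAMPLE_REG_EXPORT):
        print(f"registry: {key} -> {name} = {data}")
```

Note the deliberate near-miss in the sample file list: internat.exe is a legitimate Windows component, and the worm's Internat67.exe is named to resemble it, so match on the full file name rather than on a prefix when deleting files by hand.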