W32.Kamil


Aliases: Email-Worm.Win32.Kamil, I-Worm.Kamil, Kamil, Win32.HLLM.Generic.96, Trojan:Win32/Kamil 
Variants: WORM_KAMIL.A, Win32:Trojan-gen, Trojan.Win32.Kamil.A, W32/Kamil.A.worm, Win32/Kamil.A 

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: Slow
Geographical info: Asia, North America, Europe
Removal: Hard
Platform: W32
Discovered: 01 Aug 2002
Damage: Medium

Characteristics: The Trojan W32.Kamil is a downloader Trojan that will try to download a W32.BleBla worm variant from a predetermined remote location. It may likewise download other security threats onto the infected computer system. The W32.BleBla worm’s new variant is the W32.BleBla.J.Worm. This downloader Trojan is also capable of transferring all files from the Desktop and Windows folders to the Nur_Mohd_Kamil in the C:\ drive.

More details about W32.Kamil

Upon execution in the host machine, the W32.Kamil Trojan will display a message stating ‘Loading Nur_Mohammad_Kamil Please Wait’. It then creates a folder for its files. Next, it will transfer documents from the folders Windows, Desktop and My Documents to the folder it has created and then copy its main file to the system. It will then rename the Fileter.dat to another filename and then show the message ‘Nur_Mohammad_Kamil successfully update Done’. This Trojan will also try to modify the home page of Internet Explorer to a site where it will download files from. When the user goes to the website, the malware will try to retrieve an EXE file; the main executable of the W32.BleBla worm. This security threat uses a Flash icon used to fool users into believing that it’s just a Flash movie.

The first file it will create is the Melhacker.vbs file which will be responsible for creating the file Mekhacker.zip. It then creates the Nur_Mohd_Kamil.bat file which is responsible for executing several malicious processes. Next, the Trojan will create the Nmksys32.vxd which is a non-malicious TXT file and the Nmk.htm file which displays pop-up messages. The downloader Trojan will likewise create the Nuhr_Mohd_Kamil.reg file which contains the malware’s registry keys and values that will be run to alter the registry. Lastly, it will create the file Melhacker.zip which contains a corrupted DOS executable file. The Trojan will then proceed to add a value to the registry so that it can execute every time that Windows is restarted.